CloudFront Middleware enables managed clients to securely access a munki repo from Amazon's CloudFront Global Content Delivery Network. CloudFront has lower transit costs than using S3 directly and can offer better performance to managed clients that are outside of an S3 bucket's region.
CloudFront Middleware uses a CloudFront private key to create and sign requests for private CloudFront resources. Each signed request includes an expiration date after which the request is no longer valid.
CloudFront key pairs are available from the AWS Security Credentials dashboard. Each AWS account can have a maximum of two CloudFront key pairs (active or inactive) at a time, allowing for periodic rotation of the private key. It is possible to grant an AWS account other than the CloudFront distribution owner the ability to sign CloudFront requests.
- Amazon S3 bucket with your munki repo inside.
- CloudFront distribution serving this origin with restricted access to your S3 content.
- CloudFront private key of an AWS account that is a trusted signer of this CloudFront distribution.
- Install `middleware_cloudfront.py` to `/usr/local/munki/`.
- Set the munki preference `SoftwareRepoURL` to your CloudFront distribution URL.
- Set the CloudFront Middleware preferences for your Access Key ID and the resource expiration timeout in minutes. If unset, the expiration defaults to 60 minutes.

```
sudo defaults write com.github.aaronburchfield.cloudfront access_id -string "YOURACCESSKEYID"
sudo defaults write com.github.aaronburchfield.cloudfront expire_after -int 30
```

- If you are using an Alternate Domain Name, set the preference for your domain name.

```
sudo defaults write com.github.aaronburchfield.cloudfront domain_name -string "munki.megacorp.com"
```

- Install a trusted signer's CloudFront private key and set strict permissions.

```
sudo cp pk-YOURACCESSKEYID.pem /usr/local/munki/munkiaccess.pem
sudo chown root:wheel /usr/local/munki/munkiaccess.pem
sudo chmod 400 /usr/local/munki/munkiaccess.pem
```

- Run munki and verify that signed CloudFront requests are being made.

```
sudo managedsoftwareupdate --checkonly -vvv
```
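To make the signing step above concrete, here is an added Python example (not the middleware's own code) that builds a CloudFront signed URL with a canned policy the way the middleware description implies: the resource URL and an `AWS:EpochTime` expiry computed from the `expire_after` preference are serialized into a policy, the policy is signed with RSA-SHA1 using the private key, and the signature is encoded with CloudFront's URL-safe base64 alphabet before being appended as `Expires`, `Signature` and `Key-Pair-Id` query parameters. It also includes a check that the installed key file has the ownership and mode the install steps require. The signer is injectable so the URL-assembly logic can be exercised without a real key; the `rsa_sha1_signer` helper assumes the third-party `cryptography` package, and `YOURACCESSKEYID` and the paths are the page's placeholders.

```python
import base64
import json
import os
import stat
import time
from typing import Callable, List, Optional

# Signer type: takes the raw policy bytes, returns the raw (binary) signature.
Signer = Callable[[bytes], bytes]


def canned_policy(resource: str, expires: int) -> bytes:
    """Build a CloudFront canned policy: one statement, DateLessThan only, no whitespace."""
    policy = {
        "Statement": [
            {
                "Resource": resource,
                "Condition": {"DateLessThan": {"AWS:EpochTime": expires}},
            }
        ]
    }
    # CloudFront signs the exact bytes, so the serialization must be compact and stable.
    return json.dumps(policy, separators=(",", ":")).encode("utf-8")


def cloudfront_b64(data: bytes) -> str:
    """Base64 with CloudFront's URL-safe substitutions: '+' -> '-', '=' -> '_', '/' -> '~'."""
    return base64.b64encode(data).decode("ascii").translate(str.maketrans("+=/", "-_~"))


def rsa_sha1_signer(pem_path: str) -> Signer:
    """Return a signer backed by a CloudFront private key (PKCS#1 v1.5, SHA-1).

    Assumes the 'cryptography' package; imported lazily so the rest of this
    module works without it (for example in the unit test below).
    """
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding

    with open(pem_path, "rb") as fh:
        key = serialization.load_pem_private_key(fh.read(), password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA1())


def sign_url(
    resource: str,
    key_pair_id: str,
    sign: Signer,
    expire_after_minutes: int = 60,
    now: Optional[int] = None,
) -> str:
    """Produce a signed CloudFront URL valid for expire_after_minutes from now.

    'now' may be supplied (epoch seconds) to make the result deterministic.
    """
    now = int(time.time()) if now is None else now
    expires = now + expire_after_minutes * 60
    signature = cloudfront_b64(sign(canned_policy(resource, expires)))
    separator = "&" if "?" in resource else "?"
    # The canned-policy parameter names are fixed by CloudFront; the policy
    # itself is not sent, so the edge recomputes it from Expires and the URL.
    return f"{resource}{separator}Expires={expires}&Signature={signature}&Key-Pair-Id={key_pair_id}"


def key_file_problems(path: str, expected_uid: int = 0, expected_mode: int = 0o400) -> List[str]:
    """Report deviations from the install steps' 'chown root:wheel; chmod 400' for the key.

    Returns an empty list when the file is owned by expected_uid and has exactly
    expected_mode (no group/other read bits, no write bits).
    """
    problems: List[str] = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    if st.st_uid != expected_uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode != expected_mode:
        problems.append(f"{path}: mode {oct(mode)}, expected {oct(expected_mode)}")
    return problems


if __name__ == "__main__":
    # Stand-alone demonstration with a stub signer (constructed, not a real signature),
    # so it runs without a key. Swap in rsa_sha1_signer("/usr/local/munki/munkiaccess.pem")
    # on a managed client to sign for real.
    stub: Signer = lambda data: b"\xfb\xff"
    print(sign_url("https://munki.megacorp.com/catalogs/production", "YOURACCESSKEYID", stub,
                   expire_after_minutes=30))
    for problem in key_file_problems("/usr/local/munki/munkiaccess.pem"):
        print("WARNING:", problem)
```

Design note: `expire_after` bounds how long a captured URL stays usable, so a short value (the page's example uses 30 minutes) limits replay of any request that leaks from client logs or proxies, while `key_file_problems` catches the common mistake of a world-readable private key, which would let any local user mint valid requests.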
The included luggage makefile can be used to create an installer package for CloudFront Middleware.

- With an AWS root account, generate a CloudFront Key Pair, saving the private key as `munkiaccess.pem` in the root of this repo.
- Replace the Access Key ID on line 4 of the postinstall script with the ID of your CloudFront Key Pair.
- Run `make pkg` and install the resulting package.
- Set your `SoftwareRepoURL` to your CloudFront distribution address and run munki.