https://github.com/henrist/cdk-cloudfront-auth
CloudFront authorization with Cognito for CDK
- Host: GitHub
- URL: https://github.com/henrist/cdk-cloudfront-auth
- Owner: henrist
- License: mit
- Created: 2020-07-11T01:58:54.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2026-02-26T18:50:53.000Z (about 1 month ago)
- Last Synced: 2026-02-27T00:40:39.521Z (about 1 month ago)
- Topics: cdk, cloudfront, cognito
- Language: TypeScript
- Homepage:
- Size: 5.76 MB
- Stars: 19
- Watchers: 2
- Forks: 9
- Open Issues: 13
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# CloudFront authorization with Cognito for CDK
Easily add Cognito-based authorization to your CloudFront distribution,
to place static files behind authorization.
This is based on https://github.com/aws-samples/cloudfront-authorization-at-edge.
## Usage
```bash
npm install @henrist/cdk-cloudfront-auth
```
Deploy the Lambda@Edge functions to us-east-1:
```ts
// In a stack deployed to us-east-1.
const authLambdas = new AuthLambdas(this, "AuthLambdas", {
  regions: ["eu-west-1"], // Regions to make Lambda version params available.
})
```
Deploy the Cognito and CloudFront setup in the region of your choice:
```ts
const auth = new CloudFrontAuth(this, "Auth", {
  cognitoAuthDomain: `${domain.domainName}.auth.${region}.amazoncognito.com`,
  authLambdas, // AuthLambdas from above
  userPool, // Cognito User Pool
})

const distribution = new cloudfront.Distribution(this, "Distribution", {
  defaultBehavior: auth.createProtectedBehavior(origin),
  additionalBehaviors: auth.createAuthPagesBehaviors(origin),
})

auth.updateClient("ClientUpdate", {
  signOutUrl: `https://${distribution.distributionDomainName}${auth.signOutRedirectTo}`,
  callbackUrl: `https://${distribution.distributionDomainName}${auth.callbackPath}`,
})
```
If using `CloudFrontWebDistribution` instead of `Distribution`:
```ts
const distribution = new cloudfront.CloudFrontWebDistribution(this, "Distribution", {
  originConfigs: [
    {
      behaviors: [
        ...auth.authPages,
        {
          isDefaultBehavior: true,
          lambdaFunctionAssociations: auth.authFilters,
        },
      ],
    },
  ],
})
```
## Customizing authorization
The `CloudFrontAuth` construct accepts a `requireGroupAnyOf` property
that restricts access to users in specific groups.
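
To show what an any-of group restriction means for a request, here is an added example (not code from this project or from the upstream sample) that verifies an RS256 token and only then reads its `cognito:groups` claim. The `signToken`, `decodePart` and `authorize` helpers and the `Decision` values are hypothetical, and the key pair is generated for the demo in place of the user pool's signing keys.

```typescript
import { createSign, createVerify, generateKeyPairSync, KeyObject } from "node:crypto"

// Constructed key pair for the demo; a real check uses the user pool's published signing keys.
const { publicKey, privateKey } = generateKeyPairSync("rsa", { modulusLength: 2048 })

type Decision = "allow" | "deny-invalid" | "deny-expired" | "deny-group"

// Sign a constructed RS256 token that stands in for a Cognito ID token.
function signToken(claims: Record<string, unknown>, key: KeyObject = privateKey): string {
  const enc = (o: object): string => Buffer.from(JSON.stringify(o)).toString("base64url")
  const input = `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}`
  return `${input}.${createSign("RSA-SHA256").update(input).sign(key).toString("base64url")}`
}

// Decode one JWT segment; returns null for anything that is not a JSON object.
function decodePart(part: string): Record<string, unknown> | null {
  try {
    const value: unknown = JSON.parse(Buffer.from(part, "base64url").toString("utf8"))
    return typeof value === "object" && value !== null ? (value as Record<string, unknown>) : null
  } catch {
    return null
  }
}

// Hypothetical helper: signature and expiry are checked before any claim is trusted.
function authorize(
  token: string,
  requireGroupAnyOf?: string[],
  key: KeyObject = publicKey,
  now: number = Date.now() / 1000,
): Decision {
  const parts = token.split(".")
  if (parts.length !== 3) return "deny-invalid"
  const [h, p, s] = parts as [string, string, string]
  const header = decodePart(h)
  const claims = decodePart(p)
  if (!header || !claims || header["alg"] !== "RS256") return "deny-invalid" // pin the algorithm
  const signature = Buffer.from(s, "base64url")
  if (!createVerify("RSA-SHA256").update(`${h}.${p}`).verify(key, signature)) return "deny-invalid"
  const expiry = claims["exp"]
  if (typeof expiry !== "number" || expiry <= now) return "deny-expired"
  if (requireGroupAnyOf === undefined) return "allow" // no group restriction configured
  const raw = claims["cognito:groups"]
  const held: unknown[] = Array.isArray(raw) ? raw : [] // claim may be absent: user is in no group
  return requireGroupAnyOf.some((g) => held.includes(g)) ? "allow" : "deny-group"
}
```

In this sketch an empty `requireGroupAnyOf` list denies everyone (fail closed), while leaving it unset allows any user with a valid token; that split is a choice made for the example.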