distribute via signed s3 urls rather than signed cloudfront urls #204
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
grfn.asf.alaska.edu originally distributed via signed S3 URLs using a similar mechanism. We implemented distribution via signed CloudFront URLs in late 2018 as an excuse to prototype with the service; there was never a compelling business case for it.
Transitioning back to signed S3 URLs will allow us to recoup a portion of our data distribution costs via the Global Data Egress Waiver, as well as reducing/eliminating costs for requests originating within AWS.
This PR will need to be merged in coordination with another PR to grfn-logging. The log-parse lambda of grfn-logging will need to once again generate EMS distribution metrics from S3 access logs, rather than CloudFront access logs.
After this PR is merged we can:
CLOUDFRONT_KEY_PAIR_IDandPRIVATE_KEY_SECRET_NAMEenvironment secretsgrfn-content-[test|prod]buckets allowing read access to the now-defunct CloudFront Origin Access Identitycloudfront-private-keyAWS Secrets Manager secret