Static Site With S3
Creating a site using Amazon S3 as an Origin
This guide describes the process of creating a CDN site using StackPath's API and setting it up to use an Amazon S3 bucket as its origin. This guide also describes how this can be done from our customer Control Portal.
Placing StackPath's CDN in front of your S3 bucket has important advantages both for you and for your customers. Your S3 assets are cached at StackPath's CDN edges, reducing S3 bandwidth costs and lowering the latency at which assets are delivered to customers. Assets that are already in cache can also continue to be served while S3 itself is unavailable.
This guide also shows how to use an Amazon accessKeyId and secretAccessKey to allow StackPath's CDN to connect to a protected, or private, S3 bucket.
Before you begin
This guide assumes you have already created StackPath API credentials, generated a bearer token and created a Stack with CDN services enabled. If you have not done so yet, please see the Authentication page.
Create a CDN Site
The first step is to make an API call to the Create a site endpoint, creating a CDN site:
curl -X POST https://gateway.stackpath.com/cdn/v1/stacks/STACK_ID/sites \
  -H "Authorization: bearer BEARER_TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "domain": "domain.com",
    "origin": {
      "path": "/",
      "hostname": "my-bucket.s3.amazonaws.com",
      "port": 80,
      "securePort": 443
    },
    "features": [
      "CDN"
    ],
    "type": "CDN"
  }'
Remember to replace STACK_ID with the Stack ID or Stack Slug and BEARER_TOKEN with your authentication token. Replace domain.com with the domain of your website and my-bucket.s3.amazonaws.com with your S3 bucket's domain name.
This request returns a JSON object that looks something like this:
{
  "site": {
    "id": "0ac0a3a7-ff9d-421f-8cce-4f3d55db93ae",
    "stackId": "993aba44-1234-433d-be5d-72dbdf62f6a5",
    "label": "domain.com",
    "status": "ACTIVE",
    "createdAt": "2019-02-08T21:37:25.742801Z",
    "updatedAt": "2019-02-08T21:37:32.312754Z",
    "enabled": true,
    "type": "CDN"
  }
}
The ID in the above JSON object is what you will use as the SITE_ID going forward in subsequent API calls.
Retrieve the Root CDS Scope ID
In order to set your S3 bucket as the origin of your new CDN site, you will need to submit a PATCH request. Before you can submit that request, you need to obtain the scope ID. The scope you want is the one whose path value is "/" and whose platform value is "CDS"; the site also has an "ALL" scope with the same path, so match on both fields.
For more information on how to obtain the scope ID, please see StackPath IDs Explained.
The API call used to retrieve the scope ID, along with the JSON response, is shown below. Remember to replace STACK_ID, SITE_ID and BEARER_TOKEN accordingly:
curl -X GET https://gateway.stackpath.com/cdn/v1/stacks/STACK_ID/sites/SITE_ID/scopes \
  -H "Authorization: bearer BEARER_TOKEN" \
  -H "Content-Type: application/json"
{
  "pageInfo": {
    "totalCount": "2",
    "endCursor": "1"
  },
  "results": [
    {
      "id": "80492418-9896-4735-80e3-adb37019e001",
      "platform": "CDS",
      "path": "/"
    },
    {
      "id": "c4a4b765-8f8a-4233-8459-935871d8d60d",
      "platform": "ALL",
      "path": "/"
    }
  ]
}
The scope ID we are going to use in the next step is 80492418-9896-4735-80e3-adb37019e001.
Enable S3 as your Origin
The final call to the API is a PATCH request to the Update a scope's configuration endpoint that tells our platform that you want to set up S3 as your origin on your CDN site.
If you are using a private S3 bucket, replace ACCESS_KEY_ID and SECRET_ACCESS_KEY with the access keys of the IAM user that StackPath will use to sign its origin requests. These are IAM credentials, not something Amazon issues when you create the bucket: create a dedicated IAM user for the CDN and grant it only s3:GetObject on that bucket (add s3:ListBucket if you want a missing object to be reported as 404 rather than 403, because S3 returns 403 for a missing key when the caller is not allowed to list the bucket). Never use your AWS account's root keys here. Omit the awsSignedOriginPullV4 object entirely if you are using a public S3 bucket.
Make sure the awsRegion value matches the region where your S3 bucket lives. In this example, we're using "us-east-2".
Last, make sure the originPull value is set to the fully qualified domain name of your S3 bucket. StackPath sends this Host header to Amazon so that the request is routed to the correct bucket.
curl -X PATCH https://gateway.stackpath.com/cdn/v1/stacks/STACK_ID/sites/SITE_ID/scopes/SCOPE_ID/configuration \
  -H "Authorization: bearer BEARER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "configuration": {
      "awsSignedOriginPullV4": [
        {
          "enabled": true,
          "secretAccessKey": "SECRET_ACCESS_KEY",
          "accessKeyId": "ACCESS_KEY_ID",
          "awsRegion": "us-east-2",
          "awsService": "s3",
          "expireTimeSeconds": 5,
          "authenticationType": "header"
        }
      ],
      "staticHeader": [
        {
          "originPull": "Host: my-bucket.s3.amazonaws.com"
        }
      ]
    }
  }'
This request returns a JSON object containing the scope's full current configuration. The snippet below is the relevant excerpt from the response; it should contain:
{
  "configuration": {
    "accessLogs": {
      "id": "435462008",
      "enabled": false
    },
    "awsSignedOriginPullV4": [
      {
        "id": "3016776472",
        "enabled": true,
        "accessKeyId": "ACCESS_KEY_ID",
        "awsRegion": "us-east-2",
        "awsService": "s3",
        "expireTimeSeconds": 5,
        "authenticationType": "header"
      }
    ],
    "staticHeader": [
      {
        "id": "735920235",
        "originPull": "Host: my-bucket.s3.amazonaws.com"
      }
    ]
  }
}
If you are using a private S3 bucket, the accessKeyId is returned in the response, but the API never returns the secretAccessKey. Once it has been submitted it cannot be retrieved. You only need to include the secretAccessKey value in a PATCH request again if it changes or if you want to connect this CDN site to a different S3 bucket. To remove it completely from StackPath's platform, either delete the configuration policy or delete the CDN site. Note that deleting the policy only removes StackPath's copy: if the key pair is ever exposed, deactivate or delete it in IAM, create a new one, and PATCH the new values.
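Because the secret is write-only on StackPath's side, it is worth proving that the key pair can actually read the bucket before submitting it. The script below is an added example, not StackPath's own code: it performs the same AWS Signature Version 4 header authentication that the awsSignedOriginPullV4 policy applies to each origin pull, using only the Python standard library. The key pair, bucket, object and timestamp in the demo call are the constructed sample values from AWS's own SigV4 "Authorization header" S3 example (not real credentials), so the Authorization header it produces can be compared with the one printed in that documentation; probe_object is the function to run against your own bucket with your own IAM keys.

```python
"""Sign an S3 GET with AWS Signature Version 4 header authentication.

Added example, not StackPath's own code. It reproduces the signing that the
awsSignedOriginPullV4 policy performs on every origin pull, so you can prove
that an IAM key pair can read the bucket before handing it to the platform.
The key pair, bucket, object and timestamp used in the demo are constructed
sample values taken from AWS's SigV4 documentation example, not real credentials.
"""
import datetime
import hashlib
import hmac
import urllib.error
import urllib.parse
import urllib.request

# SHA-256 of an empty body: a GET carries no payload.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret_access_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """Derive the date/region/service-scoped signing key; the raw secret itself is never sent."""
    k_date = _hmac(("AWS4" + secret_access_key).encode(), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sign_s3_get(access_key_id, secret_access_key, region, host, path, amz_date, extra_headers=None):
    """Return request headers for a SigV4 header-authenticated GET of `path` on `host`.

    `amz_date` is a basic ISO-8601 UTC timestamp such as 20130524T000000Z; its
    first eight characters are the date stamp used in the credential scope.
    """
    headers = {"host": host, "x-amz-content-sha256": EMPTY_SHA256, "x-amz-date": amz_date}
    # Every signed header is lower-cased and trimmed, then listed in sorted order.
    headers.update({k.lower(): v.strip() for k, v in (extra_headers or {}).items()})
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{name}:{headers[name]}\n" for name in sorted(headers))
    canonical_uri = urllib.parse.quote(path, safe="/-_.~")
    # Method, URI, (empty) query string, headers, signed-header list, payload hash.
    canonical_request = "\n".join(
        ["GET", canonical_uri, "", canonical_headers, signed_headers, EMPTY_SHA256])
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/s3/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    signature = hmac.new(signing_key(secret_access_key, date_stamp, region, "s3"),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    out = {name: value for name, value in headers.items() if name != "host"}
    out["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
                            f"SignedHeaders={signed_headers}, Signature={signature}")
    return out


def probe_object(access_key_id, secret_access_key, region, bucket_host, key, timeout=10):
    """Fetch one object over HTTPS with a freshly signed request; returns (status, body).

    403 means the key pair cannot read the object (or the object is missing and the
    key may not list the bucket); 404 means the object is missing and listing is allowed.
    """
    amz_date = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    headers = sign_s3_get(access_key_id, secret_access_key, region, bucket_host, "/" + key, amz_date)
    req = urllib.request.Request(f"https://{bucket_host}/{urllib.parse.quote(key)}", headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


if __name__ == "__main__":
    # Constructed sample: the AWS documentation example (GET /test.txt with Range: bytes=0-9).
    demo = sign_s3_get("AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                       "us-east-1", "examplebucket.s3.amazonaws.com", "/test.txt",
                       "20130524T000000Z", {"Range": "bytes=0-9"})
    for name, value in demo.items():
        print(f"{name}: {value}")
```

Run probe_object with the IAM user you created for the CDN against a real key in the bucket and expect 200; a 403 means the policy is wrong (or the object is missing and the user lacks s3:ListBucket) and the StackPath PATCH would succeed while every origin pull fails. Use the HTTPS endpoint so the signed headers and object bodies are not sent in cleartext between the edge and S3.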
If you want to put even more security in front of this CDN endpoint, you can always add our WAF service to protect your CDN from attacks, as well as use our EdgeEngine to implement your own custom authentication using JWT or other mechanisms to make sure only validated requests are made to get S3 assets. More info on this is available on StackPath's EdgeEngine examples page at GitHub. While you're there, check out the EdgeEngine CLI, which makes deploying EdgeEngine scripts as easy as running a single command.
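Putting the three calls together: the script below is an added example, not StackPath's tooling. It creates the site, selects the root CDS scope (platform "CDS", path "/") from the scope listing, and PATCHes the signed-origin-pull policy and Host static header, reading the bearer token and AWS keys from environment variables (the variable names are this script's own assumption) so the secret never appears on a command line or in output. Network I/O is confined to api(), and the scope selection, payload construction and response check are plain functions exercised against a constructed copy of the scope listing shown above.

```python
"""Create a StackPath CDN site that pulls from an S3 bucket, end to end.

Added example, not StackPath's tooling. It chains the three calls in this
guide: create the site, find the root CDS scope, then PATCH the scope with
awsSignedOriginPullV4 and the Host static header. Gateway URL, request bodies
and the "platform CDS, path /" rule come from the guide; the environment
variable names are this script's own assumption.
"""
import json
import os
import urllib.request

GATEWAY = "https://gateway.stackpath.com/cdn/v1"

# Constructed sample, copied from the scope listing shown in this guide.
SAMPLE_SCOPES = {
    "pageInfo": {"totalCount": "2", "endCursor": "1"},
    "results": [
        {"id": "80492418-9896-4735-80e3-adb37019e001", "platform": "CDS", "path": "/"},
        {"id": "c4a4b765-8f8a-4233-8459-935871d8d60d", "platform": "ALL", "path": "/"},
    ],
}


def api(method, path, token, body=None):
    """Send one JSON request to the gateway and return the decoded response."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        GATEWAY + path, data=data, method=method,
        headers={"Authorization": f"bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def site_payload(domain, bucket_host):
    """Body for POST /stacks/{stack}/sites, as in the guide."""
    return {"domain": domain,
            "origin": {"path": "/", "hostname": bucket_host, "port": 80, "securePort": 443},
            "features": ["CDN"], "type": "CDN"}


def root_cds_scope_id(scopes_response):
    """Return the id of the scope with platform CDS and path '/'.

    The ALL scope shares the same path, so matching on the path alone is not enough.
    """
    for scope in scopes_response.get("results", []):
        if scope.get("platform") == "CDS" and scope.get("path") == "/":
            return scope["id"]
    raise LookupError("no scope with platform CDS and path '/' in response")


def origin_configuration(bucket_host, region, access_key_id=None, secret_access_key=None):
    """Body for the PATCH; the signed-pull block is omitted entirely for a public bucket."""
    if bool(access_key_id) != bool(secret_access_key):
        raise ValueError("supply both accessKeyId and secretAccessKey, or neither")
    config = {"staticHeader": [{"originPull": f"Host: {bucket_host}"}]}
    if access_key_id:
        config["awsSignedOriginPullV4"] = [{
            "enabled": True,
            "secretAccessKey": secret_access_key,
            "accessKeyId": access_key_id,
            "awsRegion": region,
            "awsService": "s3",
            "expireTimeSeconds": 5,
            "authenticationType": "header",
        }]
    return {"configuration": config}


def signed_pull_applied(patch_response, access_key_id):
    """True when the reply shows an enabled signed-pull policy for our key id.

    The secretAccessKey is never echoed back, so the key id is all there is to compare.
    """
    policies = patch_response.get("configuration", {}).get("awsSignedOriginPullV4", [])
    return any(p.get("enabled") and p.get("accessKeyId") == access_key_id for p in policies)


def main():
    # Assumed environment variable names; the secret is read once and never printed.
    token = os.environ["STACKPATH_TOKEN"]
    stack = os.environ["STACKPATH_STACK_ID"]
    domain = os.environ["SITE_DOMAIN"]
    bucket_host = os.environ["S3_BUCKET_HOST"]  # e.g. my-bucket.s3.amazonaws.com
    region = os.environ.get("AWS_REGION", "us-east-2")
    key_id = os.environ.get("AWS_ACCESS_KEY_ID")  # leave unset for a public bucket
    secret = os.environ.get("AWS_SECRET_ACCESS_KEY")

    site = api("POST", f"/stacks/{stack}/sites", token, site_payload(domain, bucket_host))["site"]
    scopes = api("GET", f"/stacks/{stack}/sites/{site['id']}/scopes", token)
    scope_id = root_cds_scope_id(scopes)
    reply = api("PATCH", f"/stacks/{stack}/sites/{site['id']}/scopes/{scope_id}/configuration",
                token, origin_configuration(bucket_host, region, key_id, secret))
    status = signed_pull_applied(reply, key_id) if key_id else "n/a (public bucket)"
    print(f"site {site['id']} scope {scope_id} signed pull applied: {status}")


if __name__ == "__main__":
    main()
```

Export STACKPATH_TOKEN, STACKPATH_STACK_ID, SITE_DOMAIN and S3_BUCKET_HOST (plus AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY for a private bucket) and run the script once; it prints the new site and scope IDs and whether the reply confirms the signed-pull policy for your key id.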