CloudFront Middleware enables managed clients to securely access a munki repo from Amazon's CloudFront Global Content Delivery Network. CloudFront has lower transit costs than using S3 directly and can offer better performance to managed clients that are outside of an S3 bucket's region.
CloudFront Middleware uses a CloudFront private key to create and sign requests for private CloudFront resources. Each signed request includes an expiration date after which the request is no longer valid.
CloudFront private keys are available from the AWS Security Credentials dashboard. Each AWS root account can have a maximum of two CloudFront private keys (active or inactive) at a time, allowing for periodic rotation of the private key. It is possible to grant an AWS account other than the CloudFront distribution owner the ability to sign CloudFront requests.
CloudFront now supports public key management through IAM user permissions for signed URLs and cookies. This is now the preferred method for signing urls as it has various benefits such as key groups, which are sets of multiple public keys which can be created by IAM users based on permissions you grant, and the ability to manage and rotate public keys via CloudFront's api.
- Customized Munkitools with additional Python modules.
- Amazon S3 bucket with your munki repo inside.
- CloudFront distribution serving this origin with restricted access to your S3 content.
- CloudFront private key of an AWS account that is a trusted signer of this CloudFront distribution OR
- CloudFront private key of a key pair, of which the public key is added to CloudFront and associated with a key group allowed access to this CloudFront distribution
Munki 4 introduces an embedded Python runtime which does not include the same set of Python modules that were available in Python runtimes provided by Apple. To use CloudFront Middleware with Munki 4's embedded Python framework you must rebuild the munkitools installer with additional Python modules and deploy this to your clients.
Additional information about customizing Munki's Python framework is available on the Munki wiki.
CloudFront Middleware 2.0 is backwards compatible with Munki 3.6 and Apple's Python 2.7 runtime. Python 2.7 support will be removed in a future version.
-
Clone munki/munki locally and change into that directory. (use the
Munki3dev
branch until Munki 4 is released). -
Append
rsa
tocode/tools/py3_requirements.txt
. It should now look like this:xattr==0.9.6 pyobjc==5.1.2 six rsa
-
Run
code/tools/build_python_framework.sh
to build Munki's Python.framework. -
Run
code/tools/make_munki_mpkg.sh
to build the munkitools package containing our Python.framework. -
Install the resulting munkitools package.
-
Install
middleware_cloudfront.py
to/usr/local/munki/
. -
Set the munki preference
SoftwareRepoURL
to your CloudFront Distribution URL. -
Set CloudFront Middleware preferences for your Access Key ID and the resource expiration timeout in minutes. If unset expiration will default to 60 minutes.
sudo defaults write com.github.aaronburchfield.cloudfront access_id -string "YOURACCESSKEYID" sudo defaults write com.github.aaronburchfield.cloudfront expire_after -int 30
-
If you are using an Alternate Domain Name, set the preference for your domain name.
sudo defaults write com.github.aaronburchfield.cloudfront domain_name -string "munki.megacorp.com"
-
Install a trusted signer's CloudFront private key and set strict permissions.
sudo cp pk-YOURACCESSKEYID.pem /usr/local/munki/munkiaccess.pem sudo chown root:wheel /usr/local/munki/munkiaccess.pem sudo chmod 400 /usr/local/munki/munkiaccess.pem
-
Run munki and verify that signed CloudFront requests are being made.
sudo managedsoftwareupdate --checkonly -vvv
The included luggage makefile can be used to create an installer package for CloudFront Middleware.
- With an AWS Root account generate a CloudFront Key Pair, saving the private key as
munkiaccess.pem
in the root of this repo. - Replace the Access Key ID on line 4 of the postinstall script with the ID of your CloudFront Key Pair.
make pkg
and install.- Set your
SoftwareRepoURL
to your CloudFront Distribution address and run munki.
An alterative to setting values via defaults
is to use a profile. As of version 1.1, you can now include the CloudFront certificate and all other settings via a profile. This allows easy rotation of the certificate via alterative delivery methods like Mobile Device Management or a configuration management tool. It is still required to drop the middleware_cloudfront.py
file on disk into the proper directory.
To create a profile use the create_profile.py
script. See the help menu --help
for all options. Example usage can be seen below:
./create_profile.py --cert ~/Desktop/cloudfront.pem --access_id "XXXXXXX" --org_name "Example Org" --desc "Munki CloudFront Settings"