DO-1554: use task role instead of the access key pair to access the s…
…3 bucket
krishanthisera committed Oct 19, 2023
1 parent 4d4cb04 commit 9de586e
Showing 2 changed files with 10 additions and 13 deletions.
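--- a/packages/prerender-fargate/index.ts
+++ b/packages/prerender-fargate/index.ts
@@ -1,4 +1,9 @@
 import { PrerenderFargate } from "./lib/prerender-fargate";
 import { PrerenderFargateOptions } from "./lib/prerender-fargate-options";
+import { PrerenderTokenUrlAssociationProps as PrerenderTokenUrlAssociationOptions } from "./lib/recaching/prerender-tokens";
 
-export { PrerenderFargate, PrerenderFargateOptions };
+export {
+PrerenderFargate,
+PrerenderFargateOptions,
+PrerenderTokenUrlAssociationOptions,
+};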
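--- a/packages/prerender-fargate/lib/prerender-fargate.ts
+++ b/packages/prerender-fargate/lib/prerender-fargate.ts
@@ -115,15 +115,6 @@ export class PrerenderFargate extends Construct {
 blockPublicAccess: BlockPublicAccess.BLOCK_ALL,
 });
 
-// Configure access to the bucket for the container
-const user = new User(this, "PrerenderAccess");
-this.bucket.grantReadWrite(user);
-
-const accessKey = new AccessKey(this, "PrerenderAccessKey", {
-user: user,
-serial: 1,
-});
-
 const vpcLookup = vpcId ? { vpcId: vpcId } : { isDefault: true };
 const vpc = ec2.Vpc.fromLookup(this, "vpc", vpcLookup);
 
@@ -165,8 +156,6 @@ export class PrerenderFargate extends Construct {
 containerPort: 3000,
 environment: {
 S3_BUCKET_NAME: this.bucket.bucketName,
-AWS_ACCESS_KEY_ID: accessKey.accessKeyId,
-AWS_SECRET_ACCESS_KEY: accessKey.secretAccessKey.unsafeUnwrap(),
 AWS_REGION: Stack.of(this).region,
 ENABLE_REDIRECT_CACHE: enableRedirectCache || "false",
 TOKEN_LIST: tokenList.toString(),
@@ -188,7 +177,10 @@ export class PrerenderFargate extends Construct {
 ),
 }
 );
-
+
+// Grant S3 Bucket access to the task role
+this.bucket.grantReadWrite(fargateService.taskDefinition.taskRole);
+
 // As the prerender service will return a 401 on all unauthorised requests
 // It should be considered healthy when receiving a 401 response
 fargateService.targetGroup.configureHealthCheck({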
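Review bot: `TOKEN_LIST: tokenList.toString()` in the second hunk still passes what look like the prerender auth tokens through the plain `environment` map, so they stay readable in the task definition and the synthesized template, which is the same kind of exposure this commit removes for the access key. If those values are secrets, they would be better supplied through the container `secrets` option (for example `ecs.Secret.fromSecretsManager(...)`), assuming the service construct used here exposes it, so the value is resolved at task start instead of being stored in the definition. In the last hunk, `this.bucket.grantReadWrite(fargateService.taskDefinition.taskRole)` gives the task role read, write and delete on every object in the bucket; if the cache only lives under one prefix, the second `objectsKeyPattern` argument can narrow the grant. The constructor body and the import block lie outside the visible hunks, so whether the `User` and `AccessKey` imports are now unused should be checked there.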
