CloudFront Middleware enables managed clients to securely access a munki repo from Amazon's CloudFront Global Content Delivery Network. CloudFront has lower transit costs than using S3 directly and can offer better performance to managed clients that are outside of an S3 bucket's region.
CloudFront Middleware uses a CloudFront private key to create and sign requests for private CloudFront resources. Each signed request includes an expiration date after which the request is no longer valid.
CloudFront private keys are available from the AWS Security Credentials dashboard. Each AWS root account can have a maximum of two CloudFront private keys (active or inactive) at a time, allowing for periodic rotation of the private key. It is possible to grant an AWS account other than the CloudFront distribution owner the ability to sign CloudFront requests.
CloudFront now supports public key management through IAM user permissions for signed URLs and cookies. This is now the preferred method for signing urls as it has various benefits such as key groups, which are sets of multiple public keys which can be created by IAM users based on permissions you grant, and the ability to manage and rotate public keys via CloudFront's api.
Munki 4 introduces an embedded Python runtime which does not include the same set of Python modules that were available in Python runtimes provided by Apple. To use CloudFront Middleware with Munki 4's embedded Python framework you must rebuild the munkitools installer with additional Python modules and deploy this to your clients.
Additional information about customizing Munki's Python framework is available on the Munki wiki.
CloudFront Middleware 2.0 is backwards compatible with Munki 3.6 and Apple's Python 2.7 runtime. Python 2.7 support will be removed in a future version.
Clone munki/munki locally and change into that directory. (use the Munki3dev
branch until Munki 4 is released).
Append rsa
to code/tools/py3_requirements.txt
. It should now look like this:
xattr==0.9.6
pyobjc==5.1.2
six
rsa
Run code/tools/build_python_framework.sh
to build Munki's Python.framework.
Run code/tools/make_munki_mpkg.sh
to build the munkitools package containing our Python.framework.
Install the resulting munkitools package.
Install middleware_cloudfront.py
to /usr/local/munki/
.
Set the munki preference SoftwareRepoURL
to your CloudFront Distribution URL.
Set CloudFront Middleware preferences for your Access Key ID and the resource expiration timeout in minutes. If unset expiration will default to 60 minutes.
sudo defaults write com.github.aaronburchfield.cloudfront access_id -string "YOURACCESSKEYID"
sudo defaults write com.github.aaronburchfield.cloudfront expire_after -int 30
If you are using an Alternate Domain Name, set the preference for your domain name.
sudo defaults write com.github.aaronburchfield.cloudfront domain_name -string "munki.megacorp.com"
Install a trusted signer's CloudFront private key and set strict permissions.
sudo cp pk-YOURACCESSKEYID.pem /usr/local/munki/munkiaccess.pem
sudo chown root:wheel /usr/local/munki/munkiaccess.pem
sudo chmod 400 /usr/local/munki/munkiaccess.pem
Run munki and verify that signed CloudFront requests are being made.
sudo managedsoftwareupdate --checkonly -vvv
The included luggage makefile can be used to create an installer package for CloudFront Middleware.
munkiaccess.pem
in the root of this repo.make pkg
and install.SoftwareRepoURL
to your CloudFront Distribution address and run munki.An alterative to setting values via defaults
is to use a profile. As of version 1.1, you can now include the CloudFront certificate and all other settings via a profile. This allows easy rotation of the certificate via alterative delivery methods like Mobile Device Management or a configuration management tool. It is still required to drop the middleware_cloudfront.py
file on disk into the proper directory.
To create a profile use the create_profile.py
script. See the help menu --help
for all options. Example usage can be seen below:
./create_profile.py --cert ~/Desktop/cloudfront.pem --access_id "XXXXXXX" --org_name "Example Org" --desc "Munki CloudFront Settings"