
Cloudfront Setup

Step 1: Generate Private Key Locally

CLOUDFRONT_ENV=jodapp-{env}   # replace {env} with dev, qa or prod
# 1. Generate a 2048-bit RSA private key (this file is the signing secret; keep it out of version control)
openssl genrsa -out "aws-cloudfront-private-key-$CLOUDFRONT_ENV.pem" 2048

# 2. Extract the public key from the private key
openssl rsa -pubout -in "aws-cloudfront-private-key-$CLOUDFRONT_ENV.pem" -out "aws-cloudfront-public-key-$CLOUDFRONT_ENV.pem"

Step 2: Upload Public Key & Create Key Group in AWS

  • Navigate to CloudFront: Go to the AWS Management Console -> CloudFront.

  • Create Public Key:

    • In the left navigation pane, click Public keys.
    • Click Create public key.
    • Give it the same name as the file, without the extension (e.g. aws-cloudfront-public-key-jodapp-{env}).
    • Open your aws-cloudfront-public-key-jodapp-{env}.pem file with a text editor, copy the entire contents (including -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY-----), and paste it into the Key field.
    • Click Create.
  • Create Key Group:

    • In the left navigation pane, click Key groups.
    • Click Create key group.
    • Give it a name, like jodapp-dev-signer-group.
    • Select the public key you just created (e.g. jodapp-dev-signer-key) from the dropdown and click Add.
    • Click Create key group.

Step 3: Securely Store and Use Your Private Keys

This is the most critical step: the private key is the signing secret, so it must not be committed to the repository or left on disk. We will store it in AWS SSM Parameter Store as a SecureString.

For Production and QA (EC2 Instances):

Store the Private Key:

  • Navigate to AWS Systems Manager -> Parameter Store.
  • Click Create parameter.
  • Name: /jodapp/prod/CLOUDFRONT_PRIVATE_KEY
  • Tier: Standard
  • Type: SecureString (this encrypts the value at rest using AWS KMS).
  • Value: Copy the entire contents of your private_key_prod.pem file (the private key generated in Step 1, including the BEGIN/END lines) and paste it here.
  • Click Create parameter. Repeat for QA (/jodapp/qa/CLOUDFRONT_PRIVATE_KEY).

Grant Access via IAM Role:

  • Create an IAM Role for your production EC2 instances (e.g., jodapp-prod-app-role).
  • Attach a policy to this role that allows it to read only the specific parameter it needs (replace YOUR_REGION and YOUR_ACCOUNT_ID). If you encrypt the parameter with a customer managed KMS key instead of the default aws/ssm key, the role also needs kms:Decrypt on that key.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ssm:GetParameter",
      "Resource": "arn:aws:ssm:YOUR_REGION:YOUR_ACCOUNT_ID:parameter/jodapp/prod/CLOUDFRONT_PRIVATE_KEY"
    }
  ]
}
  • Application Code: In your Rails application, use the AWS SDK to fetch the parameter at startup (GetParameter with decryption enabled). The SDK automatically uses the EC2 instance's role for credentials, so neither the private key nor any access key is ever written to disk.
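As an added example (not the project's own code) of the startup fetch described above and of what the application then does with the key: the PEM is read from Parameter Store with with_decryption: true, parsed in memory only, and used to sign a CloudFront URL with a canned policy. ssm is assumed to be an Aws::SSM::Client from the aws-sdk-ssm gem; the parameter name comes from Step 3, while the key pair ID, URL and expiry are placeholders.

```ruby
require 'openssl'
require 'json'

# Fetch the PEM from Parameter Store at boot. `ssm` is an Aws::SSM::Client (aws-sdk-ssm);
# on EC2 the SDK resolves credentials from the instance role. Any object with the same
# get_parameter signature works (a test can stub it).
def fetch_cloudfront_private_key(ssm, name)
  resp = ssm.get_parameter(name: name, with_decryption: true) # SecureString: SSM decrypts via KMS
  OpenSSL::PKey::RSA.new(resp.parameter.value)                # parsed in memory, never written to disk
end

# CloudFront canned policy: exactly one resource URL, valid until `expires` (epoch seconds).
def canned_policy(url, expires)
  { 'Statement' => [{ 'Resource' => url,
                      'Condition' => { 'DateLessThan' => { 'AWS:EpochTime' => expires } } }] }.to_json
end

# CloudFront's URL-safe base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'.
def cloudfront_b64(bytes)
  [bytes].pack('m0').tr('+=/', '-_~')
end

def cloudfront_b64_decode(str)
  str.tr('-_~', '+=/').unpack1('m0')
end

# Sign a URL with the key fetched above. `key_pair_id` is the ID CloudFront shows for the
# public key uploaded in Step 2 (placeholder below). CloudFront verifies RSA-SHA1 signatures.
def signed_url(url, key_pair_id:, private_key:, expires:)
  policy    = canned_policy(url, expires)
  signature = private_key.sign(OpenSSL::Digest::SHA1.new, policy)
  sep = url.include?('?') ? '&' : '?'
  "#{url}#{sep}Expires=#{expires}&Signature=#{cloudfront_b64(signature)}&Key-Pair-Id=#{key_pair_id}"
end

# Usage in a Rails initializer (constructed example; values are placeholders):
#   key = fetch_cloudfront_private_key(Aws::SSM::Client.new, '/jodapp/prod/CLOUDFRONT_PRIVATE_KEY')
#   signed_url('https://d111111abcdef8.cloudfront.net/video.mp4',
#              key_pair_id: 'KEY_PAIR_ID_PLACEHOLDER', private_key: key, expires: 1.hour.from_now.to_i)
```

Keep the parsed key in a memoized constant or a singleton so GetParameter is called once per boot, not per request.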