Victor Lyuboslavsky
Available in Fleet Premium.
Fleet v4.63.0 allows you to use CloudFront signed URLs for downloading MDM bootstrap packages and software installation packages to your hosts. This speeds up onboarding for organizations that onboard new employees at different headquarters across the world.
CloudFront signed URLs grant access to a specific CloudFront distribution resource and are valid for a specified duration.
To add a CloudFront distribution with a signer to your S3 bucket, follow the instructions in the AWS documentation or the How to securely serve private CDN content using CloudFront guide written by one of our engineers.
To configure S3 and CloudFront in Fleet, use the S3 server configuration options. Set these options via the command line, environment variables, or a configuration file.
To enable CloudFront signed URLs, set the following options in your Fleet server configuration:
- s3_software_installers_cloudfront_url: The base URL of your CloudFront distribution, such as https://d1234567890.cloudfront.net.
- s3_software_installers_cloudfront_url_signing_public_key_id: The CloudFront signer's key pair ID, such as K1HFGXOMBB6TFF.
- s3_software_installers_cloudfront_url_signing_private_key: The CloudFront signer's private key, such as -----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAz...
The FLEET_S3_SOFTWARE_INSTALLERS_CLOUDFRONT_URL_SIGNING_PRIVATE_KEY environment variable can be set from a file. On macOS, this requires GNU sed (gsed) to replace newlines with \n characters:
export FLEET_S3_SOFTWARE_INSTALLERS_CLOUDFRONT_URL_SIGNING_PRIVATE_KEY=$(cat ./private_key.pem | gsed -z 's/\n/\\n/g')
Non-signed CDN URLs are not secure and are not supported.
Once configured, Fleet will automatically use CloudFront signed URLs to install MDM bootstrap packages and software packages on your hosts. The signed URLs are generated on the fly and are valid for six hours.
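To make concrete what happens when a signed URL is generated on the fly, here is an added example, not Fleet's own code and not the AWS SDK, that builds and checks a CloudFront canned-policy signed URL with only the Go standard library. The canned-policy JSON, the RSA-SHA1 PKCS#1 v1.5 signature and the CloudFront base64 alphabet (+ becomes -, = becomes _, / becomes ~) are AWS's documented scheme; the function names, the sample resource URL and the six-hour expiry in main are this example's own choices, and the two env helpers assume the \n-flattened PEM form that the environment variable above uses.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// cannedPolicy returns the CloudFront canned policy for one resource URL.
// CloudFront rebuilds this exact byte string from the URL and the Expires
// parameter when it checks a signature, so key order and the absence of
// whitespace are part of the format.
func cannedPolicy(resource string, expires time.Time) string {
	return fmt.Sprintf(`{"Statement":[{"Resource":"%s","Condition":{"DateLessThan":{"AWS:EpochTime":%d}}}]}`,
		resource, expires.Unix())
}

// cfEncode applies CloudFront's URL-safe base64 variant; cfDecode reverses it.
func cfEncode(b []byte) string {
	return strings.NewReplacer("+", "-", "=", "_", "/", "~").Replace(base64.StdEncoding.EncodeToString(b))
}

func cfDecode(s string) ([]byte, error) {
	return base64.StdEncoding.DecodeString(strings.NewReplacer("-", "+", "_", "=", "~", "/").Replace(s))
}

// ParsePrivateKeyFromEnv parses a PKCS#1 RSA private key given in the single-line
// form used for the environment variable, where each newline is the two
// characters backslash and n (assumed format, matching the gsed one-liner).
func ParsePrivateKeyFromEnv(value string) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode([]byte(strings.ReplaceAll(value, `\n`, "\n")))
	if block == nil || block.Type != "RSA PRIVATE KEY" {
		return nil, errors.New("value is not a PEM-encoded RSA PRIVATE KEY")
	}
	return x509.ParsePKCS1PrivateKey(block.Bytes)
}

// EncodePrivateKeyForEnv is the inverse: PEM-encode the key and flatten newlines.
func EncodePrivateKeyForEnv(key *rsa.PrivateKey) string {
	p := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return strings.ReplaceAll(string(p), "\n", `\n`)
}

// SignURL appends Expires, Signature and Key-Pair-Id to resource using a canned policy.
func SignURL(resource, keyPairID string, key *rsa.PrivateKey, expires time.Time) (string, error) {
	digest := sha1.Sum([]byte(cannedPolicy(resource, expires)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA1, digest[:])
	if err != nil {
		return "", err
	}
	sep := "?"
	if strings.Contains(resource, "?") {
		sep = "&"
	}
	return fmt.Sprintf("%s%sExpires=%d&Signature=%s&Key-Pair-Id=%s",
		resource, sep, expires.Unix(), cfEncode(sig), keyPairID), nil
}

// VerifySignedURL checks a URL the way CloudFront would: the key pair ID must match,
// now must be before Expires, and the signature must cover the canned policy rebuilt
// from the resource and Expires. It assumes the three signing parameters were
// appended last, as SignURL does, so the resource is everything before "Expires=".
func VerifySignedURL(signed, keyPairID string, pub *rsa.PublicKey, now time.Time) error {
	i := strings.Index(signed, "?Expires=")
	if i < 0 {
		i = strings.Index(signed, "&Expires=")
	}
	if i < 0 {
		return errors.New("no Expires parameter")
	}
	resource := signed[:i]
	u, err := url.Parse(signed)
	if err != nil {
		return err
	}
	q := u.Query()
	if q.Get("Key-Pair-Id") != keyPairID {
		return errors.New("key pair ID mismatch")
	}
	exp, err := strconv.ParseInt(q.Get("Expires"), 10, 64)
	if err != nil {
		return errors.New("bad Expires")
	}
	if !now.Before(time.Unix(exp, 0)) {
		return errors.New("URL expired")
	}
	sig, err := cfDecode(q.Get("Signature"))
	if err != nil {
		return errors.New("bad Signature encoding")
	}
	digest := sha1.Sum([]byte(cannedPolicy(resource, time.Unix(exp, 0))))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], sig); err != nil {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	// Constructed demo: a fresh key, the distribution and key pair ID from the text,
	// and a six-hour validity window.
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	signed, err := SignURL("https://d1234567890.cloudfront.net/installers/pkg.dmg", "K1HFGXOMBB6TFF", key, time.Now().Add(6*time.Hour))
	if err != nil {
		panic(err)
	}
	fmt.Println(signed)
	fmt.Println("verify:", VerifySignedURL(signed, "K1HFGXOMBB6TFF", &key.PublicKey, time.Now()))
}
```

VerifySignedURL is the useful half for a defender: given a URL pulled from a host's log and the public key of the signer, it tells you whether the URL was minted by your key, whether it is still inside its window, and whether the resource path was altered after signing.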
If the Fleet server encounters an error while generating a signed URL for the bootstrap package, it will fall back to using the Fleet server's URL.
If the Orbit agent encounters an error while downloading a software package using a signed URL, it will retry the download using the Fleet server's URL.
To make sure that the signed URLs are working correctly, you can check the CloudFront logs (if enabled) as well as APM or Fleet server debug logs. In APM or Fleet server logs, you should NOT see devices downloading packages from the Fleet server's non-CDN API paths, such as:
GET /api/v1/fleet/bootstrap
POST /api/fleet/orbit/software_install/package
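As an added example of the check described above (not Fleet's code, and the logfmt-style line layout with method= and path= fields is an assumption made for the sample, not Fleet's actual log format), this small Go program scans server log lines for the two non-CDN download endpoints and reports any hits, ignoring query strings on the path:

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// nonCDNDownloads maps each method to the Fleet server API path that hosts should
// no longer use for package downloads once CloudFront signed URLs are configured.
var nonCDNDownloads = map[string]string{
	"GET":  "/api/v1/fleet/bootstrap",
	"POST": "/api/fleet/orbit/software_install/package",
}

// Hit records one request that was served by the Fleet server instead of the CDN.
type Hit struct {
	Line   int
	Method string
	Path   string
}

// parseLogfmt splits a line such as `level=info method=GET path=/x status=200`
// into key/value pairs (assumed field layout, constructed for this example).
func parseLogfmt(line string) map[string]string {
	kv := map[string]string{}
	for _, tok := range strings.Fields(line) {
		if k, v, ok := strings.Cut(tok, "="); ok {
			kv[k] = strings.Trim(v, `"`)
		}
	}
	return kv
}

// FindNonCDNDownloads returns every request whose method and path (without query
// string) match one of the non-CDN download endpoints.
func FindNonCDNDownloads(logs string) []Hit {
	var hits []Hit
	sc := bufio.NewScanner(strings.NewReader(logs))
	for n := 1; sc.Scan(); n++ {
		kv := parseLogfmt(sc.Text())
		path, _, _ := strings.Cut(kv["path"], "?")
		if want, ok := nonCDNDownloads[kv["method"]]; ok && path == want {
			hits = append(hits, Hit{Line: n, Method: kv["method"], Path: path})
		}
	}
	return hits
}

// sampleLogs is constructed input, not real Fleet server output.
const sampleLogs = `level=info method=GET path=/api/v1/fleet/bootstrap?token=abc status=200
level=info method=GET path=/api/v1/fleet/config status=200
level=info method=POST path=/api/fleet/orbit/software_install/package status=200
level=info method=GET path=/api/fleet/orbit/software_install/package status=405
level=info method=POST path=/api/fleet/orbit/config status=200`

func main() {
	for _, h := range FindNonCDNDownloads(sampleLogs) {
		fmt.Printf("line %d: %s %s served by the Fleet server, not CloudFront\n", h.Line, h.Method, h.Path)
	}
}
```

On the constructed input, lines 1 and 3 are flagged; a clean deployment should produce no hits after the CloudFront options are in place.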
Using CloudFront signed URLs with Fleet can help speed up downloads and reduce the load on your Fleet server. If you have any questions or need help configuring CloudFront signed URLs, please contact our support team.