Configure CORS when accessing AWS ELB service using AWS-SDK-JS

Question

I'm working on a ELB monitoring application that I'd like to build with JS and host directly in S3. I have no experience of JS and I'm struggling to get to grips with CORS.

I have successfully created a build of the SDK for my browser (http://docs.aws.amazon.com/AWSJavaScriptSDK/guide/browser-building.html) which includes ELB API support.

I have integrated Amazon login (http://docs.aws.amazon.com/AWSJavaScriptSDK/guide/browser-configuring-wif.html) with my script and I have attached it to an IAM WebIdentity role.

When I call

elb.describeInstanceHealth(elbRequestParams).on('success', describeInstanceHealthCallback).send();

I get an error in Javascript console

XMLHttpRequest cannot load 'elasticloadbalancing.eu-west-1.amazonaws.com/'. The request was redirected to 'aws.amazon.com/elasticloadbalancing', which is disallowed for cross-origin requests that require preflight.

I can't find any clear documentation that what I'm trying to do won't work, but, I'll admit I'm confused by some of the terms in the documentation and I have no experience of CORS in previous applications to fall back on. I would think the whole JS-SDK for the browser is a bit redundant if the majority of services aren't CORS aware and need to be.

I can get this working by disabling web-security in my Chrome browser, obviously this isn't a good workaround but would indicate to me that CORS is the issue.

Is anyone familiar with this approach, is it a problem that I'm hosting on S3, or, would I have this problem from any server? Should I be configuring my S3 bucket with CORS, or, is it that there's no CORS policy on the 'elasticloadbalancing.eu-west-1.amazonaws.com' endpoint?

Thanks

Andrew

Answer 1

I have successfully created a build of the SDK for my browser (http://docs.aws.amazon.com/AWSJavaScriptSDK/guide/browser-building.html) which includes ELB API support.

The referenced page already provides the first clue towards the lack of CORS support for elasticloadbalancing.eu-west-1.amazonaws.com you correctly suspect to be the cause here:

If you are working with the SDK outside of an environment that enforces CORS in your browser and want access to the full gamut of services provided by the AWS SDK for JavaScript, it is possible to build a custom copy of the SDK locally by cloning the repository and running the same build tools used to generate the default hosted version of the SDK.

That is, the main reason for the official AWS SDK for JavaScript in the Browser excluding all but the currently 5 services listed in section Supported Services within Working with Services in the Browser is their lack of CORS support:

It is possible to use the SDK with other services if CORS security checking is disabled in your environment. In this case, you can build your own custom version of the SDK. See the Building the SDK section of the guide for more information on how to create a custom build of the SDK.

Unfortunately neither Amazon EC2 nor Elastic Load Balancing currently offers CORS support, see e.g. this recent Feature Request (CORS support for EC2 service), where the author rightfully reaches the same conclusion as you did already (while also hinting on Node.js to be another major use case, which supports all available AWS services, see Working with Services in Node.js):

From my point of view if AWS is providing a aws-sdk-js library all AWS services supported by this library should support CORS so that the aws-sdk-js iibrary is not just useable in a node.js environment but also in a browser.

While I agree in principle and would have expected faster turnaround times on this myself, AWS is well known for an agile approach to product development, i.e. start early with a small feature set and improve over time based on customer feedback. Notably the SDK is labeled Developer Preview only, i.e. not even BETA yet and I'd hope this to be addressed in the future accordingly - admittedly this is easily overlooked and a more prominent warning might go a long way in sparing users the time to figure out this limitation by themselves.