Oolvay’s cloud infrastructure is provisioned with the AWS CDK and managed entirely from your project’s infra/ directory. This page covers the shared setup that both Storage and Email depend on. Storage and Email pick up from where this page leaves off.
Running the Oolvay CDK stack creates the following AWS resources:
| Resource | Service | Purpose |
|---|---|---|
| Private bucket | S3 | Stores user-uploaded files (avatars, attachments) |
| CDN distribution | CloudFront | Serves files to users globally with caching |
| Runtime IAM user | IAM | Restricted credentials your Next.js server uses at runtime |
| Email identity | SES | (Optional) Domain verification for transactional email |
You only need one AWS account and one CDK deployment. Storage and email are separate stacks but share the same bootstrap and profile setup described on this page.
Before running any CDK commands, you need:
An IAM admin user with AdministratorAccess, used only by you to build infrastructure and never by the app itself.
Do not use your AWS root account credentials. Create a dedicated IAM admin user and generate access keys for it.
Install the AWS CLI for your operating system.

```bash
brew install awscli
```

Confirm the CLI is installed.

```bash
aws --version
```

Configure a named profile using your IAM admin user’s access keys. The profile name dev-admin is used throughout this guide; you can choose any name you like, but use it consistently.

```bash
aws configure --profile dev-admin
```

You will be prompted for four values:
| Prompt | Value |
|---|---|
| AWS Access Key ID | Paste the access key ID from your IAM admin user |
| AWS Secret Access Key | Paste the secret access key from your IAM admin user |
| Default region name | Your preferred AWS region, e.g., us-east-1 or ap-south-1 |
| Default output format | json |
The profile nickname chosen here is dev-admin. From now on, every command issued to AWS carries --profile dev-admin so the CLI knows which credentials to use.
Confirm the profile is working by pinging AWS for your caller identity.
```bash
aws sts get-caller-identity --profile dev-admin
```

A successful response returns your account ID, user ID, and ARN. If you see an error, double-check that your access keys were copied correctly.
The CDK needs a one-time staging area in your AWS account before it can deploy anything. This is called bootstrapping.
Run the bootstrap command from your project root.
```bash
bunx cdk bootstrap --app "bun run infra/app.ts" --profile dev-admin
```

This creates a CloudFormation stack named CDKToolkit in your account. The stack contains an S3 bucket and IAM roles that the AWS CDK uses internally to stage assets and perform deployments.
You will only ever run this once per AWS account and region.
Wait for the bootstrap to complete. You will see CloudFormation progress in the terminal. When it finishes, you are ready to deploy your application stacks.
The bootstrap bucket follows the naming pattern cdk-hnb659fds-assets-[ACCOUNT-ID]-[REGION]. It is managed by the CDK and you do not need to interact with it directly.
Your Oolvay project ships with a ready-to-use infra/ directory. You do not need to write any CDK code. The blueprints are already there.
| File | Role |
|---|---|
| cdk.json | Tells the CDK CLI to use Bun to execute the app |
| app.ts | Entry point that instantiates your stacks |
| stacks/core-stack.ts | Defines the core AWS infrastructure, including S3, CloudFront, and runtime IAM resources |
| stacks/ses-stack.ts | Defines optional AWS SES email infrastructure |
Oolvay uses two completely separate sets of AWS credentials. It is important not to mix them up.
| Credential pair | Nickname | Used by | Stored in |
|---|---|---|---|
| IAM admin keys | dev-admin | You, in the terminal, to build infrastructure | ~/.aws/ on your machine only |
| Runtime app keys | (no profile) | Your Next.js server to read and write files | .env.local |
Never put your dev-admin keys in .env. Never use your runtime app keys to run CDK commands.
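As an added example, not code from the Oolvay project or this guide, here is a small Python preflight check that enforces the rule above: it parses a constructed ~/.aws/credentials and .env.local and reports any variable that would hand the dev-admin profile's credentials to the app, including an AWS_PROFILE entry pointing at that profile. The file contents and key ids are constructed placeholders, not real credentials.

```python
import configparser
import re

# Constructed samples for this example (placeholder key ids, not real credentials).
SAMPLE_AWS_CREDENTIALS = """[dev-admin]
aws_access_key_id = AKIAPLACEHOLDERADMIN
aws_secret_access_key = placeholder-admin-secret
"""
# A .env.local that correctly carries only the runtime app keys.
SAMPLE_ENV_LOCAL_OK = """AWS_ACCESS_KEY_ID=AKIAPLACEHOLDERRUNTIME
AWS_SECRET_ACCESS_KEY="placeholder-runtime-secret"
"""
# A .env.local where the admin key id was pasted by mistake, plus AWS_PROFILE pointing at it.
SAMPLE_ENV_LOCAL_BAD = """# copied from the dev-admin profile by mistake
export AWS_ACCESS_KEY_ID=AKIAPLACEHOLDERADMIN
AWS_PROFILE=dev-admin
"""
# KEY=value with optional leading "export"; comment and blank lines never match.
ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_env(text):
    """Parse dotenv-style text into a dict, stripping matching surrounding quotes."""
    env = {}
    for line in text.splitlines():
        m = ENV_LINE.match(line)
        if not m:
            continue
        name, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[name] = value
    return env

def profile_keys(credentials_text, profile):
    """Return the key/value pairs of one profile section of an AWS credentials file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(credentials_text)
    return dict(cp.items(profile)) if cp.has_section(profile) else {}

def find_admin_leaks(env_text, credentials_text, profile="dev-admin"):
    """Names of .env.local variables that would hand the admin profile's access to the app."""
    env = parse_env(env_text)
    admin = profile_keys(credentials_text, profile)
    pairs = (("AWS_ACCESS_KEY_ID", "aws_access_key_id"),
             ("AWS_SECRET_ACCESS_KEY", "aws_secret_access_key"))
    leaks = [e for e, c in pairs if env.get(e) and env.get(e) == admin.get(c)]
    if env.get("AWS_PROFILE") == profile:  # the SDK would load the admin keys from ~/.aws anyway
        leaks.append("AWS_PROFILE")
    return leaks
```

Run it against the real files before each deploy or app start; an empty result means .env.local carries nothing from the admin profile.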
S3 is a private warehouse. Your Next.js server uploads files directly to it using the runtime app keys. The bucket itself is never exposed to the public internet.
CloudFront is the public-facing storefront. When a user’s browser loads an image, it talks to CloudFront, not S3 directly. CloudFront fetches the file from S3, caches it at an edge location near the user, and serves it. This keeps the bucket private while still delivering files fast.
| Service | Scope | Description |
|---|---|---|
| IAM | Global | Users and roles exist across all regions. |
| CloudFront | Global | Content is distributed to edge locations worldwide. |
| S3 | Regional | Your bucket lives in the configured AWS region. |
With the AWS CLI configured and CDK bootstrapped, you are ready to deploy the individual service stacks.