This page covers provisioning and deploying the S3 bucket and CloudFront distribution that Oolvay uses for asset storage, and wiring the deployment outputs into your project.
Complete the steps in the Infrastructure page first. The AWS CLI profile and CDK bootstrap must be in place before running the commands on this page.
Run the deploy command from your project root.
```
bunx cdk deploy oolvay-infra-dev --app "bun run infra/app.ts" --profile dev-admin
```
Here, dev-admin is the profile we created on the Infrastructure page. If you used a different name, use that here instead. Because this step creates an IAM user with specific security-sensitive permissions, the terminal will ask for confirmation before proceeding. Type y when prompted.
S3 and IAM resources update in seconds, but CloudFront takes 3–7 minutes as AWS distributes your configuration to edge servers worldwide. Wait until you see the stack outputs before moving on.
AWS CDK appends a unique hash to resource names (for example, CoreInfrastructureStack-Dev-AppS3WorkerUser-A1B2C3D4), which prevents naming collisions across environments.
When the deployment finishes, the terminal prints the stack outputs. Copy those values. You will need them in the next step.
The values you need are:
| Output key | What it is |
|---|---|
| AWS region | The region your bucket was deployed to |
| S3 bucket name | The full name of your S3 bucket |
| AWS access key ID | Runtime app key to be used by your project server |
| AWS secret access key | Runtime app secret to be used by your project server |
| CloudFront URL | Your CloudFront distribution domain |
The AWS access key ID and AWS secret access key are the restricted runtime keys for the IAM user CDK created. These are not your dev-admin builder keys. Never put your dev-admin keys in .env.
Open .env.local and add the values from the terminal output.
```
# AWS Configuration
AWS_REGION=
AWS_S3_BUCKET_NAME=
# AWS Restricted App User Credentials
AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
# AWS CloudFront
NEXT_PUBLIC_CLOUDFRONT_URL=
```
No additional frontend configuration is required.
Oolvay automatically reads NEXT_PUBLIC_CLOUDFRONT_URL and configures both:
- images.remotePatterns (Next.js image configuration)
- img-src (Content Security Policy)

Once you add the CloudFront URL to .env.local, file uploads and image serving will work automatically.
The path restriction /avatars/ means the browser will only load images from
that specific prefix. Adjust the path to match however your application
organises files inside the bucket.
Files uploaded by your users take the following path:
AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. The bucket remains private and is not accessible from the public internet.
This keeps the bucket locked down while still delivering files quickly to users anywhere in the world.
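A pre-flight check for the .env.local values filled in above, added here as an example and not part of Oolvay's own code: it flags empty required values, credentials placed under a NEXT_PUBLIC_ name, and an AWS_ACCESS_KEY_ID that matches the dev-admin profile in the AWS credentials file. The function names and all sample values are assumptions constructed for illustration.

```typescript
type Finding = { key: string; problem: string };
const REQUIRED = ["AWS_REGION", "AWS_S3_BUCKET_NAME", "AWS_ACCESS_KEY_ID",
  "AWS_SECRET_ACCESS_KEY", "NEXT_PUBLIC_CLOUDFRONT_URL"];

// Parse KEY=VALUE lines; blank lines and # comments are skipped.
function parseEnv(text: string): Record<string, string> {
  const out: Record<string, string> = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf("=");
    if (line.charAt(0) === "#" || eq < 1) continue;
    out[line.slice(0, eq).trim()] = line.slice(eq + 1).trim().replace(/^["']|["']$/g, "");
  }
  return out;
}

// Read aws_access_key_id for one profile from ~/.aws/credentials text.
function profileAccessKey(credentials: string, profile: string): string | undefined {
  let current = "";
  for (const raw of credentials.split(/\r?\n/)) {
    const header = raw.trim().match(/^\[(.+)\]$/);
    if (header) { current = (header[1] ?? "").trim(); continue; }
    const kv = raw.trim().match(/^aws_access_key_id\s*=\s*(\S+)/);
    if (kv && current === profile) return kv[1];
  }
  return undefined;
}

function checkEnv(envText: string, credentials: string, adminProfile: string): Finding[] {
  const env = parseEnv(envText);
  const findings: Finding[] = [];
  for (const key of REQUIRED)
    if (!env[key]) findings.push({ key, problem: "missing or empty" });
  for (const key of Object.keys(env)) {
    // Next.js inlines NEXT_PUBLIC_ variables into the browser bundle.
    if (key.indexOf("NEXT_PUBLIC_") === 0 && /SECRET|ACCESS_KEY/.test(key))
      findings.push({ key, problem: "credential exposed to the browser" });
  }
  const adminKey = profileAccessKey(credentials, adminProfile);
  if (adminKey !== undefined && env["AWS_ACCESS_KEY_ID"] === adminKey)
    findings.push({ key: "AWS_ACCESS_KEY_ID", problem: "matches the builder profile key" });
  return findings;
}

// Constructed sample inputs (placeholder values, not real credentials).
const SAMPLE_CREDENTIALS = "[default]\naws_access_key_id = AKIAEXAMPLEDEFAULT00\n" +
  "[dev-admin]\naws_access_key_id = AKIAEXAMPLEADMIN0000\n";
const SAMPLE_ENV = "AWS_REGION=us-east-1\nAWS_S3_BUCKET_NAME=\nAWS_ACCESS_KEY_ID=AKIAEXAMPLEADMIN0000\n" +
  "AWS_SECRET_ACCESS_KEY=constructed-secret\nNEXT_PUBLIC_CLOUDFRONT_URL=https://example.cloudfront.net\n";
console.log(checkEnv(SAMPLE_ENV, SAMPLE_CREDENTIALS, "dev-admin"));
```

To use it on real files, pass the text of .env.local and of the AWS credentials file to `checkEnv` and treat any returned finding as a reason to stop before starting the server.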
To tear down the S3 bucket and CloudFront distribution and return to a clean state, run:
```
bunx cdk destroy oolvay-infra-dev --app "bun run infra/app.ts" --profile dev-admin
```
This permanently deletes the S3 bucket and all files inside it. Do not run this against a production environment.