简体繁体 English

访问另一个帐户上传的文件时，Cloudfront 403错误

[英]Cloudfront 403 error while accessing files uploaded by another account

原文 2016-09-22 11:15:01 7 2 amazon-web-services/ file-upload/ amazon-s3/ amazon-cloudfront

I have a Cloudfront distribution which takes one of my s3 buckets as its origin server. 我有一个Cloudfront发行版，它将我的s3存储桶之一作为其原始服务器。 The files are uploaded to s3 by a third party attachment uploader. 这些文件由第三方附件上传器上传到s3。

When I try to access the file in s3 via cloudfront I am getting a 403 Forbidden error with an Access Denied XML (as below). 当我尝试通过cloudfront在s3中访问文件时，出现“ 403禁止访问”错误，并显示访问被拒绝XML（如下所示）。 But when I manually upload files to the s3 bucket I am able to access the file via cloudfront. 但是，当我手动将文件上传到s3存储桶时，我可以通过cloudfront访问该文件。

The permission for both the files are same except the owner of the file. 除文件所有者外，这两个文件的权限相同。 For the file uploaded by me manually the owner, of the file is my account and for the file uploaded by the uploader, it is the uploader. 对于由我手动上传的文件，文件所有者是我的帐户，对于由上传者上传的文件，它就是上传者。 The third party attachment uploader gives full access of the object to the bucket owner. 第三方附件上传器将对象的完整访问权限授予存储桶所有者。 Also, I have restricted bucket access but not viewer access. 另外，我限制了存储桶访问权限，但没有查看者访问权限。

What are the reasons which can cause this error? 可能导致此错误的原因是什么？ How do I go about debugging this? 我该如何调试呢？

2 个解决方案

When a second AWS account uploads content to an S3 bucket serving content via CloudFront with OAI, the uploaded file needs to have the OAI canonical ID added with the --grant read=id="OAI-canonical-ID" when the file is uploade; 当第二个AWS账户通过CloudFront使用OAI将内容上传到提供内容的S3存储桶时，上传的文件需要在上传文件时添加OAI规范ID并加上--grant read = id =“ OAI-canonical-ID” ; also add the S3 bucket owner as a grant full=id="BucketOwnerID". 还将S3存储桶所有者添加为授予full = id =“ BucketOwnerID”。 The aws cli was used to perform the uploaded. 使用aws cli执行上传。 Adjust according for the method that is used. 根据使用的方法进行调整。 When the file is viewed in the S3 bucket, the permissions will have CloudFront listed as a grantee. 在S3存储桶中查看文件时，该权限会将CloudFront列为受让人。 The file should be readable via CloudFront. 该文件应可通过CloudFront读取。

It is possible that the "Access Denied" response you are receiving is a response from S3 that is cached by CloudFront from before the object was available in S3. 您接收到的“访问被拒绝”响应很可能是来自S3的响应，该响应是CloudFront从该对象在S3中可用之前缓存的。

For example, if you try the CloudFront URL and the file does not exist in S3, then you'll get the "Access Denied" response. 例如，如果您尝试使用CloudFront URL并且S3中不存在该文件，则您将收到“拒绝访问”响应。 Even after uploading the file, CloudFront will have the "Access Denied" response cached until the end of the TTL. 即使上传文件后，CloudFront也会缓存“访问被拒绝”响应，直到TTL结束。 During this time, you will continue to receive the "Access Denied" response. 在此期间，您将继续收到“访问被拒绝”响应。

Try invalidating the distribution. 尝试使分布无效。 After that, request the file and see if you get the correct response. 之后，请求文件，看看是否得到正确的响应。

If this solves the problem, then you need to figure out how to avoid requesting the object from CloudFront before it exists in S3. 如果这解决了问题，那么您需要弄清楚如何避免在S3中存在对象之前从CloudFront请求该对象。