s3 和 cloudfront 上的静态托管问题 [OAI]
[英]Issue with static hosting on s3 and cloudfront [OAI]
问题描述
I created an s3 bucket, with static hosting enabled.
我创建了一个s3存储桶,启用了静态托管。 I created a cloudfront distribution with an access identity FOO .我创建了一个具有访问身份FOO的云端分发。
My goal is to have a cloudfront distribution that can access s3 (including paths) in order to serve a static website.我的目标是拥有一个可以访问 s3(包括路径)的云端发行版,以便为静态网站提供服务。
The policy on my bucket is:我的存储桶上的政策是:
{
"Version": "2012-10-17",
"Id": "...",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity FOO"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*"
}
]
}
I changed the origin name on the cloufront distribution to point to my s3 hosting address:我更改了 cloufront 发行版上的原始名称以指向我的 s3 托管地址:
my-bucket.s3-website-my-region-1.amazonaws.com
If I now visit the cloudfront address, I get Access Denied 403 .如果我现在访问云端地址,我会得到Access Denied 403 。
If I change the permissions of the index.html file on s3 in order to grant read and list permissions to everyone, then it all works.如果我更改 s3 上index.html文件的权限以授予每个人读取和列出权限,那么一切正常。
But, this feels like a hack, not to mention that I have to post-modify permissions after deploying and all.但是,这感觉像是一种 hack,更不用说我必须在部署后修改权限等等。
Is it possible to have static hosting on s3 that is only served through cloudfront with OAI?是否可以在 s3 上使用 OAI 仅通过云端提供静态托管?
2 个解决方案
解决方案1
0 2021-10-25 21:12:48
When using Amazon CloudFront to provide access to an Amazon S3 bucket using OAI, simply select the bucket in CloudFront rather than pointing to the website URL.使用 Amazon CloudFront 通过 OAI 提供对 Amazon S3 存储桶的访问时,只需在 CloudFront 中选择存储桶,而不是指向网站 URL。
The documentation says: "For Origin domain, select the bucket that you created."文档说:“对于 Origin 域,请选择您创建的存储桶。”
See: Use CloudFront to serve a static website hosted on Amazon S3请参阅: 使用 CloudFront 为托管在 Amazon S3 上的静态网站提供服务
If you want the root URL to default an index.html file, then you will need to configure this behaviour on the CloudFront Distribution rather than relying on S3 doing it for you.如果您希望根 URL 默认为index.html文件,那么您将需要在 CloudFront 分配上配置此行为,而不是依赖 S3 为您执行此操作。
See: Specifying a Default Root Object - Amazon CloudFront请参阅: 指定默认根对象 - Amazon CloudFront
解决方案2
0 2022-06-24 07:30:35
Along with s3:GetObject use listbucket permission as well then it works as expected与 s3:GetObject 一起使用 listbucket 权限,然后它按预期工作
{
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity FOO"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*"
},
{
"Sid": "2",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity FOO"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::my-bucket"
}
]
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.