[英]Access denied to cloudfront distribution s3
I'm uploading a website to S3 which I configured to be accessed via a cloudfront distribution.我正在将一个网站上传到 S3,我将其配置为通过云端分发进行访问。 When I access the distribution URL through in the browser I get:
当我在浏览器中访问分发 URL 时,我得到:
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>TKHNQGGSSHY3ZH6T</RequestId>
<HostId>zXD7uBIpJUGHaUl8m5/9xtm2cnvX/Kok6rYp0oz6RFbqJeLreohaOWHx4jHJ/F675UGxo1SfEYs=
</HostId>
</Error>
This is my sam cloudformation tempalte snippet, I'm guessing there's some issue with the StockMonitorFeBucketPolicy.这是我的 sam cloudformation 模板片段,我猜 StockMonitorFeBucketPolicy 有一些问题。
##################### FRONTEND
StockMonitorFeBucket:
Type: 'AWS::S3::Bucket'
DeletionPolicy: Delete
Properties:
BucketName: osotnikov-stock-monitor-front-end-resources-s3-bucket
AccessControl: Private
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
StockMonitorFeBucketDistributionOriginAccessIdentity:
Type: 'AWS::CloudFront::CloudFrontOriginAccessIdentity'
Properties:
CloudFrontOriginAccessIdentityConfig:
Comment: This is the origin access identity (simply user).
StockMonitorFeBucketDistribution:
Type: 'AWS::CloudFront::Distribution'
DependsOn:
- StockMonitorFeBucket
- StockMonitorFeBucketDistributionOriginAccessIdentity
Properties:
DistributionConfig:
Origins:
- DomainName: !GetAtt
- StockMonitorFeBucket
- DomainName
Id: StockMonitorFeBucketCloudFrontOrigin
S3OriginConfig:
OriginAccessIdentity: !Sub >-
origin-access-identity/cloudfront/${StockMonitorFeBucketDistributionOriginAccessIdentity}
Enabled: 'true'
DefaultCacheBehavior:
TargetOriginId: StockMonitorFeBucketCloudFrontOrigin
ForwardedValues:
QueryString: 'false'
ViewerProtocolPolicy: allow-all
StockMonitorFeBucketPolicy:
Type: 'AWS::S3::BucketPolicy'
DependsOn:
- StockMonitorFeBucket
- StockMonitorFeBucketDistributionOriginAccessIdentity
- StockMonitorFeBucketDistribution
Properties:
Bucket: !Ref StockMonitorFeBucket
PolicyDocument:
Statement:
- Sid: cloudFrontReadAccess
Effect: Allow
Principal:
CanonicalUser: !GetAtt
- StockMonitorFeBucketDistributionOriginAccessIdentity
- S3CanonicalUserId
Action: 's3:GetObject'
Resource: >-
arn:aws:s3:::osotnikov-stock-monitor-front-end-resources-s3-bucket/*
This is the bucket policy that it added after deployment:这是它在部署后添加的存储桶策略:
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "cloudFrontReadAccess",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1V8NTQPK5FD7P"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::osotnikov-stock-monitor-front-end-resources-s3-bucket/*"
}
]
}
Alternatively I try:或者我尝试:
Properties:
Bucket: !Ref StockMonitorFeBucket
PolicyDocument:
Statement:
- Sid: cloudFrontReadAccess
Effect: Allow
Principal:
AWS: !Join
- ' '
- - 'arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity'
- - !GetAtt [ StockMonitorFeBucketDistributionOriginAccessIdentity, S3CanonicalUserId ]
Action: 's3:GetObject'
Resource: >-
arn:aws:s3:::osotnikov-stock-monitor-front-end-resources-s3-bucket/*
But then I get:但后来我得到:
a string delimiter and (2) a list of strings to be joined or a function that returns a list of strings (such as Fn::GetAZs) to be joined.
I tried to change the principal to我试图将校长更改为
Principal: AWS: !Join [' ', ['arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity', !GetAtt [StockMonitorFeBucketDistributionOriginAccessIdentity, S3CanonicalUserId]]]
But I get Invalid principal in policy error但是我在政策错误中得到无效的主体
There is nothing wrong with your template (I deployed it).您的模板没有任何问题(我部署了它)。 It works as expected.
它按预期工作。 The only way to get
AccessDenied
in your case is due to lack of DefaultRootObject as index.html
defined.在您的情况下获得
AccessDenied
的唯一方法是由于缺少定义为index.html
的DefaultRootObject 。 Thus you have to explicitly add index.html
to your cloudfront url, eg:因此,您必须明确地将
index.html
添加到云端 url,例如:
http://21342sfssgdf.cloudfront.net/index.html
I just changed the Principal to我刚刚将校长更改为
CanonicalUser: !GetAtt StockMonitorFeBucketDistributionOriginAccessIdentity.S3CanonicalUserId
and it worked... maybe it's because I'm using sam idk它起作用了……也许是因为我在使用 sam idk
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.