拒绝访问云端分发 s3

Question

I'm uploading a website to S3 which I configured to be accessed via a cloudfront distribution.我正在将一个网站上传到 S3，我将其配置为通过云端分发进行访问。 When I access the distribution URL through in the browser I get:当我在浏览器中访问分发 URL 时，我得到：

<Error>
   <Code>AccessDenied</Code>
   <Message>Access Denied</Message>
   <RequestId>TKHNQGGSSHY3ZH6T</RequestId>
   <HostId>zXD7uBIpJUGHaUl8m5/9xtm2cnvX/Kok6rYp0oz6RFbqJeLreohaOWHx4jHJ/F675UGxo1SfEYs= 
   </HostId>
</Error>

This is my sam cloudformation tempalte snippet, I'm guessing there's some issue with the StockMonitorFeBucketPolicy.这是我的 sam cloudformation 模板片段，我猜 StockMonitorFeBucketPolicy 有一些问题。

##################### FRONTEND

  StockMonitorFeBucket:
    Type: 'AWS::S3::Bucket'
    DeletionPolicy: Delete
    Properties:
      BucketName: osotnikov-stock-monitor-front-end-resources-s3-bucket
      AccessControl: Private
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
  StockMonitorFeBucketDistributionOriginAccessIdentity:
    Type: 'AWS::CloudFront::CloudFrontOriginAccessIdentity'
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: This is the origin access identity (simply user).
  StockMonitorFeBucketDistribution:
    Type: 'AWS::CloudFront::Distribution'
    DependsOn:
      - StockMonitorFeBucket
      - StockMonitorFeBucketDistributionOriginAccessIdentity
    Properties:
      DistributionConfig:
        Origins:
          - DomainName: !GetAtt
              - StockMonitorFeBucket
              - DomainName
            Id: StockMonitorFeBucketCloudFrontOrigin
            S3OriginConfig:
              OriginAccessIdentity: !Sub >-
                origin-access-identity/cloudfront/${StockMonitorFeBucketDistributionOriginAccessIdentity}
        Enabled: 'true'
        DefaultCacheBehavior:
          TargetOriginId: StockMonitorFeBucketCloudFrontOrigin
          ForwardedValues:
            QueryString: 'false'
          ViewerProtocolPolicy: allow-all
  StockMonitorFeBucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    DependsOn:
      - StockMonitorFeBucket
      - StockMonitorFeBucketDistributionOriginAccessIdentity
      - StockMonitorFeBucketDistribution
    Properties:
      Bucket: !Ref StockMonitorFeBucket
      PolicyDocument:
        Statement:
          - Sid: cloudFrontReadAccess
            Effect: Allow
            Principal:
              CanonicalUser: !GetAtt
                - StockMonitorFeBucketDistributionOriginAccessIdentity
                - S3CanonicalUserId
            Action: 's3:GetObject'
            Resource: >-
              arn:aws:s3:::osotnikov-stock-monitor-front-end-resources-s3-bucket/*

This is the bucket policy that it added after deployment:这是它在部署后添加的存储桶策略：

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "cloudFrontReadAccess",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1V8NTQPK5FD7P"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::osotnikov-stock-monitor-front-end-resources-s3-bucket/*"
        }
    ]
}

Alternatively I try:或者我尝试：

Properties:
      Bucket: !Ref StockMonitorFeBucket
      PolicyDocument:
        Statement:
          - Sid: cloudFrontReadAccess
            Effect: Allow
            Principal:
              AWS: !Join
                - ' '
                - - 'arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity'
                - - !GetAtt [ StockMonitorFeBucketDistributionOriginAccessIdentity, S3CanonicalUserId ]
            Action: 's3:GetObject'
            Resource: >-
              arn:aws:s3:::osotnikov-stock-monitor-front-end-resources-s3-bucket/*

But then I get:但后来我得到：

 a string delimiter and (2) a list of strings to be joined or a function that returns a list of strings (such as Fn::GetAZs) to be joined.

I tried to change the principal to我试图将校长更改为

Principal: AWS: !Join [' ', ['arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity', !GetAtt [StockMonitorFeBucketDistributionOriginAccessIdentity, S3CanonicalUserId]]]

But I get Invalid principal in policy error但是我在政策错误中得到无效的主体

Answer 1

There is nothing wrong with your template (I deployed it).您的模板没有任何问题（我部署了它）。 It works as expected.它按预期工作。 The only way to get AccessDenied in your case is due to lack of DefaultRootObject as index.html defined.在您的情况下获得AccessDenied的唯一方法是由于缺少定义为index.html的DefaultRootObject 。 Thus you have to explicitly add index.html to your cloudfront url, eg:因此，您必须明确地将index.html添加到云端 url，例如：

http://21342sfssgdf.cloudfront.net/index.html

Answer 2

I just changed the Principal to我刚刚将校长更改为

CanonicalUser: !GetAtt StockMonitorFeBucketDistributionOriginAccessIdentity.S3CanonicalUserId

and it worked... maybe it's because I'm using sam idk它起作用了……也许是因为我在使用 sam idk

拒绝访问云端分发 s3

问题描述

2 个解决方案

解决方案1
0 2023-01-08 04:58:09

解决方案2
0 2023-01-08 16:59:39

拒绝访问云端分发 s3

问题描述

2 个解决方案

解决方案1 0 2023-01-08 04:58:09

解决方案2 0 2023-01-08 16:59:39

解决方案1
0 2023-01-08 04:58:09

解决方案2
0 2023-01-08 16:59:39