
Access Denied error on s3 with cloudfront

I'm starting to build an infrastructure on AWS; the first step is to make a CloudFront service work with two different S3 buckets (I'm uploading a simple index.html to each bucket). For that I've made the following YAML to deploy via CloudFormation.

AWSTemplateFormatVersion: "2010-09-09"
Resources:
  UserBucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Private
      BucketName: my-user-bucket
      Tags:
        - Key: description
          Value: "User page files"
  AdminBucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Private
      BucketName: my-admin-bucket
      Tags:
        - Key: description
          Value: "Admin page files"
  # One OAI shared by both origins; the bucket policies below grant it read access.
  CloudFrontOriginAccessIdentity:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: 'origin identity'
  UserBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref UserBucket   # !Ref creates the dependency on the bucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            # Canonical OAI principal: "CloudFront Origin Access Identity <OAI id>", space-separated
            Principal:
              AWS: !Sub "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${CloudFrontOriginAccessIdentity}"
            Action:
              - 's3:GetObject'
            Resource:
              - !Sub "arn:aws:s3:::${UserBucket}/*"   # object ARNs only; no s3:ListBucket on the bucket ARN
  AdminBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref AdminBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${CloudFrontOriginAccessIdentity}"
            Action:
              - 's3:GetObject'
            Resource:
              - !Sub "arn:aws:s3:::${AdminBucket}/*"
  PublicDistribution:
    Type: AWS::CloudFront::Distribution
    DependsOn:
      - UserBucketPolicy
      - AdminBucketPolicy
    Properties:
      DistributionConfig:
        Origins:
          - Id: S3-my-user-bucket
            # Regional bucket endpoint, i.e. my-user-bucket.s3.sa-east-1.amazonaws.com when the stack is in sa-east-1
            DomainName: !GetAtt UserBucket.RegionalDomainName
            S3OriginConfig:
              OriginAccessIdentity: !Sub "origin-access-identity/cloudfront/${CloudFrontOriginAccessIdentity}"
          - Id: S3-my-admin-bucket
            DomainName: !GetAtt AdminBucket.RegionalDomainName
            S3OriginConfig:
              OriginAccessIdentity: !Sub "origin-access-identity/cloudfront/${CloudFrontOriginAccessIdentity}"
        # DefaultRootObject is applied only to requests for "/"; /user/ and /admin/ are forwarded unchanged.
        DefaultRootObject: index.html
        DefaultCacheBehavior:
          TargetOriginId: S3-my-user-bucket
          AllowedMethods:
            - GET
            - HEAD
          ForwardedValues:
            QueryString: false
            Cookies:
              Forward: none
          ViewerProtocolPolicy: allow-all   # also serves plain HTTP; redirect-to-https is the usual hardening
        # PathPatterns are tried in order against the full viewer path, and the matched
        # prefix is not stripped: /user/index.html asks the origin for key user/index.html.
        CacheBehaviors:
          - PathPattern: user/*
            TargetOriginId: S3-my-user-bucket
            AllowedMethods:
              - GET
              - HEAD
            ForwardedValues:
              QueryString: false
              Cookies:
                Forward: none
            ViewerProtocolPolicy: allow-all
          - PathPattern: admin/*
            TargetOriginId: S3-my-admin-bucket
            AllowedMethods:
              - GET
              - HEAD
            ForwardedValues:
              QueryString: false
              Cookies:
                Forward: none
            ViewerProtocolPolicy: allow-all
        Enabled: true
        Comment: Some comment
        ViewerCertificate:
          CloudFrontDefaultCertificate: true

As you can see, I'm trying to redirect the requests for user and admin using the CloudFront distribution behavior configuration.

I'm able to access the index.html file at foobar.cloudfront.net; for me that means that the OAI is working fine. But both foobar.cloudfront.net/admin/index.html and foobar.cloudfront.net/user/index.html return the error below, so I'm thinking that there's something wrong with the behavior and/or path:

<Error>
  <Code>AccessDenied</Code>
  <Message>Access Denied</Message>
  <RequestId>YRCKS4PAV9C11CR9</RequestId>
  <HostId>N9d3NJLrwZY1bECeTmXoQqRuDljsgFQk3C9pt5AX2pZyI4BEhTMCvJDB1uUAaQ4zUlppbvQbyOs=</HostId>
</Error>

Any ideas of what is wrong?

I believe you need to update your BucketPolicies to include both:

Action:
  - 's3:GetObject'
  - 's3:ListBucket'   # the IAM action is s3:ListBucket; there is no s3:ListObjects action

and

Resource to be both:

"arn:aws:s3:::my-user-bucket",    # bucket ARN, no trailing slash: s3:ListBucket is evaluated against this
"arn:aws:s3:::my-user-bucket/*"   # object ARNs: s3:GetObject
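The two mechanisms at play in the question and in the answer, modelled together as an added example (this is not code from the question, the answer or AWS): first, how a CloudFront behavior maps a viewer path to an S3 key, and second, why S3 answers 403 AccessDenied rather than 404 for a key that does not exist. The behaviours, origins and object listings are constructed to mirror the template above (user/* and admin/* behaviours, empty OriginPath, one index.html at the root of each bucket); the helper names resolve, s3_status and diagnose are this example's own.

```python
"""Model of the request path in the question: how a CloudFront behaviour maps a
viewer path to an S3 key, and what S3 answers an OAI that holds s3:GetObject
with or without s3:ListBucket.

Added example, not code from the original post or from AWS.  The behaviours,
origins and object listings are constructed to mirror the question's template
(user/* and admin/* behaviours, empty OriginPath, one index.html uploaded to
the root of each bucket).
"""
from fnmatch import fnmatchcase

# Behaviours in evaluation order: CloudFront tries CacheBehaviors as listed and
# falls back to DefaultCacheBehavior, whose pattern is "*".
BEHAVIOURS = [
    {"PathPattern": "user/*", "TargetOriginId": "S3-my-user-bucket"},
    {"PathPattern": "admin/*", "TargetOriginId": "S3-my-admin-bucket"},
    {"PathPattern": "*", "TargetOriginId": "S3-my-user-bucket"},  # DefaultCacheBehavior
]
ORIGINS = {
    "S3-my-user-bucket": {"Bucket": "my-user-bucket", "OriginPath": ""},
    "S3-my-admin-bucket": {"Bucket": "my-admin-bucket", "OriginPath": ""},
}
DEFAULT_ROOT_OBJECT = "index.html"

# Constructed object listing: what the question says was uploaded.
OBJECTS = {
    "my-user-bucket": {"index.html"},
    "my-admin-bucket": {"index.html"},
}


def resolve(viewer_path, behaviours=BEHAVIOURS, origins=ORIGINS,
            root_object=DEFAULT_ROOT_OBJECT):
    """Return the (bucket, key) that CloudFront requests from S3.

    The matched PathPattern prefix is NOT stripped: the whole viewer path is
    forwarded, with OriginPath (if any) prepended.  DefaultRootObject only
    rewrites the bare "/" request, never "/user/" or "/admin/".
    """
    path = viewer_path.lstrip("/")
    if path == "":
        path = root_object
    for behaviour in behaviours:
        if fnmatchcase(path, behaviour["PathPattern"]):
            origin = origins[behaviour["TargetOriginId"]]
            prefix = origin["OriginPath"].strip("/")
            key = f"{prefix}/{path}" if prefix else path
            return origin["Bucket"], key
    raise ValueError("no behaviour matched")  # unreachable while "*" is listed


def s3_status(bucket, key, list_bucket_allowed, objects=OBJECTS):
    """HTTP status S3 returns to a principal allowed s3:GetObject on bucket/*.

    For a key that does not exist S3 answers 403 AccessDenied unless the caller
    also holds s3:ListBucket on the bucket ARN; only then does it disclose
    404 NoSuchKey.  That is why a never-uploaded key shows up as AccessDenied.
    """
    if key in objects.get(bucket, set()):
        return 200
    return 404 if list_bucket_allowed else 403


def diagnose(viewer_path, list_bucket_allowed=False, objects=OBJECTS):
    """(bucket, key, status) for one viewer request against the modelled stack."""
    bucket, key = resolve(viewer_path)
    return bucket, key, s3_status(bucket, key, list_bucket_allowed, objects)


if __name__ == "__main__":
    for viewer_path in ("/", "/user/index.html", "/admin/index.html"):
        print(viewer_path, "->", diagnose(viewer_path),
              "| with ListBucket:", diagnose(viewer_path, True)[2])
    # Uploading the files under the prefixes the behaviours expect makes them resolve.
    fixed = {"my-user-bucket": {"index.html", "user/index.html"},
             "my-admin-bucket": {"admin/index.html"}}
    print("/admin/index.html after re-upload ->",
          diagnose("/admin/index.html", objects=fixed))
```

Run as a script it prints that "/" resolves to key index.html in my-user-bucket (200), while /user/index.html and /admin/index.html resolve to keys user/index.html and admin/index.html, which were never uploaded, so S3 answers 403. Granting s3:ListBucket on the bucket ARN, as the answer suggests, changes that 403 into a 404 and so makes the real cause visible; it does not by itself make the pages load. Either upload the files under the user/ and admin/ prefixes, or rewrite the path at the edge before it reaches the origin. Note also that ListBucket lets any caller tell existing keys from missing ones, which is a deliberate disclosure to accept only for buckets that hold nothing but public content.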
