![](/img/trans.png)
[英]Cloudformation template - S3 bucket website with cloudfront distribution - distribution can't access origin
[英]CloudFront distribution can't access S3 bucket for website static assets
这个问题跟上一个问题一样,我决定关闭它,因为代码改变了一点,这个问题不再反映我的实际情况。
我正在尝试部署一个托管我的 static 网站资产的 S3 存储桶和一个云端分发来访问它,但该分发仍然返回一个裸露的 csv 文件以显示“访问被拒绝”错误:
正如此文档页面在蓝色通知警报中所述,我没有将存储桶设为网站端点,这样我可以使用 OAC 来限制对其内容的访问。
奇怪的是,从 web 控制台检查分发来源时,我看到了这个蓝色警报,但可复制策略与我在给定链接的存储桶权限中找到的相同。
我在部署期间没有出错,所以这一定是一个愚蠢的配置错误,但自一周以来它一直让我头疼,我无法弄清楚出了什么问题。
由于 mi 网站资产是从不同的项目/管道上传到存储桶的,我按照本指南检查存储桶和 object 所有者是否不同但实际上对应:
> aws s3api list-buckets --query Owner.ID
"3fdbd1e5cad4dd2bbf4c66a3dbaded6b888fdb67ff6aa6e66203a4107fe17b72"
> aws s3api list-objects --bucket my-test-bucket --prefix index.html
{
"Contents": [
{
"Key": "index.html",
"LastModified": "2023-01-20T11:05:38+00:00",
"ETag": "\"52f2df5ddf8c35391f3f15a7614def58\"",
"Size": 325,
"StorageClass": "STANDARD",
"Owner": {
"ID": "3fdbd1e5cad4dd2bbf4c66a3dbaded6b888fdb67ff6aa6e66203a4107fe17b72"
}
}
]
}
Resources:
BucketPolicy:
Type: 'AWS::S3::BucketPolicy'
DependsOn:
- AppBucket
- CloudFrontDistribution
Properties:
Bucket: !Ref AppBucket
PolicyDocument:
Id: MyPolicy
Version: '2012-10-17'
Statement:
Sid: PolicyForCloudFrontPrivateContent
Action: s3:GetObject
Effect: Allow
Principal:
Service: cloudfront.amazonaws.com
Condition:
StringEquals:
AWS:SourceArn: !Sub arn:aws:cloudfront::${AWS::AccountId}:distribution/${CloudFrontDistribution}
Resource: !Sub arn:aws:s3:::${AppBucket}/*
CloudFrontDistribution:
Type: AWS::CloudFront::Distribution
DependsOn:
- AppBucket
- DefaultCachePolicy
- DistributionOAC
Properties:
DistributionConfig:
Enabled: true
Origins:
- Id: AppBucket
DomainName: !GetAtt AppBucket.DomainName
OriginPath: /*
S3OriginConfig: {}
OriginAccessControlId: !Ref DistributionOAC
DefaultRootObject: index.html
DefaultCacheBehavior:
ViewerProtocolPolicy: redirect-to-https
TargetOriginId: AppBucket
CachePolicyId: !Ref DefaultCachePolicy
DistributionOAC:
Type: AWS::CloudFront::OriginAccessControl
Properties:
OriginAccessControlConfig:
Name: ExampleOAC
OriginAccessControlOriginType: s3
SigningBehavior: always
SigningProtocol: sigv4
AppBucket:
Type: 'AWS::S3::Bucket'
Properties:
BucketName: 'test-spa-stack-bucket-app'
PublicAccessBlockConfiguration:
BlockPublicAcls : false
BlockPublicPolicy : false
IgnorePublicAcls : false
RestrictPublicBuckets : false
DefaultCachePolicy:
Type: AWS::CloudFront::CachePolicy
Properties:
CachePolicyConfig:
Name: test-cache-policy
DefaultTTL: 10
MaxTTL: 10
MinTTL: 1
ParametersInCacheKeyAndForwardedToOrigin:
CookiesConfig:
CookieBehavior: none
EnableAcceptEncodingBrotli: true
EnableAcceptEncodingGzip: true
HeadersConfig:
HeaderBehavior: none
QueryStringsConfig:
QueryStringBehavior: none
如果不使用遗留 OAI(无缘无故),您就不会有太多运气。
因此,在 Cloudfront 中创建 OAI 后,您可以将此策略用于目标 S3 存储桶:
{
"Version": "2008-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity INSERT_OAI_NUMBER_HERE"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::BUCKET_NAME_HERE/*"
}
]
}
在你这样做之后,它应该返回预期的内容。
如果它确实对你有用并且你开始问为什么,你最好找些更好的事情去做。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.