I have a CloudFront distribution setup that points to an S3 bucket whose purpose is to host a website. Whenever I go to a nested page: /path1/path2, the page renders fine. If I refresh the page, I get presented with:
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>89F25EB47DDA64D5</RequestId>
<HostId>Z2xAduhEswbdBqTB/cgCggm/jVG24dPZjy1GScs9ak0w95rF4I0SnDnJrUKHHQC</HostId>
</Error>
The website is hosted on a private S3 bucket that can only be accessed via an OAI, that has the following permissions:
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "PolicyForCloudFrontPrivateContent",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1XXXXXXXXX"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::frontend-bucket-XXXXXXXXXXXX/*"
},
{
"Sid": "Enforce SSL",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::frontend-bucket-XXXXXXXXXXXX",
"arn:aws:s3:::frontend-bucket-XXXXXXXXXXXX/*"
],
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
}
]
}
I've read a tonne of StackOverflow questions about people experiencing the same issue. Here's what I've tried so far (nothing worked):
Changed bucket name from <website bucket>.s3.us-west-2.amazonaws.com to <website bucket>.s3-website-us-west-2.amazonaws.com
Added custom responses for 404 & 403 error to return a 200 response, with a response page path of /index.html and 0 TTL. Instead of returning an AccessDenied XML formatted page, it returns blank pages.
I've added an invalidation to the /* paths
Again, whenever I hit the URL of nested pages path the first time it works fine. If I'm just hitting the base URL with no nested paths, I don't run into this issue at all. When I refresh that same page, that's when things break. What am I doing wrong?
This is not an issue with cloudfront or s3 as long as you have made the objects in the s3 bucket public and cloudfront is pointing right. This is a very common case when people try to host react based websites on the s3 bucket. This can be solved by multiple methods one of them are :-
While configuring your s3 bucket to be served as static website, just point the error document to index.html
Related
Hosting a static website on s3. Every page is working except for my error page. Do I need to redirect unknown links to my error page? I haven't seen anything on this.
Everything that I've seen/read says to add the error.html file to the S3 and then add it to the error document section.
My bucket is public and I have my json document added as well.
Policy i'm using-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::*************/*"
}
]
}
Error I'm getting
I tried http://karma-environmental-services.s3-website-us-east-1.amazonaws.com/test
It seems that your browser was cached.
I am new to AWS. I have a website and I would like to host my larger images on AWS. I have successfully created a bucket and can access that bucket via FTP but I do not know how to determine the URL for the contents of that bucket so I can reference the images on my website.
I have tried: https://bucketname.s3.amazonaws.com/imagename.jpg
and I have tried https://s3.amazonaws.com/bucketname/imagename.jpg
But I get errors on both.
What is the correct path?
Thank you.
Click on the bucket. Go to properties, scroll to the bottom, under 'static website hosting', click edit then enable.
Once saved, you will be provided with a 'bucket website endpoint' (i.e. a url to access your files).
Under the 'permissions' tab, you may also need to allow public access to the objects in the bucket by adding a bucket policy like this:
{
"Version": "2012-10-17",
"Id": "Policy1517754859350",
"Statement": [
{
"Sid": "AllowGetObjects",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::YOUR-BUCKET-NAME-HERE/*"
}
]
}
AWS S3 objects can be accessed at https://{bucket}.s3.amazonaws.com/{key}.
You should have seen an error message in the webpage.
But before that, make sure that the object in the bucket is public. Go to the bucket, change the object to make it public.
But best option is to create a CloudFront distribution. Otherwise accessing S3 bucket directly is costly.
In addition to the other two answers posted, which helped move me in the right direction I was able to get more insights and discovered that the easiest way to provide read-only access to bucket assets is to set an ACL that is domain specific so that only requests that come from the designated URL will have read access to the contents of the bucket:
{
"Version": "2012-10-17",
"Id": "http referer policy",
"Statement": [
{
"Sid": "Allow get requests originating from www.example.com and example.com.",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3:::bucketname/*",
"Condition": {
"StringLike": {
"aws:Referer": "https://example.com/*"
}
}
}
]
}
The URL or path to the resources is provided in the Control Panel when you add objects to the bucket and is listed as the
Object URL
.
I'm receiving a 403 when I point my custom domain name 'example.com' to my CloudFront url 'xxx.cloudfront.net'.
If I go to the CloudFront URL directly everything works as expected, but when I try to access it through 'example.com' (which points to the same CloudFront url) I get the 403.
Am I missing some type of permissions setup in CloudFront somewhere?
Cloudfront is pulling from an S3 bucket with Static hosting enabled with the following bucket policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadForGetBucketObjects",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::exampleBucket/*"
}
]
}
The answer to this was to provide the CNAME (Alternate Domain Names (CNAMEs)) in Cloudfront. Which solved the issue.
I have an s3 bucket myBucket with two websites in it. First website is at root and the second one is in the folder abc. A CloudFront distribution has been configured on myBucket and its working successfully since an year. Here is the cloudfront access identity policy on the bucket.
{
"Version": "2008-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXX"
},
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::myBucket",
"arn:aws:s3:::myBucket/*"
]
}
]
}
Since the cloudfront identity has access to all the bucket its successfully serving the pages from the bucket folder myBucket/abc when accessed through https://myexample.com/abc/index.html but when refreshed its downloading a blank file with the name download. These two websites are linked and hence needed to keep them in the same bucket. Is there anyway how i can get rid of this download ? Also should i have to create another origin and the corresponding behavior to do this right ?
I have set up an AWS S3 bucket to host a static website with my own URL. All permissions on the bucket and the files inside are public. I confirmed this by opening the public link for the index.html page. When I type in my URL (ianpritchard.com), I get an internal server error. I put logging on the bucket, and see an access denied on my request. Does anyone have any idea why? I did set up A records in my hosted zone.
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>xxx</RequestId>
<HostId> xxxx </HostId>
</Error>
The bucket policy is here -
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": "",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::xxxx/"
}
]
}
Problem with your setup is your IP is pointing to corporate IP instead of AWS.
There is a clean setup procedure given by AWS for hosting domains,
https://docs.aws.amazon.com/AmazonS3/latest/dev/website-hosting-custom-domain-walkthrough.html
in 4 steps.
Before You Begin
Step 1: Register a Domain
Step 2: Create and Configure Buckets and Upload Data
Step 3: Add Alias Records for example.com and www.example.com
Step 4: Testing
Hope it helps.
You policy looks odd, resource should be xxx/* and principal should *:
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"publicRead",
"Effect":"Allow",
"Principal": "*",
"Action":["s3:GetObject"],
"Resource":["arn:aws:s3:::xxxx/*"]
}
]
}
See some example here
Not sure why/how you're able to get index.html, post your public link for the index.html page: