I have created an S3 and I uploaded files on the bucket successfully. Now, I am trying to make it work with CloudFront however it is giving me
IllegalLocationConstraintException
The ap-east-1 location constraint is incompatible for the region specific endpoint this request was sent to.
My S3 url is: http://my-bucket-name.s3.ap-east-1.amazonaws.com/assets/local/css/app.css (this returns me the file)
CloudFront is linked to the S3, and the url: https://id.cloudfront.net/assets/local/css/app.css (this returns me the IllegalLocationConstraintException)
In S3 bucket > Permissions >
"Block Public Access" is Off
"Bucket Policy" is auto-generated:
{
"Version": "2008-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "######"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket-name/*"
}
]
}
What am I doing wrong?
Even when you auto-select the S3 in CloudFront as related bucket, you still need to put your location manually for making it work.
Update:
My issue was because my CloudFront origin was not in us-east, and when you auto-select your bucket's origin in CloudFront, it doesn't add the location prefix to the url. So make sure you add your s3 location like so:
bucketname.s3.ap-east-1.amazonaws.com
Go to your CloudFront dashboard and click on the distribution ID
Go to 'Origins and Origin Groups' tab
select your origin and click 'edit
edit 'Origin Domain Name' to match this format bucketname.s3.regioncode.amazonaws.com
save and wait for 'deployed' state
Related
I am new to AWS. I have a website and I would like to host my larger images on AWS. I have successfully created a bucket and can access that bucket via FTP but I do not know how to determine the URL for the contents of that bucket so I can reference the images on my website.
I have tried: https://bucketname.s3.amazonaws.com/imagename.jpg
and I have tried https://s3.amazonaws.com/bucketname/imagename.jpg
But I get errors on both.
What is the correct path?
Thank you.
Click on the bucket. Go to properties, scroll to the bottom, under 'static website hosting', click edit then enable.
Once saved, you will be provided with a 'bucket website endpoint' (i.e. a url to access your files).
Under the 'permissions' tab, you may also need to allow public access to the objects in the bucket by adding a bucket policy like this:
{
"Version": "2012-10-17",
"Id": "Policy1517754859350",
"Statement": [
{
"Sid": "AllowGetObjects",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::YOUR-BUCKET-NAME-HERE/*"
}
]
}
AWS S3 objects can be accessed at https://{bucket}.s3.amazonaws.com/{key}.
You should have seen an error message in the webpage.
But before that, make sure that the object in the bucket is public. Go to the bucket, change the object to make it public.
But best option is to create a CloudFront distribution. Otherwise accessing S3 bucket directly is costly.
In addition to the other two answers posted, which helped move me in the right direction I was able to get more insights and discovered that the easiest way to provide read-only access to bucket assets is to set an ACL that is domain specific so that only requests that come from the designated URL will have read access to the contents of the bucket:
{
"Version": "2012-10-17",
"Id": "http referer policy",
"Statement": [
{
"Sid": "Allow get requests originating from www.example.com and example.com.",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3:::bucketname/*",
"Condition": {
"StringLike": {
"aws:Referer": "https://example.com/*"
}
}
}
]
}
The URL or path to the resources is provided in the Control Panel when you add objects to the bucket and is listed as the
Object URL
.
I'm trying to setup Cloudfront to give customers read access to private files in s3 using signed cookies. I'm however getting the error NoSuchBucket and strangely the cloudfront domain as the BucketName. During troubleshooting, I tried to eliminate any possible complication and have now a simple public s3 bucket called "abc" and can access a file I uploaded via http://abc.s3.eu-central-1.amazonaws.com/test.txt.
For the distribution, I also made it as simple as possible - I selected the s3 bucket, but left all other settings as default. The domain name is dxyz.cloudfront.net. The only other thing I did was to create a Origin access identity and added a bucket policy:
{
"Version": "2012-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EFG"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::abc/*"
}
]
}
EFG being the ID of the OAI.
The error is
<?xml version="1.0" encoding="UTF-8"?>
<Error>
<Code>NoSuchBucket</Code>
<Message>The specified bucket does not exist</Message>
<BucketName>dxyz.cloudfront.net</BucketName>
<RequestId>F123</RequestId>
<HostId>random_characters</HostId>
</Error>
the bucket is setup eu-central-1 - just in case that matters.
Any ideas, any hints?
thanks
I had the same problem. Following Michael's suggestion in his comment I switch to legacy caching, and left everything default so only GET/HEAD were cached. Totally resolved the issue
I have an s3 bucket myBucket with two websites in it. First website is at root and the second one is in the folder abc. A CloudFront distribution has been configured on myBucket and its working successfully since an year. Here is the cloudfront access identity policy on the bucket.
{
"Version": "2008-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXX"
},
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::myBucket",
"arn:aws:s3:::myBucket/*"
]
}
]
}
Since the cloudfront identity has access to all the bucket its successfully serving the pages from the bucket folder myBucket/abc when accessed through https://myexample.com/abc/index.html but when refreshed its downloading a blank file with the name download. These two websites are linked and hence needed to keep them in the same bucket. Is there anyway how i can get rid of this download ? Also should i have to create another origin and the corresponding behavior to do this right ?
I have set up an AWS S3 bucket to host a static website with my own URL. All permissions on the bucket and the files inside are public. I confirmed this by opening the public link for the index.html page. When I type in my URL (ianpritchard.com), I get an internal server error. I put logging on the bucket, and see an access denied on my request. Does anyone have any idea why? I did set up A records in my hosted zone.
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>xxx</RequestId>
<HostId> xxxx </HostId>
</Error>
The bucket policy is here -
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": "",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::xxxx/"
}
]
}
Problem with your setup is your IP is pointing to corporate IP instead of AWS.
There is a clean setup procedure given by AWS for hosting domains,
https://docs.aws.amazon.com/AmazonS3/latest/dev/website-hosting-custom-domain-walkthrough.html
in 4 steps.
Before You Begin
Step 1: Register a Domain
Step 2: Create and Configure Buckets and Upload Data
Step 3: Add Alias Records for example.com and www.example.com
Step 4: Testing
Hope it helps.
You policy looks odd, resource should be xxx/* and principal should *:
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"publicRead",
"Effect":"Allow",
"Principal": "*",
"Action":["s3:GetObject"],
"Resource":["arn:aws:s3:::xxxx/*"]
}
]
}
See some example here
Not sure why/how you're able to get index.html, post your public link for the index.html page:
I am using CloudFront in combination with a S3-bucket.
When I access my CloudFront-domain (d4...cloudfront.net) directly, everything works fine and I can see my website + SSL-certificate.
But when I access my website-url, I get an 403 Forbidden-message (An Error Occurred While Attempting to Retrieve a Custom Error Document).
This is the error I get:
This is the response-header:
What I tried so far:
When I created the CloudFront-distribution, I selected "Origin Access Identity: Create a new Identity" and "Update Bucket Policy"
I added a Custom Error Page, which returns StatusCode 200 and /index.html as the respone page
My S3 bucket is not public, because I only want my CloudFront to access the S3-Bucket with this policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "2",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin
Access Identity ..."
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::www.../*"
}
]
}
You will want to setup Origin Access Identity. This allows you to keep your bucket private and only allow access thru CloudFront. This is very easy to setup. I have included two links to walk you thru the steps and to help you understand everything.
enter link description here
Serving Private Content through CloudFront
This StackOverflow Q/A will help you also. Review the answer by "Michael - sqlbot".
Relationship between Origin Access Identities and CloudFront Signed Urls