I am using CloudFront in combination with a S3-bucket.
When I access my CloudFront-domain (d4...cloudfront.net) directly, everything works fine and I can see my website + SSL-certificate.
But when I access my website-url, I get an 403 Forbidden-message (An Error Occurred While Attempting to Retrieve a Custom Error Document).
This is the error I get:
This is the response-header:
What I tried so far:
When I created the CloudFront-distribution, I selected "Origin Access Identity: Create a new Identity" and "Update Bucket Policy"
I added a Custom Error Page, which returns StatusCode 200 and /index.html as the respone page
My S3 bucket is not public, because I only want my CloudFront to access the S3-Bucket with this policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "2",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin
Access Identity ..."
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::www.../*"
}
]
}
You will want to setup Origin Access Identity. This allows you to keep your bucket private and only allow access thru CloudFront. This is very easy to setup. I have included two links to walk you thru the steps and to help you understand everything.
enter link description here
Serving Private Content through CloudFront
This StackOverflow Q/A will help you also. Review the answer by "Michael - sqlbot".
Relationship between Origin Access Identities and CloudFront Signed Urls
Related
I have a CloudFront distribution setup that points to an S3 bucket whose purpose is to host a website. Whenever I go to a nested page: /path1/path2, the page renders fine. If I refresh the page, I get presented with:
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>89F25EB47DDA64D5</RequestId>
<HostId>Z2xAduhEswbdBqTB/cgCggm/jVG24dPZjy1GScs9ak0w95rF4I0SnDnJrUKHHQC</HostId>
</Error>
The website is hosted on a private S3 bucket that can only be accessed via an OAI, that has the following permissions:
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "PolicyForCloudFrontPrivateContent",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1XXXXXXXXX"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::frontend-bucket-XXXXXXXXXXXX/*"
},
{
"Sid": "Enforce SSL",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::frontend-bucket-XXXXXXXXXXXX",
"arn:aws:s3:::frontend-bucket-XXXXXXXXXXXX/*"
],
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
}
]
}
I've read a tonne of StackOverflow questions about people experiencing the same issue. Here's what I've tried so far (nothing worked):
Changed bucket name from <website bucket>.s3.us-west-2.amazonaws.com to <website bucket>.s3-website-us-west-2.amazonaws.com
Added custom responses for 404 & 403 error to return a 200 response, with a response page path of /index.html and 0 TTL. Instead of returning an AccessDenied XML formatted page, it returns blank pages.
I've added an invalidation to the /* paths
Again, whenever I hit the URL of nested pages path the first time it works fine. If I'm just hitting the base URL with no nested paths, I don't run into this issue at all. When I refresh that same page, that's when things break. What am I doing wrong?
This is not an issue with cloudfront or s3 as long as you have made the objects in the s3 bucket public and cloudfront is pointing right. This is a very common case when people try to host react based websites on the s3 bucket. This can be solved by multiple methods one of them are :-
While configuring your s3 bucket to be served as static website, just point the error document to index.html
I'm trying to setup Cloudfront to give customers read access to private files in s3 using signed cookies. I'm however getting the error NoSuchBucket and strangely the cloudfront domain as the BucketName. During troubleshooting, I tried to eliminate any possible complication and have now a simple public s3 bucket called "abc" and can access a file I uploaded via http://abc.s3.eu-central-1.amazonaws.com/test.txt.
For the distribution, I also made it as simple as possible - I selected the s3 bucket, but left all other settings as default. The domain name is dxyz.cloudfront.net. The only other thing I did was to create a Origin access identity and added a bucket policy:
{
"Version": "2012-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EFG"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::abc/*"
}
]
}
EFG being the ID of the OAI.
The error is
<?xml version="1.0" encoding="UTF-8"?>
<Error>
<Code>NoSuchBucket</Code>
<Message>The specified bucket does not exist</Message>
<BucketName>dxyz.cloudfront.net</BucketName>
<RequestId>F123</RequestId>
<HostId>random_characters</HostId>
</Error>
the bucket is setup eu-central-1 - just in case that matters.
Any ideas, any hints?
thanks
I had the same problem. Following Michael's suggestion in his comment I switch to legacy caching, and left everything default so only GET/HEAD were cached. Totally resolved the issue
I'm receiving a 403 when I point my custom domain name 'example.com' to my CloudFront url 'xxx.cloudfront.net'.
If I go to the CloudFront URL directly everything works as expected, but when I try to access it through 'example.com' (which points to the same CloudFront url) I get the 403.
Am I missing some type of permissions setup in CloudFront somewhere?
Cloudfront is pulling from an S3 bucket with Static hosting enabled with the following bucket policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadForGetBucketObjects",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::exampleBucket/*"
}
]
}
The answer to this was to provide the CNAME (Alternate Domain Names (CNAMEs)) in Cloudfront. Which solved the issue.
I have created an S3 and I uploaded files on the bucket successfully. Now, I am trying to make it work with CloudFront however it is giving me
IllegalLocationConstraintException
The ap-east-1 location constraint is incompatible for the region specific endpoint this request was sent to.
My S3 url is: http://my-bucket-name.s3.ap-east-1.amazonaws.com/assets/local/css/app.css (this returns me the file)
CloudFront is linked to the S3, and the url: https://id.cloudfront.net/assets/local/css/app.css (this returns me the IllegalLocationConstraintException)
In S3 bucket > Permissions >
"Block Public Access" is Off
"Bucket Policy" is auto-generated:
{
"Version": "2008-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "######"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket-name/*"
}
]
}
What am I doing wrong?
Even when you auto-select the S3 in CloudFront as related bucket, you still need to put your location manually for making it work.
Update:
My issue was because my CloudFront origin was not in us-east, and when you auto-select your bucket's origin in CloudFront, it doesn't add the location prefix to the url. So make sure you add your s3 location like so:
bucketname.s3.ap-east-1.amazonaws.com
Go to your CloudFront dashboard and click on the distribution ID
Go to 'Origins and Origin Groups' tab
select your origin and click 'edit
edit 'Origin Domain Name' to match this format bucketname.s3.regioncode.amazonaws.com
save and wait for 'deployed' state
I created an S3 bucket, and set it up as a Static Website as instructed in http://docs.aws.amazon.com/AmazonS3/latest/dev/website-hosting-custom-domain-walkthrough.html
Afterwards, the basic domain is returning a AccessDenied:
http://www.mydomain.com.s3-us-west-1.amazonaws.com/
However, my index page serves just fine:
http://www.mydomain.com.s3-us-west-1.amazonaws.com/index.html
So it isn't related to the permissions of the files in the bucket (those are public now)
I get the feeling that I am missing a piece that links http://www.mydomain.com.s3-us-west-1.amazonaws.com/ to http://www.mydomain.com.s3-us-west-1.amazonaws.com/index.html, yet the docs read as though the "Static Web Hosting" property should do it all as long as you specify the index.html and error.html.
My bucket policy is standard:
{
"Version": "2012-10-17",
"Id": "PublicBucketPolicy",
"Statement": [
{
"Sid": "Stmt1482880670019",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::www.mydomain.com/*"
}
]
}
Note: I didn't do the route 53 setup, because I want to direct my websites DNS CNAME to www.mydomain.com.s3-us-west-1.amazonaws.com once I see it working.
Your endpoint is wrong: www.mydomain.com.s3-eu-west-1.amazonaws.com
It looks like you configured your bucket in eu-west-1, but you are referencing us-west-1.
However, you are not using the correct URL for S3 web site. The URL must have "s3-website-" in the name like this example:
www.mydomain.com.s3-website-eu-west-1.amazonaws.com
Start over with this document and double check each step:
Setting up a Static Website Using a Custom Domain