This is the CloudFormation template that I've used - it creates a CloudFront Origin Access Control identity to connect to the S3 bucket:
# Bucket policy: only the CloudFront service principal may read objects, and only
# on behalf of this specific distribution (AWS:SourceArn condition).
S3BucketPolicy:
  Type: 'AWS::S3::BucketPolicy'
  Properties:
    Bucket: !Ref S3Bucket
    PolicyDocument:
      Statement:
        - Action: 's3:GetObject'
          Effect: Allow
          Resource: !Sub 'arn:aws:s3:::${S3Bucket}/*'
          Principal:
            Service: cloudfront.amazonaws.com
          Condition:
            StringEquals:
              AWS:SourceArn: !Sub arn:aws:cloudfront::${AWS::AccountId}:distribution/${CloudFrontDistribution}
# Origin Access Control: CloudFront signs every origin request with SigV4.
CloudFrontOriginAccessControl:
  Type: AWS::CloudFront::OriginAccessControl
  Properties:
    OriginAccessControlConfig:
      Description: !Sub ${AWS::StackName} Origin Access Control
      Name: !Ref AWS::StackName
      OriginAccessControlOriginType: s3
      SigningBehavior: always
      SigningProtocol: sigv4
# Distribution using the S3 regional (bucket) endpoint as origin, not the website endpoint.
CloudFrontDistribution:
  Type: 'AWS::CloudFront::Distribution'
  Properties:
    DistributionConfig:
      Comment: DistributionNameGoesHere
      DefaultRootObject: index.html
      Enabled: true
      HttpVersion: http2
      Origins:
        - DomainName: !GetAtt S3Bucket.RegionalDomainName
          Id: s3origin
          OriginPath: /static
          S3OriginConfig:
            OriginAccessIdentity: ''   # must be empty when an OAC is attached
          OriginAccessControlId: !GetAtt CloudFrontOriginAccessControl.Id
      PriceClass: 'PriceClass_All'
      DefaultCacheBehavior:
        AllowedMethods:
          - GET
          - HEAD
          - OPTIONS
        TargetOriginId: s3origin
        ViewerProtocolPolicy: redirect-to-https
        ForwardedValues:
          QueryString: false
          Cookies:
            Forward: none
Thanks for the help. It works if I change its origin type to S3 (the S3 regional endpoint) and attach an OAC to it.
But the CloudFront console is warning me to switch to the S3 website endpoint with the following message:
This S3 bucket has static web hosting enabled. If you plan to use this distribution as a website, we recommend using the S3 website endpoint rather than the bucket endpoint.
When I follow the suggestion, OAC is no longer working. Is there a way to grant access with the distribution origin configured as the suggested S3 website endpoint, or is the CloudFront console suggesting nonsense?
You don't need to enable website hosting in S3 to make this work. In my experience, if you run this template it may take a little while for things to work correctly. If you deploy it, go to CloudFront and get "access denied", and the URL has changed to an S3 URL (rather than CloudFront), then just wait.
Here is a great official troubleshooting guide that you may find helpful. It describes how to troubleshoot the most common scenarios where a user receives a 403 error from a CloudFront distribution with an S3 website endpoint as the origin.
Thanks for the guide! Very helpful, but unable to find answers there.
Thank you both for the very helpful answer.
I finally figured out that I can only grant access to S3 website endpoint by enabling public access for S3 bucket.
A better way is to use S3 origin type, attach an OAC, and disable website hosting for S3 to suppress the warning.
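The trade-off described in this thread (OAC against the bucket endpoint versus public read against the website endpoint) can be checked mechanically on the rendered bucket policy. The following Python audit is an added example, not code from the thread or from AWS: it parses a bucket-policy JSON document and classifies each `s3:GetObject` grant as `public` (principal `*`, what the website endpoint forces), `unscoped-cloudfront` (CloudFront service principal trusted without an `AWS:SourceArn` condition, so any distribution in any account could read the bucket), or `oac-ok` (scoped to a distribution ARN, as the template above produces). The bucket name, account ID and distribution ID in the sample policies are constructed placeholders.

```python
import json

# Constructed sample: what the template's S3BucketPolicy renders to after !Sub/!Ref
# substitution, with placeholder bucket, account and distribution IDs.
OAC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"StringEquals": {
            "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID"}},
    }],
})

# Constructed sample: the public-read policy the S3 website endpoint requires,
# because that endpoint is plain HTTP and cannot verify OAC signatures.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_get_object(stmt):
    """True if an Allow statement covers s3:GetObject (directly or via wildcards)."""
    if stmt.get("Effect") != "Allow":
        return False
    return any(a in ("s3:GetObject", "s3:*", "*") for a in _as_list(stmt.get("Action")))


def _source_arns(condition):
    """Collect AWS:SourceArn values from any string/ARN operator, case-insensitively
    (IAM condition keys are not case-sensitive)."""
    arns = []
    for operator, keys in condition.items():
        if operator in ("StringEquals", "StringLike", "ArnEquals", "ArnLike"):
            for key, value in keys.items():
                if key.lower() == "aws:sourcearn":
                    arns += _as_list(value)
    return arns


def audit_bucket_policy(policy_json: str) -> list:
    """Classify every GetObject grant in a bucket policy document."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if not _grants_get_object(stmt):
            continue
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append("public")
            continue
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if "cloudfront.amazonaws.com" in services:
            scoped = any(":distribution/" in arn for arn in _source_arns(stmt.get("Condition", {})))
            findings.append("oac-ok" if scoped else "unscoped-cloudfront")
    return findings


if __name__ == "__main__":
    print("OAC policy:   ", audit_bucket_policy(OAC_POLICY))
    print("public policy:", audit_bucket_policy(PUBLIC_POLICY))
```

Run it against the output of `aws s3api get-bucket-policy --query Policy --output text` to confirm that the only way objects leave the bucket is through the intended distribution; any `public` finding means the bucket is readable without CloudFront, and any `unscoped-cloudfront` finding means the `AWS:SourceArn` condition from the template was dropped.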