Hi,
Hope you are doing well!
From your post, I understand that you have configured CloudFront distribution with S3 bucket as origin to restrict viewer access and are using your NodeJS application to generate the signed URL to access the same.
Looking at the error screenshot that you have shared on the post, we can see that the response contains “RequestId” and “HostId”. This means that the HTTP 403 access denied error has been generated by your S3 bucket. Please note that both of these are S3 response headers and are only generated by S3 after it receives the request, validating that the HTTP 403 access denied error has been generated by your S3 bucket. Since the error has been generated by the S3 bucket, we can say that the CloudFront signing mechanism that you have implemented is working as expected.
Now, the snippet of S3 bucket policy that you have shared indicates that you have configured CloudFront origin access control (OAC). Hence, to troubleshoot this error, I would recommend that you check the following:
- Ensure that CloudFront OAC and its respective bucket policy are configured correctly.
- Ensure that the object is owned by the same AWS account as the bucket owning account.
- Ensure that the object that you are trying to access exists in the S3 bucket configured as the origin.
You can refer to the following documents to get more information on troubleshooting HTTP 403 error on S3:
Troubleshoot Access Denied (403 Forbidden) errors in Amazon S3 - https://docs.aws.amazon.com/AmazonS3/latest/userguide/troubleshoot-403-errors.html
Restrict access to an Amazon Simple Storage Service origin - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
Access Denied error with CloudFront and S3 - https://repost.aws/knowledge-center/s3-rest-api-cloudfront-error-403
Checking the above points and following the listed documents should help you overcome the problem that you have been facing. However, if you are still facing the access denied error, we would require additional details that are non-public information to troubleshoot this problem. Please open a support case with AWS using the following link: https://console.aws.amazon.com/support/home#/case/create
Have a great day ahead
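
The first check in the answer above can be run offline against a copy of the bucket policy. The following is an added example, not part of the original answer and not AWS code: `checkOacPolicy` is a hypothetical helper that only understands the `StringEquals` / `AWS:SourceArn` form of the OAC statement, and the bucket name, object key, account ID and distribution ID are constructed placeholders.

```javascript
const asList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// IAM-style wildcard match: '*' matches any run of characters, '?' exactly one.
function wildcardMatch(pattern, value) {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp(`^${re}$`).test(value);
}

// Returns a list of findings. An empty list means one Allow statement has the
// OAC form (service principal, s3:GetObject, matching Resource and SourceArn).
function checkOacPolicy(policy, bucket, key, distributionArn) {
  const objectArn = `arn:aws:s3:::${bucket}/${key}`;
  const findings = [];
  for (const st of asList(policy.Statement)) {
    if (st.Effect !== 'Allow') continue;
    if (!asList(st.Principal && st.Principal.Service).includes('cloudfront.amazonaws.com')) continue;
    const problems = [];
    if (!asList(st.Action).some((a) => wildcardMatch(a.toLowerCase(), 's3:getobject')))
      problems.push('Action does not include s3:GetObject');
    if (!asList(st.Resource).some((r) => wildcardMatch(r, objectArn)))
      problems.push(`Resource does not cover ${objectArn}`);
    // Condition keys are case-insensitive; the ARN value is compared exactly.
    const eq = (st.Condition && st.Condition.StringEquals) || {};
    const srcKey = Object.keys(eq).find((k) => k.toLowerCase() === 'aws:sourcearn');
    if (!srcKey) problems.push('no StringEquals condition on AWS:SourceArn');
    else if (!asList(eq[srcKey]).includes(distributionArn))
      problems.push('AWS:SourceArn does not match the distribution ARN');
    if (problems.length === 0) return [];
    findings.push(...problems);
  }
  return findings.length ? findings : ['no Allow statement for cloudfront.amazonaws.com'];
}

// Constructed sample policy with placeholder account and distribution IDs.
const DIST_ARN = 'arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID';
const samplePolicy = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Principal: { Service: 'cloudfront.amazonaws.com' },
    Action: 's3:GetObject',
    Resource: 'arn:aws:s3:::example-bucket/*',
    Condition: { StringEquals: { 'AWS:SourceArn': DIST_ARN } },
  }],
};
console.log(checkOacPolicy(samplePolicy, 'example-bucket', 'videos/a.mp4', DIST_ARN));
```

The helper does not evaluate explicit Deny statements, object ownership or whether the object exists, so the other two checks in the answer still have to be done against the bucket itself.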