I just want to give an update. I was able to figure out the problem. It seems that the 404 failover was not taking place. In the response from the origin group it had a 403 Forbidden reply from "AmazonS3". Digging into that, I found this nugget of information:
"If a user doesn’t have s3:ListBucket permissions, then the user gets Access Denied errors for missing objects instead of 404 Not Found errors. Run the head-object AWS CLI command to check if an object exists in the bucket."
I was able to test that the 403 was from the S3 origin and not failing over by setting an additional origin group failover criteria to include a 403 response. This initially routed to my custom origin.
However, to ensure the correct reason for failing over was due to 404 and not a misconfigured permission, I added the s3:ListBucket permission, removed the 403 criteria, and the failover from S3 origin to custom origin on a 404 works correctly.
TL;DR -- Make sure CF has not only s3:GetObject permissions on the S3 origin bucket, but also s3:ListBucket permissions.
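The fix described in this answer as a worked example, added here and not code from the original post or from AWS: a Python helper that builds a CloudFront origin bucket policy with and without the s3:ListBucket grant, plus a check that ListBucket is attached to the bucket ARN rather than the object ARN (the usual way the grant silently fails to help). The OAC-style service principal and SourceArn condition are assumptions, since the post names neither; the bucket name and distribution ARN are constructed placeholders.

```python
from fnmatch import fnmatchcase

# Constructed placeholders, not values from the original post.
BUCKET = "example-origin-bucket"
DIST_ARN = "arn:aws:cloudfront::123456789012:distribution/EXAMPLEDISTID"
CF_PRINCIPAL = {"Service": "cloudfront.amazonaws.com"}  # OAC-style principal, assumed


def cloudfront_bucket_policy(bucket, distribution_arn, allow_list=True):
    """Bucket policy for a CloudFront S3 origin, with or without ListBucket.
    GetObject belongs on the object ARN (bucket/*); ListBucket is a
    bucket-level action and only takes effect on the bucket ARN itself."""
    condition = {"StringEquals": {"AWS:SourceArn": distribution_arn}}
    statements = [{
        "Sid": "AllowCloudFrontGetObject", "Effect": "Allow",
        "Principal": CF_PRINCIPAL, "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*", "Condition": condition,
    }]
    if allow_list:
        statements.append({
            "Sid": "AllowCloudFrontListBucket", "Effect": "Allow",
            "Principal": CF_PRINCIPAL, "Action": "s3:ListBucket",
            "Resource": f"arn:aws:s3:::{bucket}", "Condition": condition,
        })
    return {"Version": "2012-10-17", "Statement": statements}


def grants_list_bucket(policy, bucket):
    """True if an Allow statement grants s3:ListBucket on the bucket ARN.
    A grant attached only to bucket/* does not count: that ARN never matches
    a bucket-level action, so S3 keeps answering 403 for missing objects."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        # IAM action names are case-insensitive and may carry '*' wildcards.
        if bucket_arn in resources and any(
            fnmatchcase("s3:listbucket", a.lower()) for a in actions
        ):
            return True
    return False


def expected_status_for_missing_key(policy, bucket):
    """Status S3 returns to CloudFront for a key that does not exist: 403
    without ListBucket (so a 404-only failover never fires), 404 with it."""
    return 404 if grants_list_bucket(policy, bucket) else 403
```

Run `expected_status_for_missing_key` over the policy you actually have attached to confirm it yields 404 before relying on a 404-only origin-group failover.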