Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
(@aws-cdk/aws-cloudfront-origins): S3 OAI & bucket policy are not created for CloudFront Distribution
See original GitHub issueWhen I create a Cloudfront Distribution with a new S3 bucket which is not accessible to the public, I expect to get an OAI and an S3 Bucket Policy. This is however not automatically created. Not even when I create an OAI myself and add it to the distribution.
Am I just interpreting the docs wrong?
Reproduction Steps
Stack typescript code:
const frontendBucket = new s3.Bucket(this, 'TvmFrontendBucket', {
publicReadAccess: false,
removalPolicy: cdk.RemovalPolicy.DESTROY,
websiteIndexDocument: 'index.html',
});
const cloudfrontDistribution = new cloudfront.Distribution(this, 'TvmFrontendDistribution', {
defaultBehavior: {
origin: new origins.S3Origin(frontendBucket),
viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
},
priceClass: PriceClass.PRICE_CLASS_100,
});
Cloudformation template generated:
TvmFrontendBucket18442A50:
Type: AWS::S3::Bucket
Properties:
WebsiteConfiguration:
IndexDocument: index.html
UpdateReplacePolicy: Delete
DeletionPolicy: Delete
Metadata:
aws:cdk:path: TvmFrontendStack/TvmFrontendBucket/Resource
TvmFrontendDistributionB85B3A99:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
DefaultCacheBehavior:
CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6
Compress: true
TargetOriginId: TvmFrontendStackTvmFrontendDistributionOrigin17DD10F8D
ViewerProtocolPolicy: redirect-to-https
Enabled: true
HttpVersion: http2
IPV6Enabled: true
Origins:
- CustomOriginConfig:
OriginProtocolPolicy: http-only
OriginSSLProtocols:
- TLSv1.2
DomainName:
Fn::Select:
- 2
- Fn::Split:
- /
- Fn::GetAtt:
- TvmFrontendBucket18442A50
- WebsiteURL
Id: TvmFrontendStackTvmFrontendDistributionOrigin17DD10F8D
PriceClass: PriceClass_100
Metadata:
aws:cdk:path: TvmFrontendStack/TvmFrontendDistribution/Resource
What did you expect to happen?
I expected to get a S3 bucket, with a bucket policy granting access to the OAI attached to the Distribution origin.
What actually happened?
I got an S3 bucket and a Distribution origin, but the Distribution origin is not allowed to see the contents of the bucket and when I go to the Distribution URL, I get a 403 Forbidden page.
Environment
- CDK CLI Version : 1.96.0
- Framework Version: 1.96.0
- Node.js Version: 14.15.4
- OS : Windows 10
- Language (Version): TypeScript (3.9.7)
Other
This is 🐛 Bug Report
Issue Analytics
- State:
- Created 2 years ago
- Reactions:1
- Comments:6 (1 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Hi @ebosveld ,
The
S3Originclass treats buckets differently when they are configured for website hosting. Per the docs:I guess what might not be obviously clear there is the implication of “configured to use the bucket as an HTTP server origin”. Origin access identities are only valid for S3 origins, not HTTP origins. If your bucket is configured for website hosting (i.e., has a
websiteIndexDocument) the implication is that it is intended to be directly accessible and doesn’t need specific bucket policies to be accessed.What I’d do in your situation is change your code to this:
This still means going to the root of the distribution will load
index.htmlfrom the bucket, and will treat the bucket as a bucket (rather than HTTP origin), meaning an OAI and bucket policy will be created.It would be great if the clarification above that setting websiteIndexDocument is what toggles isWebsite True/False could be added to the docs because the docs imply that isWebsite is a parameter to be set.