[aws-cloudfront & aws-cloudfront-origins] Adding an existing bucket as an S3Origin

❓ General Issue

Hello, @njlynch. I’ve been trying to use the new cloudformation.Distribution L2 constructor. I’m trying to replicate what aws-solutions-constructs did with their L3 constructs while waiting for their official support/rewrite.

I’ve noticed that the new S3Origin construct in aws-cloudfront-origins creates OriginAccessIdentity under the hood for the cloudfront distro, but that OAI is not accessible (unless using hatch escape technique) to apply it to the existing (or brand new) s3 bucket through bucket policy. Should the new Distribution auto-magically try to update bucket policy and try to apply OAI to the provided s3 bucket? Is this in the works by any chance?

Or… perhaps if OAI should be exposed through S3Origin or Distribution constructs?

    import * as s3 from '@aws-cdk/aws-s3';
    import * as cloudfront from '@aws-cdk/aws-cloudfront';
    import * as origins from '@aws-cdk/aws-cloudfront-origins';

    // Inside the stack constructor: `this` is the stack, `props.env.account` the target account.
    // Both buckets are imported by name, so this stack does not manage them.
    const s3LogBucket = s3.Bucket.fromBucketName(this, "logs-bucket", `log-bucket-${props.env.account}`);
    const contentBucket = s3.Bucket.fromBucketName(this, "static-bucket", `static-content-${props.env.account}`);

    // const certificate = acm.Certificate.fromCertificateArn( … (call truncated in the original post)

    const distro = new cloudfront.Distribution(this, "cf-distro", {
      defaultBehavior: {
        // S3Origin creates the OriginAccessIdentity internally
        origin: new origins.S3Origin(contentBucket),
        allowedMethods: cloudfront.AllowedMethods.ALLOW_GET_HEAD_OPTIONS,
        viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
      },
      logBucket: s3LogBucket,
      logFilePrefix: `AWSLogs/${props.env.account}/cloudfront/`,
      defaultRootObject: "index.html",
      priceClass: cloudfront.PriceClass.PRICE_CLASS_100,
    });

Error I’m getting when trying to access the CF distro.


  • CDK CLI Version: 1.59.0 (build 1d082f4)
  • Module Version: 1.59.0 (build 1d082f4)
  • Node.js Version: v14.8.0
  • OS: OSX Mojave
  • Language (Version): TypeScript (3.8.3)

Other information

Top GitHub Comments

njlynch commented, Aug 20, 2020

Sure. I’ve opened #9859 to track the feature request. Pull requests welcome! Closing this issue out in favor of the feature request.

robertd commented, Aug 19, 2020

@njlynch Upon further experimenting… I’ve noticed that if I’m creating a new bucket from scratch, the CloudFront distribution will update bucket policies with the newly created OAI information.

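    # Synthesized bucket policy: lets the OAI's canonical user read the bucket and its objects
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: staticcontentbucket64C926A2
      PolicyDocument:
        Statement:
          - Action:
              - s3:GetObject*
              - s3:GetBucket*
              - s3:List*
            Effect: Allow
            Principal:
              CanonicalUser:
                Fn::GetAtt:
                  - cfdistroOrigin1S3OriginC04A5F28
                  - S3CanonicalUserId
            Resource:
              - Fn::GetAtt:
                  - staticcontentbucket64C926A2
                  - Arn
              - Fn::Join:
                  - ""
                  - - Fn::GetAtt:
                        - staticcontentbucket64C926A2
                        - Arn
                    - /*
        Version: "2012-10-17"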

However, if I try to use an existing bucket, no bucket policies are added.
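The difference described in the comment above can be checked on a synthesized template before deploying. This is an added example, not part of the thread and not CDK code: it flags S3 origins whose OAI is not granted by any `AWS::S3::BucketPolicy` in the same template. The sample template is constructed, the origin `Id` "origin1" is hypothetical, and the `Fn::Join` shape of `OriginAccessIdentity` is an assumption about how the origin references the OAI.

```typescript
type Json = any; // CloudFormation properties are treated as free-form JSON
interface Template { Resources: { [id: string]: { Type: string; Properties?: Json } }; }
// OAI logical ID referenced by an origin. Assumed shape (CDK-style rendering):
// S3OriginConfig.OriginAccessIdentity = {"Fn::Join": ["", ["origin-access-identity/cloudfront/", {Ref: id}]]}
function oaiRef(origin: Json): string | undefined {
  const parts: Json[] = origin?.S3OriginConfig?.OriginAccessIdentity?.["Fn::Join"]?.[1] ?? [];
  for (const p of parts) if (p && typeof p.Ref === "string") return p.Ref;
  return undefined;
}

// OAI logical IDs that a bucket policy in the template allows as
// Principal.CanonicalUser via Fn::GetAtt [id, "S3CanonicalUserId"].
function grantedOais(t: Template): string[] {
  const ids: string[] = [];
  for (const key of Object.keys(t.Resources)) {
    const r = t.Resources[key];
    if (r.Type !== "AWS::S3::BucketPolicy") continue;
    for (const s of r.Properties?.PolicyDocument?.Statement ?? []) {
      const att = s?.Principal?.CanonicalUser?.["Fn::GetAtt"];
      if (s?.Effect === "Allow" && Array.isArray(att) && att[1] === "S3CanonicalUserId") ids.push(att[0]);
    }
  }
  return ids;
}

// "<distribution>/<origin Id>" for each S3 origin whose OAI no policy grants.
function originsWithoutGrant(t: Template): string[] {
  const granted = grantedOais(t);
  const missing: string[] = [];
  for (const key of Object.keys(t.Resources)) {
    const r = t.Resources[key];
    if (r.Type !== "AWS::CloudFront::Distribution") continue;
    for (const o of r.Properties?.DistributionConfig?.Origins ?? []) {
      const id = oaiRef(o);
      if (id !== undefined && granted.indexOf(id) < 0) missing.push(`${key}/${o.Id}`);
    }
  }
  return missing;
}

// Constructed sample for the imported-bucket case: an OAI and a distribution, no bucket policy.
const OAI_ID = "cfdistroOrigin1S3OriginC04A5F28";
const importedBucketTemplate: Template = { Resources: {
  [OAI_ID]: { Type: "AWS::CloudFront::CloudFrontOriginAccessIdentity" },
  cfdistro: { Type: "AWS::CloudFront::Distribution", Properties: { DistributionConfig: { Origins: [{
    Id: "origin1", S3OriginConfig: { OriginAccessIdentity: { "Fn::Join": ["", ["origin-access-identity/cloudfront/", { Ref: OAI_ID }]] } },
  }] } } },
} };
console.log(originsWithoutGrant(importedBucketTemplate));
```

The check only answers whether any grant to the OAI exists in the template; it does not verify which bucket the policy is attached to or which actions it allows.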
