
(aws-cloudfront): Bucket policy permissions broke CloudFront integration


After upgrading @aws-cdk/aws-cloudfront from v1.74.0 to v1.90.1, our CloudFront distribution was no longer able to access contents on the S3 bucket via OAI, getting an AccessDenied error.

After doing some research I realized that the bucket policy changed from this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E11N7NL3KG1PGX"
            },
            "Action": [
                "s3:GetObject*",
                "s3:GetBucket*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*"
            ]
        }
    ]
}

to this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E11N7NL3KG1PGX"
            },
            "Action": [
                "s3:GetObject*"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket/*"
            ]
        }
    ]
}

Accessing the CloudFront URL from the root (https://123.cloudfront.net) works fine, but the problem is when accessing a specific path like https://123.cloudfront.net/admin, which then gives an AccessDenied error.

Reproduction Steps

Upgraded @aws-cdk/aws-cloudfront to v1.90.1

What did you expect to happen?

CloudFront distribution should be able to continue to access objects in the S3 bucket.

What actually happened?

Accessing the CloudFront URL now gives an Access Denied error:

<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>YN2354KR1VQK4MM0</RequestId>
<HostId>sZTCl9TPf37VT6cR4ytu2kkd/86tZjTD9IOJx/2av/apAUxQm4KO04iXXd99dakJZre0FWLF9s0=</HostId>
</Error>

Environment

  • Framework Version: v1.90.1

This is a 🐛 Bug Report

Issue Analytics

  • State: closed
  • Created: 3 years ago
  • Comments: 9 (4 by maintainers)

Top GitHub Comments

2 reactions
ferdingler commented, Feb 26, 2021

Thanks for the quick response on this ticket @njlynch . Just in case anyone runs into this situation in the future, here is the change we have to make in our CloudFront distribution as per Nick’s suggestion:

import * as cloudFront from "@aws-cdk/aws-cloudfront";

// `this.frontendBucket` (an s3.Bucket) and `originAccess` (a cloudFront.OriginAccessIdentity)
// are defined elsewhere in the stack and were not shown in the posted snippet.
const distribution = new cloudFront.CloudFrontWebDistribution(
  this,
  "CloudFrontDistribution",
  {
    errorConfigurations: [
      {
        errorCode: 404,
        responseCode: 200,
        responsePagePath: "/index.html",
      },
      {
        // This is the new addition: the v1.90.1 bucket policy no longer grants
        // s3:ListBucket to the OAI, so S3 answers a GET for a missing key with
        // 403 AccessDenied instead of 404, and the SPA fallback must map 403 too.
        errorCode: 403,
        responseCode: 200,
        responsePagePath: "/index.html",
      },
    ],
    originConfigs: [
      {
        s3OriginSource: {
          s3BucketSource: this.frontendBucket,
          originAccessIdentity: originAccess,
        },
        // `behaviors` is required by CloudFrontWebDistribution; it was omitted from the posted snippet.
        behaviors: [{ isDefaultBehavior: true }],
      },
    ],
  }
);
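The two bucket policies in the issue and the 403 mapping in the comment above are two sides of one S3 rule: when the caller holds s3:ListBucket on the bucket, a GetObject for a key that does not exist returns 404; without it S3 returns 403 so that key existence is not disclosed. The v1.90.1 policy dropped s3:List* (and the bucket ARN from Resource), so every SPA deep link that falls through to a missing key now surfaces as 403. The following is an added example, not code from the aws-cdk project or from the issue author: a small evaluator that takes a bucket policy, decides what the OAI can do, predicts the status for a missing key, lists the error codes an index.html fallback must map, and flags Allow patterns that reach beyond the two actions an OAI needs. The policies, OAI ARN and bucket name are copied from the issue; the evaluation logic (explicit Deny wins, IAM-style wildcards, case-insensitive action names) is a simplified model of IAM, not AWS's implementation.

```typescript
// Added example, not code from the aws-cdk project or from the issue author.
// Evaluates an S3 bucket policy for a CloudFront OAI and predicts whether a GET
// for a missing key surfaces as 404 or 403, which decides whether the
// distribution's errorConfigurations also need a 403 entry.
// S3 rule relied on: s3:ListBucket on the bucket => 404 NoSuchKey for a missing
// key; without it => 403 AccessDenied (key existence is not disclosed).

type StrList = string | string[];

interface Statement {
  Effect: "Allow" | "Deny";
  Principal: "*" | { AWS: StrList };
  Action: StrList;
  Resource: StrList;
}

interface BucketPolicy {
  Version: string;
  Statement: Statement[];
}

const asList = (v: StrList): string[] => (Array.isArray(v) ? v : [v]);

// IAM wildcard pattern ("s3:List*", "arn:aws:s3:::b/*") to an anchored RegExp.
// Action names match case-insensitively, as in IAM; resource ARNs do not.
function iamPattern(pattern: string, caseInsensitive: boolean): RegExp {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${escaped}$`, caseInsensitive ? "i" : "");
}

function principalMatches(st: Statement, principalArn: string): boolean {
  const principals = st.Principal === "*" ? ["*"] : asList(st.Principal.AWS);
  return principals.some((p) => p === "*" || p === principalArn);
}

// Simplified resource-policy evaluation for one principal: an explicit Deny
// wins; otherwise any matching Allow statement grants the request.
function isAllowed(policy: BucketPolicy, principalArn: string, action: string, resource: string): boolean {
  let allowed = false;
  for (const st of policy.Statement) {
    const aMatch = asList(st.Action).some((a) => iamPattern(a, true).test(action));
    const rMatch = asList(st.Resource).some((r) => iamPattern(r, false).test(resource));
    if (!(principalMatches(st, principalArn) && aMatch && rMatch)) continue;
    if (st.Effect === "Deny") return false;
    allowed = true;
  }
  return allowed;
}

interface OaiAssessment {
  canReadObjects: boolean;       // existing keys are served at all
  canListBucket: boolean;        // decides 404 vs 403 for missing keys
  missingKeyStatus: 403 | 404;
  spaErrorCodesToMap: number[];  // errorConfigurations needed for an index.html fallback
  excessActions: string[];       // Allow patterns reaching beyond s3:GetObject / s3:ListBucket
}

function assessOaiPolicy(policy: BucketPolicy, oaiArn: string, bucket: string): OaiAssessment {
  const bucketArn = `arn:aws:s3:::${bucket}`;
  const canReadObjects = isAllowed(policy, oaiArn, "s3:GetObject", `${bucketArn}/index.html`);
  const canListBucket = isAllowed(policy, oaiArn, "s3:ListBucket", bucketArn);
  // Least-privilege check: an OAI needs exactly s3:GetObject, plus s3:ListBucket if
  // 404s are wanted. Wildcards such as "s3:GetBucket*" or "s3:List*" are flagged
  // because they also cover actions the OAI never needs.
  const needed = ["s3:getobject", "s3:listbucket"];
  const excessActions: string[] = [];
  for (const st of policy.Statement) {
    if (st.Effect !== "Allow" || !principalMatches(st, oaiArn)) continue;
    for (const a of asList(st.Action)) {
      if (!needed.includes(a.toLowerCase())) excessActions.push(a);
    }
  }
  return {
    canReadObjects,
    canListBucket,
    missingKeyStatus: canListBucket ? 404 : 403,
    spaErrorCodesToMap: canListBucket ? [404] : [403, 404],
    excessActions,
  };
}

// The two bucket policies from the issue (OAI id and bucket name as posted there).
const OAI_ARN = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E11N7NL3KG1PGX";

const POLICY_V1_74: BucketPolicy = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Principal: { AWS: OAI_ARN },
    Action: ["s3:GetObject*", "s3:GetBucket*", "s3:List*"],
    Resource: ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
  }],
};

const POLICY_V1_90: BucketPolicy = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Principal: { AWS: OAI_ARN },
    Action: ["s3:GetObject*"],
    Resource: ["arn:aws:s3:::my-bucket/*"],
  }],
};

for (const [name, policy] of [["v1.74.0", POLICY_V1_74], ["v1.90.1", POLICY_V1_90]] as const) {
  console.log(name, JSON.stringify(assessOaiPolicy(policy, OAI_ARN, "my-bucket")));
}
```

Run against the two policies, the v1.74.0 policy yields a 404 for missing keys and three excess patterns (s3:GetObject*, s3:GetBucket* and s3:List* all reach beyond what an OAI needs), while the v1.90.1 policy yields a 403 and requires both 403 and 404 in errorConfigurations, which is exactly the change in the comment above. Two caveats before copying that fix: mapping 403 to a 200 index.html also hides a genuine access denial (a broken OAI association, a bucket-policy change) behind a successful-looking page, so keep a separate check that the distribution can still fetch a known object; and the alternative of granting the OAI s3:ListBucket on the bucket ARN restores 404s but lets clients distinguish missing keys from forbidden ones, so choose deliberately rather than by habit.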
