(aws-cloudfront): Using Distribution construct OAI is not associated from S3Origin
What is the problem?
Trying to implement a CloudFront distribution to access a private website bucket. Using the Distribution construct with S3Origin is not associating the distribution with the OAI. This makes it impossible to access the private bucket.
Reproduction Steps
Using this code:
// Imports added for context (CDK v1 packages, matching the CLI 1.128 reported below);
// the original snippet omits them. PREFIX, LANDING_PAGE_BUCKET_NAME_SUFFIX, SITE_DOMAIN
// and props.stage are defined elsewhere in the reporter's stack.
import * as cdk from '@aws-cdk/core';
import * as S3 from '@aws-cdk/aws-s3';
import * as cf from '@aws-cdk/aws-cloudfront';
import * as origins from '@aws-cdk/aws-cloudfront-origins';
import * as r53 from '@aws-cdk/aws-route53';
import * as acm from '@aws-cdk/aws-certificatemanager';

const bucket = new S3.Bucket(this, `${PREFIX}${props.stage}LandingPageBucket`, {
  bucketName: `${PREFIX}-${props.stage}-${LANDING_PAGE_BUCKET_NAME_SUFFIX}`.toLowerCase(),
  // websiteIndexDocument / websiteErrorDocument enable S3 static website hosting on the bucket
  websiteIndexDocument: "index.html",
  websiteErrorDocument: '404.html',
  autoDeleteObjects: true,
  publicReadAccess: false,
  blockPublicAccess: S3.BlockPublicAccess.BLOCK_ALL,
  removalPolicy: cdk.RemovalPolicy.DESTROY,
  enforceSSL: true,
});

const cloudfrontOAI = new cf.OriginAccessIdentity(this, `${PREFIX}LandingPageCloudfrontOAI`, {
  comment: `Cloudfront OAI for the landing page`
});
// Adds a bucket-policy statement granting the OAI read access to the objects
bucket.grantRead(cloudfrontOAI);

// Value exported from Global Stack. Ideally HostedZone.fromLookup() method should be used instead but
// cannot be used until this bug is solved: https://github.com/aws/aws-cdk/issues/4651
const rootHostedZoneId = cdk.Fn.importValue('RootHostedZoneId');
const rootHostedZone = r53.HostedZone.fromHostedZoneAttributes(this, `${PREFIX}RootHostedZone`, {
  hostedZoneId: rootHostedZoneId,
  zoneName: SITE_DOMAIN
});

const certificate = new acm.Certificate(this, `${PREFIX}LandingPageAcmCertificate`, {
  domainName: SITE_DOMAIN,
  subjectAlternativeNames: [`www.${SITE_DOMAIN}`],
  validation: acm.CertificateValidation.fromDns(rootHostedZone)
});

const distribution = new cf.Distribution(this, `${PREFIX}${props.stage}LandingPageDistribution`, {
  defaultBehavior: {
    origin: new origins.S3Origin(bucket, {
      originAccessIdentity: cloudfrontOAI
    }),
    viewerProtocolPolicy: cf.ViewerProtocolPolicy.REDIRECT_TO_HTTPS
  },
  domainNames: [SITE_DOMAIN, `www.${SITE_DOMAIN}`],
  certificate: certificate,
  enableLogging: false,
  comment: "Distribution for Vicinia's Landing page",
});
The distribution and the rest of the resources are created just fine, but the OAI is not associated with the Distribution, causing 403 Forbidden errors.
Using exactly the same code as above but replacing the Distribution construct with CloudFrontWebDistribution works just as expected:
const distribution = new cf.CloudFrontWebDistribution(this, 'Distribution', {
  originConfigs: [{
    behaviors: [{
      isDefaultBehavior: true,
      compress: true,
      // qualified with `cf.`; the original snippet used the bare, unimported `ViewerProtocolPolicy`
      viewerProtocolPolicy: cf.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
    }],
    s3OriginSource: {
      s3BucketSource: bucket,
      originAccessIdentity: cloudfrontOAI,
    },
  }],
  viewerCertificate: cf.ViewerCertificate.fromAcmCertificate(
    certificate,
    {
      aliases: [SITE_DOMAIN, `www.${SITE_DOMAIN}`],
      securityPolicy: cf.SecurityPolicyProtocol.TLS_V1_2_2021,
      sslMethod: cf.SSLMethod.SNI,
    },
  ),
  comment: "Distribution for Vicinia's Landing page",
});
What did you expect to happen?
Distribution is created with the OAI associated.
What actually happened?
Distribution is created with no OAI associated.
CDK CLI Version
1.128
Framework Version
No response
Node.js Version
v14.18.0
OS
Windows 10
Language
Typescript
Language Version
3.9.10
Other information
No response
Issue Analytics
- State:
- Created 2 years ago
- Reactions: 6
- Comments: 11 (4 by maintainers)
Top GitHub Comments
Not at all – the OAI works great for normal (non-website) bucket setups.
Redirection support and the ability to access the index document directly, basically. It abstracts from normal bucket behavior, which is convenient.
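The difference between the two setups is visible in what gets synthesized. The bucket in the report has `websiteIndexDocument` set, which makes it an S3 website-hosting bucket; for such a bucket `S3Origin` in aws-cloudfront-origins emits a custom HTTP origin on the bucket's website endpoint rather than an S3 origin carrying an OAI, and S3 website endpoints only serve publicly readable objects, so with `BLOCK_ALL` the result is the 403 described above. That is what the comment above about "normal (non-website) bucket setups" refers to. The following is an added example, not code from the issue or from the aws-cdk project: it audits a synthesized CloudFormation template (what `cdk synth` writes to `cdk.out/<stack>.template.json`) and classifies every CloudFront origin as OAI-backed S3, S3 with no OAI, or a custom origin on the S3 website endpoint. The embedded template is constructed by hand in the shape the CDK emits; the logical IDs, the `LandingPageOAI` reference and the bucket host name are made up, and website-endpoint detection is a heuristic (a literal `s3-website` host or an intrinsic that reads the bucket's `WebsiteURL` attribute).

```typescript
// Added example, not code from the CDK issue or the aws-cdk project: audit a
// synthesized CloudFormation template and report how each CloudFront origin
// reaches S3 (through an OAI, without one, or as a custom origin on the bucket's
// public website endpoint, where no OAI can apply).

type Intrinsic = string | Record<string, unknown>;

interface CfnOrigin {
  Id: string;
  DomainName: Intrinsic;
  S3OriginConfig?: { OriginAccessIdentity?: Intrinsic };
  CustomOriginConfig?: { OriginProtocolPolicy?: string };
}

export type OriginKind = "s3-oai" | "s3-public" | "website-endpoint" | "custom";

export interface OriginFinding {
  resource: string;
  originId: string;
  kind: OriginKind;
  message: string;
}

// Heuristic: a literal "<bucket>.s3-website-<region>.amazonaws.com" host, or an
// intrinsic that reads the bucket's WebsiteURL attribute (the shape the CDK
// emits for S3Origin on a bucket that has websiteIndexDocument set).
function isWebsiteEndpoint(domainName: Intrinsic): boolean {
  if (typeof domainName === "string") {
    return /\.s3-website[.-][a-z0-9-]+\.amazonaws\.com/i.test(domainName);
  }
  return JSON.stringify(domainName).indexOf('"WebsiteURL"') !== -1;
}

// An OAI is set when the value is a non-empty string or an intrinsic such as the
// Fn::Join over an OAI Ref that the CDK generates; "" means no OAI.
function hasOai(value: Intrinsic | undefined): boolean {
  if (value === undefined) return false;
  if (typeof value === "string") return value.trim().length > 0;
  return Object.keys(value).length > 0;
}

function classify(origin: CfnOrigin): { kind: OriginKind; message: string } {
  if (origin.S3OriginConfig) {
    return hasOai(origin.S3OriginConfig.OriginAccessIdentity)
      ? { kind: "s3-oai", message: "S3 origin reached through an OAI; the bucket can stay private" }
      : { kind: "s3-public", message: "S3 origin with an empty OriginAccessIdentity; objects must be publicly readable" };
  }
  if (origin.CustomOriginConfig && isWebsiteEndpoint(origin.DomainName)) {
    const proto = origin.CustomOriginConfig.OriginProtocolPolicy || "unspecified";
    return {
      kind: "website-endpoint",
      message: `custom origin on the S3 website endpoint (${proto}); an OAI cannot apply, so a private bucket answers 403`,
    };
  }
  return { kind: "custom", message: "custom origin that is not an S3 website endpoint" };
}

export function auditDistributionOrigins(template: { Resources: Record<string, any> }): OriginFinding[] {
  const findings: OriginFinding[] = [];
  for (const name of Object.keys(template.Resources)) {
    const res = template.Resources[name];
    if (res.Type !== "AWS::CloudFront::Distribution") continue;
    const origins: CfnOrigin[] = res.Properties?.DistributionConfig?.Origins ?? [];
    for (const origin of origins) {
      const c = classify(origin);
      findings.push({ resource: name, originId: origin.Id, kind: c.kind, message: c.message });
    }
  }
  return findings;
}

// Wraps one origin in a minimal AWS::CloudFront::Distribution resource.
function distribution(origin: CfnOrigin) {
  return { Type: "AWS::CloudFront::Distribution", Properties: { DistributionConfig: { Origins: [origin] } } };
}

// Constructed sample (logical IDs, OAI Ref and host name are made up): the first
// origin is what S3Origin yields for the website bucket in the issue, the second
// what it yields for a plain bucket with an OAI, the third an S3 origin with no OAI.
export const SAMPLE_TEMPLATE = {
  Resources: {
    WebsiteDist: distribution({
      Id: "websiteOrigin",
      DomainName: { "Fn::Select": [2, { "Fn::Split": ["/", { "Fn::GetAtt": ["LandingPageBucket", "WebsiteURL"] }] }] },
      CustomOriginConfig: { OriginProtocolPolicy: "http-only" },
    }),
    PrivateDist: distribution({
      Id: "privateOrigin",
      DomainName: { "Fn::GetAtt": ["LandingPageBucket", "RegionalDomainName"] },
      S3OriginConfig: {
        OriginAccessIdentity: { "Fn::Join": ["", ["origin-access-identity/cloudfront/", { Ref: "LandingPageOAI" }]] },
      },
    }),
    NoOaiDist: distribution({
      Id: "noOaiOrigin",
      DomainName: "example-bucket.s3.eu-west-1.amazonaws.com",
      S3OriginConfig: { OriginAccessIdentity: "" },
    }),
  },
};

// Origin id -> classification, handy for a quick check after `cdk synth`.
export function kindsById(template: { Resources: Record<string, any> } = SAMPLE_TEMPLATE): Record<string, OriginKind> {
  const out: Record<string, OriginKind> = {};
  for (const f of auditDistributionOrigins(template)) out[f.originId] = f.kind;
  return out;
}
```

To run it against a real stack, `JSON.parse` the template file from `cdk.out` and pass it to `auditDistributionOrigins`. A `website-endpoint` finding on a bucket that also has `BlockPublicAccess.BLOCK_ALL` is exactly the combination in the report: the OAI the stack created is never referenced by the distribution, and the website endpoint has nothing it is allowed to read.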