(cloudfront): explicit OAI for S3Origin doesn't work for cloudfront.
General Issue
The Question
When I try to associate OAI by passing the props in the `S3Origin`, it doesn’t work:

```typescript
const s3Origin = new S3Origin(Bucket, {originAccessIdentity: oai});
```

While it works when no OAI is passed, a new OAI is created for the same bucket:

```typescript
const s3Origin = new S3Origin(Bucket)
```

I create the OAI by using `cloudfront.OriginAccessIdentity`:

```typescript
const oai = new cloudfront.OriginAccessIdentity(this, 'OAI', {
  comment: "This is for OAI"
})
```
CDK CLI Version
1.126.0
Framework Version
No response
Node.js Version
No response
OS
Windows
Language
Typescript
Language Version
No response
Other information
No response
Issue Analytics
- State:
- Created 2 years ago
- Comments:5 (3 by maintainers)
Top GitHub Comments
Ah, no need, that explains it. The issue is here:

The OAI being added to the bucket policy is inside the `if (!this.originAccessIdentity)` closure, so adding a custom OAI means that that conditional returns false and the policy isn’t added to the bucket. Also note the comment in there that using `grantRead` adds overly permissive policies, so there’s an extra advantage to fixing this. I’ve submitted a pull request to fix this issue, but in the meantime explicitly granting the read like you did should fix the issue.

Thanks for taking a look at this and submitting a PR already @smguggen, it’s much appreciated 🙂

Will take a look at PR soon
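
The failure mode described in the comments above (an explicit OAI attached to the distribution with no matching bucket-policy statement) can be caught before deployment by inspecting the template produced by `cdk synth`. This is an added example, not code from the issue or from the CDK; the function names, logical IDs and sample template are assumptions constructed for illustration.

```typescript
// Added example, not CDK source: find S3 origins whose OAI lacks an s3:GetObject grant.
type Json = any;
const asList = (x: Json): Json[] => (x === undefined ? [] : Array.isArray(x) ? x : [x]);
const READ_ACTIONS = ["s3:GetObject", "s3:GetObject*", "s3:*", "*"];

// Logical IDs referenced through Ref / Fn::GetAtt anywhere under `node`.
function referencedIds(node: Json, out: string[] = []): string[] {
  if (!node || typeof node !== "object") return out;
  if (typeof node.Ref === "string") out.push(node.Ref);
  if (Array.isArray(node["Fn::GetAtt"])) out.push(String(node["Fn::GetAtt"][0]));
  Object.keys(node).forEach((k) => referencedIds(node[k], out));
  return out;
}
// Returns "<distribution>/<origin Id>" for each S3 origin whose OAI is not a principal
// of an Allow statement covering s3:GetObject in a policy on that origin's bucket.
function originsMissingOaiGrant(template: Json): string[] {
  const res: Json = template.Resources || {};
  const ofType = (t: string) => Object.keys(res).filter((id) => res[id].Type === t);
  const grants: string[] = [], missing: string[] = []; // grants hold "bucketId|oaiId"
  ofType("AWS::S3::BucketPolicy").forEach((id) => {
    const bucketId = referencedIds(res[id].Properties.Bucket)[0];
    asList(res[id].Properties.PolicyDocument.Statement).forEach((s: Json) => {
      if (s.Effect !== "Allow" || !asList(s.Action).some((a: Json) => READ_ACTIONS.indexOf(a) >= 0)) return;
      referencedIds(s.Principal).forEach((p) => grants.push(bucketId + "|" + p));
    });
  });
  ofType("AWS::CloudFront::Distribution").forEach((id) => {
    asList(res[id].Properties.DistributionConfig.Origins).forEach((o: Json) => {
      const oaiId = referencedIds((o.S3OriginConfig || {}).OriginAccessIdentity)[0];
      const key = referencedIds(o.DomainName)[0] + "|" + oaiId;
      if (oaiId && grants.indexOf(key) < 0) missing.push(id + "/" + o.Id);
    });
  });
  return missing;
}
// Constructed sample (logical IDs made up): one bucket, one explicit OAI, one distribution.
function sampleTemplate(withGrant: boolean): Json {
  const oai = { "Fn::Join": ["", ["origin-access-identity/cloudfront/", { Ref: "OAI" }]] };
  const origin = { Id: "origin1", S3OriginConfig: { OriginAccessIdentity: oai },
    DomainName: { "Fn::GetAtt": ["Bucket", "RegionalDomainName"] } };
  const stmt = { Effect: "Allow", Action: "s3:GetObject",
    Principal: { CanonicalUser: { "Fn::GetAtt": ["OAI", "S3CanonicalUserId"] } } };
  const r: Json = { Bucket: { Type: "AWS::S3::Bucket" },
    OAI: { Type: "AWS::CloudFront::CloudFrontOriginAccessIdentity" },
    Dist: { Type: "AWS::CloudFront::Distribution", Properties: { DistributionConfig: { Origins: [origin] } } } };
  if (withGrant) r.Policy = { Type: "AWS::S3::BucketPolicy",
    Properties: { Bucket: { Ref: "Bucket" }, PolicyDocument: { Statement: [stmt] } } };
  return { Resources: r };
}
```

`sampleTemplate(false)` models the reported state (OAI on the origin, no policy statement) and is flagged; `sampleTemplate(true)` models the explicit read grant and passes.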