
(cloudfront): explicit OAI for S3Origin doesn't work for cloudfront.

General Issue

The Question

When I try to associate OAI by passing the props in the S3Origin, it doesn’t work:

const s3Origin = new S3Origin(Bucket, {originAccessIdentity: oai});

While it works when no OAI is passed, a new OAI is created for the same bucket:

const s3Origin = new S3Origin(Bucket)

I create the OAI by using cloudfront.OriginAccessIdentity

const oai = new cloudfront.OriginAccessIdentity(this, 'OAI',{
   comment: "This is for OAI"
})

CDK CLI Version

1.126.0

Framework Version

No response

Node.js Version

No response

OS

Windows

Language

Typescript

Language Version

No response

Other information

No response

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 5 (3 by maintainers)

Top GitHub Comments

2 reactions
smguggen commented, Dec 27, 2021

Ah, no need, that explains it. The issue is here:

 public bind(scope: Construct, options: cloudfront.OriginBindOptions): cloudfront.OriginBindConfig {
    if (!this.originAccessIdentity) {
      // Using a bucket from another stack creates a cyclic reference with
      // the bucket taking a dependency on the generated S3CanonicalUserId for the grant principal,
      // and the distribution having a dependency on the bucket's domain name.
      // Fix this by parenting the OAI in the bucket's stack when cross-stack usage is detected.
      const bucketStack = cdk.Stack.of(this.bucket);
      const bucketInDifferentStack = bucketStack !== cdk.Stack.of(scope);
      const oaiScope = bucketInDifferentStack ? bucketStack : scope;
      const oaiId = bucketInDifferentStack ? `${cdk.Names.uniqueId(scope)}S3Origin` : 'S3Origin';

      this.originAccessIdentity = new cloudfront.OriginAccessIdentity(oaiScope, oaiId, {
        comment: `Identity for ${options.originId}`,
      });

      // Used rather than `grantRead` because `grantRead` will grant overly-permissive policies.
      // Only GetObject is needed to retrieve objects for the distribution.
      // This also excludes KMS permissions; currently, OAI only supports SSE-S3 for buckets.
      // Source: https://aws.amazon.com/blogs/networking-and-content-delivery/serving-sse-kms-encrypted-content-from-s3-using-cloudfront/
      this.bucket.addToResourcePolicy(new iam.PolicyStatement({
        resources: [this.bucket.arnForObjects('*')],
        actions: ['s3:GetObject'],
        principals: [this.originAccessIdentity.grantPrincipal],
      }));
    }
    return super.bind(scope, options);
  }

The OAI being added to the bucket policy is inside the if (!this.originAccessIdentity) closure, so adding a custom OAI means that that conditional returns false and the policy isn’t added to the bucket. Also note the comment in there that using grantRead adds overly permissive policies, so there’s an extra advantage to fixing this. I’ve submitted a pull request to fix this issue, but in the meantime explicitly granting the read like you did should fix the issue.
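The comment above describes two things worth seeing side by side: why a caller-supplied OAI ends up with no bucket policy statement, and what the explicit read grant that works around it looks like. The following is an added example, not CDK's own code or the commenter's: it is a stand-in model in plain TypeScript whose local types (Bucket, OriginAccessIdentity, PolicyStatement) only mirror the shape of the CDK calls quoted in the source (addToResourcePolicy, arnForObjects, grantPrincipal) so that the logic can be run without aws-cdk-lib. The function names bindAsQuoted, bindWithExplicitGrant, oaiReadStatement and oaiCanRead are assumptions made here.

```typescript
// Added example (not CDK's code): a minimal model of the S3Origin.bind() logic quoted
// above. Local types stand in for the CDK constructs; they are not aws-cdk-lib.

interface PolicyStatement {
  resources: string[];
  actions: string[];
  principals: string[]; // principal identifiers, kept as plain strings in this model
}

class OriginAccessIdentity {
  constructor(public readonly id: string, public readonly comment: string) {}
  // In CDK this is an IPrincipal; modelled here as a canonical-user style string.
  get grantPrincipal(): string {
    return `CanonicalUser:${this.id}`;
  }
}

class Bucket {
  readonly policy: PolicyStatement[] = [];
  constructor(public readonly name: string) {}
  arnForObjects(pattern: string): string {
    return `arn:aws:s3:::${this.name}/${pattern}`;
  }
  addToResourcePolicy(statement: PolicyStatement): void {
    this.policy.push(statement);
  }
}

// The statement the CDK source attaches: only s3:GetObject on the bucket's objects,
// scoped to the OAI principal. Deliberately narrower than grantRead, as the source
// comment notes.
function oaiReadStatement(bucket: Bucket, oai: OriginAccessIdentity): PolicyStatement {
  return {
    resources: [bucket.arnForObjects('*')],
    actions: ['s3:GetObject'],
    principals: [oai.grantPrincipal],
  };
}

// Model of the quoted bind(): the policy statement is added only inside the
// "no OAI supplied" branch, which is the defect the comment describes.
function bindAsQuoted(bucket: Bucket, originId: string, oai?: OriginAccessIdentity): OriginAccessIdentity {
  if (!oai) {
    oai = new OriginAccessIdentity('S3Origin', `Identity for ${originId}`);
    bucket.addToResourcePolicy(oaiReadStatement(bucket, oai));
  }
  return oai;
}

// Workaround from the comment: when supplying your own OAI, grant the read explicitly
// with the same minimal statement rather than a broader grantRead.
function bindWithExplicitGrant(bucket: Bucket, originId: string, oai: OriginAccessIdentity): OriginAccessIdentity {
  bucket.addToResourcePolicy(oaiReadStatement(bucket, oai));
  return bindAsQuoted(bucket, originId, oai);
}

// Review check: does some statement let this OAI GetObject on the bucket's objects?
function oaiCanRead(bucket: Bucket, oai: OriginAccessIdentity): boolean {
  return bucket.policy.some(
    (s) =>
      s.principals.indexOf(oai.grantPrincipal) >= 0 &&
      s.actions.indexOf('s3:GetObject') >= 0 &&
      s.resources.indexOf(bucket.arnForObjects('*')) >= 0,
  );
}

// Review check: the full set of actions the bucket policy grants, to confirm nothing
// broader than s3:GetObject slipped in.
function grantedActions(bucket: Bucket): string[] {
  const seen: { [action: string]: true } = {};
  for (const s of bucket.policy) {
    for (const a of s.actions) {
      seen[a] = true;
    }
  }
  return Object.keys(seen).sort();
}

// Constructed sample mirroring the question: an explicit OAI passed to the origin.
const siteBucket = new Bucket('example-site-bucket');
const explicitOai = new OriginAccessIdentity('OAI', 'This is for OAI');
bindAsQuoted(siteBucket, 'origin1', explicitOai);
console.log('statements after bind with explicit OAI:', siteBucket.policy.length); // 0
bindWithExplicitGrant(siteBucket, 'origin1', explicitOai);
console.log('OAI can read after explicit grant:', oaiCanRead(siteBucket, explicitOai)); // true
```

In real CDK the explicit grant corresponds to the call in the quoted source: `bucket.addToResourcePolicy(new iam.PolicyStatement({ resources: [bucket.arnForObjects('*')], actions: ['s3:GetObject'], principals: [oai.grantPrincipal] }))`. Keeping the statement to s3:GetObject on the object ARN, rather than using grantRead, keeps the bucket policy at the permission CloudFront actually needs, which is the point of the source comment.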

1 reaction
peterwoodworth commented, Dec 27, 2021

Thanks for taking a look at this and submitting a PR already @smguggen, it’s much appreciated 🙂

Will take a look at PR soon
