veilupearl

Reputation: 929

Access denied for AWS CloudFront signed URL

I have set up the following information:

  1. Created an AWS S3 bucket and uploaded some images into a particular folder
  2. Created an AWS CloudFront web distribution:
    • Origin Domain Name: Selected the S3 bucket from the list
    • Restrict Bucket Access: Yes
    • Origin Access Identity: Selected an existing identity
    • Grant Read Permissions on Bucket: Yes, Update Bucket Policy


AccessDenied Access denied

I got the signed URL from the above process, like:

image.png?policy=xxxxx@signature=xxx@Key-Pair-Id=XXXXXXX

but I couldn't access the URL.

Sample JSON for the CloudFront policy:

{
    "Statement": [{
        "Resource": "XXXXXXXXXX.cloudfront.net/standard/f7cecd92-5314-4263-9147-7cca3041e69d.png",
        "Condition": {
            "DateLessThan": {
                "AWS:EpochTime": 1555021200
            },
            "IpAddress": {
                "AWS:SourceIp": "0.0.0.0/0"
            },
            "DateGreaterThan": {
                "AWS:EpochTime": 1554848400
            }
        }
    }]
}

Added CloudFront bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXXX"
            },
            "Action": [
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::bucket_name/*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXXX"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::bucket_name"
        }
    ]
}

Upvotes: 2

Views: 2797

Answers (1)

James Dean

Reputation: 4461

It looks like the AccessDenied error you're seeing has nothing to do with the steps you have mentioned. The Origin Access Identity is there to allow CloudFront to access S3 as a special user using SigV4; with the above steps, you'll see an Allow statement added to the bucket policy.

If it's an error from S3, you'll see something like 2 IDs (a host ID and a request ID) along with the Access Denied message.

image.png?policy=xxxxx@signature=xxx@Key-Pair-Id=XXXXXXX

If you're seeing Access denied here, the error is with the CloudFront signed URL (restricted viewer access).

To see what's wrong with the generated CloudFront signed URL, try to base64-decode the policy value and check whether the Resource URL, expiry, etc. are correct.

Upvotes: 1
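A small checker for the decoding step the answer suggests, added here as an example (not code from the question, the answer, or AWS): it reverses CloudFront's URL-safe base64 substitutions (`+`→`-`, `=`→`_`, `/`→`~`), then compares the policy's Resource, date window and IP condition against the URL that was actually requested. It assumes the documented `Policy`, `Signature` and `Key-Pair-Id` query parameter names and a base URL without its own query string; the policy and URL used below are constructed, modelled on the sample in the question.

```python
import base64
import json
import time
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlsplit


def decode_cloudfront_policy(encoded):
    # Undo CloudFront's URL-safe substitutions, then plain base64-decode the JSON policy.
    standard = encoded.replace("-", "+").replace("_", "=").replace("~", "/")
    return json.loads(base64.b64decode(standard))


def encode_cloudfront_policy(policy):
    # Inverse of the above: compact JSON, base64, then CloudFront's substitutions.
    raw = base64.b64encode(json.dumps(policy, separators=(",", ":")).encode())
    return raw.decode().replace("+", "-").replace("=", "_").replace("/", "~")


def check_signed_url(url, now=None, client_ip=None):
    """Return a list of problems found in a custom-policy signed URL ([] means consistent)."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    # The three parameter names are case-sensitive and must all be present.
    problems = [f"missing query parameter {name}"
                for name in ("Policy", "Signature", "Key-Pair-Id") if name not in query]
    if "Policy" not in query:
        return problems
    statement = decode_cloudfront_policy(query["Policy"][0])["Statement"][0]
    condition = statement.get("Condition", {})
    # Resource (wildcards * and ? allowed) is matched against the full base URL:
    # scheme, host and path (assumption: the signed base URL carries no query string).
    requested = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if not fnmatchcase(requested, statement["Resource"]):
        problems.append(f"Resource {statement['Resource']!r} does not match {requested!r}")
    expires = condition.get("DateLessThan", {}).get("AWS:EpochTime")
    if expires is None:
        problems.append("DateLessThan is required in a custom policy")
    elif now >= expires:
        problems.append(f"policy expired at epoch {expires}")
    start = condition.get("DateGreaterThan", {}).get("AWS:EpochTime")
    if start is not None and now < start:
        problems.append(f"policy not valid before epoch {start}")
    cidr = condition.get("IpAddress", {}).get("AWS:SourceIp")
    if cidr and client_ip and ip_address(client_ip) not in ip_network(cidr, strict=False):
        problems.append(f"client {client_ip} is outside {cidr}")
    return problems
```

Run it against the real URL with the time and client address the failing request used; an empty list means the policy itself is consistent and the fault lies elsewhere (for example the signature or key pair).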
