rp346

Reputation: 7028

CloudFront origin-response return status: '403'

I have set up CloudFront with an S3 origin to serve images from S3. Now I am adding Lambda@Edge for image conversion, which works based on the status code (200 or 404).

But the CloudFront event for origin-response always has status: '403'.

Here is the sample response (from event.Records[0].cf)

{
    config: {
        distributionDomainName: 'xxxx.cloudfront.net',
        distributionId: 'xxxxx',
        eventType: 'origin-response',
        requestId: 'YVAViQDNbJcmgRlZFEWjxS2xF5balXwR-Kkv8PN4jXRO4hEPksOaJg=='
    },
    request: {
        clientIp: '81.403.0.141',
        headers: {
            referer: [Array],
            'x-forwarded-for': [Array],
            'user-agent': [Array],
            via: [Array],
            pragma: [Array],
            'accept-encoding': [Array],
            host: [Array],
            'cache-control': [Array]
        },
        method: 'GET',
        origin: {
            s3: [Object]
        },
        querystring: '',
        uri: '/images/product/photo/photocell_white.webp'
    },
    response: {
        headers: {
            'x-amz-request-id': [Array],
            'x-amz-id-2': [Array],
            date: [Array],
            server: [Array],
            'content-type': [Array],
            'transfer-encoding': [Array]
        },
        status: '403',
        statusDescription: 'Forbidden'
    }
} 

My S3 bucket is publicly writable (I know it's dangerous, but just to get this working).

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicAccess",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::stage.domain.com/*"
        }
    ]
}

In CloudFront

Origin Domain Name : stage.domain.com.s3.amazonaws.com
Origin Path : /assets
Origin ID : S3-stage.domain.com

What is wrong here?

Lambda Function : https://pastebin.com/raw/FNd59Tvn

Upvotes: 0

Views: 1018

Answers (1)

dCrux

Reputation: 121

S3 returns 403 by design. S3 returns 403 when the accessing user does not have permission for s3:ListBucket.

You can find out more here

You need to add this statement to your policy:

{
    "Sid": "PublicListAccess",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::stage.domain.com"
}

WARNING

Make sure you understand the consequence of giving the public the ability to list all objects in your s3 bucket.

Upvotes: 3
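The question's handler branches on 200 versus 404, and the answer explains why S3 sends 403 instead of 404 when the requester lacks s3:ListBucket. An alternative to granting the public a list permission is to have the origin-response function treat a 403 from the S3 origin the same way as a 404. The following is an added example written for this page; it is not the question's pastebin function and not AWS-provided code. The `fakeConvert` stub stands in for a real image converter, and the sample events in the test are constructed.

```javascript
'use strict';

// Added example, not the question's pastebin function. A Lambda@Edge
// origin-response handler that treats a 403 from the S3 origin like a 404,
// so the bucket policy does not need the public s3:ListBucket grant from the
// answer. S3 answers 403 for a missing key when the requester lacks
// s3:ListBucket and 404 when it has it; both mean "no object here".
const MISSING_OBJECT_STATUSES = new Set(['403', '404']);

// Hypothetical converter: given the requested URI, return the converted image
// as a Buffer plus its content type, or null when there is no source image.
// Constructed stand-in so the example runs offline; a real one would fetch the
// source object from the bucket and resize/transcode it.
function fakeConvert(uri) {
  if (uri.endsWith('.webp')) {
    return { body: Buffer.from('RIFF....WEBP'), contentType: 'image/webp' };
  }
  return null;
}

// Build a generated response in the shape Lambda@Edge expects: string status,
// header map of {key, value} arrays, base64 body.
function generatedResponse(status, statusDescription, contentType, body) {
  return {
    status: String(status),
    statusDescription,
    headers: {
      'content-type': [{ key: 'Content-Type', value: contentType }],
      'cache-control': [{ key: 'Cache-Control', value: 'max-age=300' }],
    },
    bodyEncoding: 'base64',
    body: body.toString('base64'),
  };
}

// Core decision logic, kept synchronous so it can be tested directly.
// `cf` is event.Records[0].cf from an origin-response trigger.
function respond(cf, convert) {
  const { request, response } = cf;
  const status = String(response.status);

  // Origin had the object: let it through untouched.
  if (status === '200') return response;

  // 403/404 from S3: try to produce the image on the fly.
  if (MISSING_OBJECT_STATUSES.has(status)) {
    const converted = convert(request.uri);
    if (converted) {
      return generatedResponse(200, 'OK', converted.contentType, converted.body);
    }
    // Nothing to convert: normalise to a plain 404. This also replaces S3's
    // AccessDenied XML body, which would otherwise be forwarded to the client.
    return generatedResponse(404, 'Not Found', 'text/plain', Buffer.from('Not Found'));
  }

  // Anything else (5xx, 3xx, ...) is passed through unchanged.
  return response;
}

// Lambda@Edge entry point.
async function handler(event) {
  return respond(event.Records[0].cf, fakeConvert);
}

if (typeof exports !== 'undefined') exports.handler = handler;
```

Treating 403 as "not found" only makes sense for an origin whose 403s you know come from the missing-ListBucket case; on a bucket where some existing objects are private, the same 403 would be a genuine access denial and the converter would silently paper over it, so the converter's own read access to the source objects should be verified separately rather than inferred from the origin status.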
