2
votes

I have set up the following information:

  1. Created an AWS S3 bucket and uploaded some images into a particular folder
  2. Created an AWS CloudFront web distribution:
    • Origin Domain Name: Selected S3 bucket from the list
    • Restrict Bucket Access: Yes
    • Origin Access Identity: Selected existed Identity
    • Grant Read Permissions on Bucket: Yes, Update Bucket Policy


AccessDenied Access denied

I have got the signed URL from the above process like

image.png?policy=xxxxx@signature=xxx@Key-Pair-Id=XXXXXXX

but I couldn't access the URL

Sample JSON for cloud front policy

{
    "Statement": [{
        "Resource": "XXXXXXXXXX.cloudfront.net/standard/f7cecd92-5314-4263-9147-7cca3041e69d.png",
        "Condition": {
            "DateLessThan": {
                "AWS:EpochTime": 1555021200
            },
            "IpAddress": {
                "AWS:SourceIp": "0.0.0.0/0"
            },
            "DateGreaterThan": {
                "AWS:EpochTime": 1554848400
            }
        }
    }]
}

Added CloudFront bucket policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXXX"
            },
            "Action": [
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::bucket_name/*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXXX"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::bucket_name"
        }
    ]
}
1
Have you checked if the private key file is properly converted in order to create the signed policy URL? – r123

Please show the complete error. – cementblocks

@r123 will check – dwayneJohn

That error looks like it might be coming from S3. Check your S3 bucket policy to make sure there aren't any explicit denies, that the OAI policy was applied, and optionally add listBucket on the bucket ARN, e.g. arn:aws:s3:::bucket_name. If you only have getObject permission for a bucket and try to fetch an object that doesn't exist you will get a 403, but you will get a 404 if you have listBucket permissions. – cementblocks

@cementblocks The bucket policy has permission to access ListBucket, GetObject and PutObject – dwayneJohn

1 Answer

1
votes

It looks like the AccessDenied error you're seeing has nothing to do with the steps you have mentioned; the Origin Access Identity is to allow CloudFront to access S3 using a special user with SigV4. Using the above steps, you'll see an allow statement added to the bucket policy.

If it's an error from S3, you'll see something like two IDs, a host ID and a request ID, along with the Access Denied message.

image.png?policy=xxxxx@signature=xxx@Key-Pair-Id=XXXXXXX

If you're seeing Access denied, the error is with the CloudFront signed URL (restricted viewer access).

To see what's wrong with the generated CloudFront signed URL, try to base64-decode the policy value and check whether the Resource URL, expiry, etc. are correct.
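As an added example (not code from the question or the answer), the following Python builds a custom policy in the same shape as the question's JSON, encodes it the way the CloudFront Policy query parameter expects (standard base64 with + replaced by -, = by _ and / by ~), and decodes it back so the Resource pattern, time window and source-IP condition can be checked against the URL that is actually being requested, which is the check the answer recommends. The distribution domain, object key, client IP and the "now" timestamp are constructed placeholders; the epoch times are the ones from the question's policy.

```python
import base64
import fnmatch
import ipaddress
import json

# CloudFront swaps the three base64 characters that are not safe in a URL
# query string: '+' -> '-', '=' -> '_', '/' -> '~'.
_TO_CLOUDFRONT = str.maketrans({"+": "-", "=": "_", "/": "~"})
_FROM_CLOUDFRONT = str.maketrans({"-": "+", "_": "=", "~": "/"})


def encode_cloudfront_policy(policy: dict) -> str:
    """Serialize a custom policy into the form used for the Policy query parameter."""
    raw = json.dumps(policy, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(raw).decode("ascii").translate(_TO_CLOUDFRONT)


def decode_cloudfront_policy(policy_param: str) -> dict:
    """Undo the CloudFront character substitution and the base64 to get the JSON back."""
    raw = base64.b64decode(policy_param.translate(_FROM_CLOUDFRONT))
    return json.loads(raw.decode("utf-8"))


def check_policy(policy: dict, requested_url: str, client_ip: str, now: int) -> list:
    """Compare a decoded custom policy with the request it is supposed to authorize.

    Returns a list of human-readable problems; an empty list means the Resource
    pattern, the time window and the IP condition all fit the request.
    """
    problems = []
    statements = policy.get("Statement", [])
    if len(statements) != 1:
        return [f"expected exactly one Statement, found {len(statements)}"]
    stmt = statements[0]
    cond = stmt.get("Condition", {})

    # CloudFront compares Resource with the URL of the request; '*' and '?' are
    # wildcards. fnmatch uses the same two (plus '[...]', which URLs rarely contain).
    resource = stmt.get("Resource", "")
    if not fnmatch.fnmatchcase(requested_url, resource):
        problems.append(f"Resource {resource!r} does not match requested URL {requested_url!r}")

    expires = cond.get("DateLessThan", {}).get("AWS:EpochTime")
    if expires is None:
        problems.append("DateLessThan/AWS:EpochTime is missing (required in a custom policy)")
    elif now >= expires:
        problems.append(f"policy expired at epoch {expires}, now is {now}")

    not_before = cond.get("DateGreaterThan", {}).get("AWS:EpochTime")
    if not_before is not None and now <= not_before:
        problems.append(f"policy is not valid until epoch {not_before}, now is {now}")

    cidr = cond.get("IpAddress", {}).get("AWS:SourceIp")
    if cidr is not None:
        # strict=False lets a host address with a prefix length be used as a network.
        if ipaddress.ip_address(client_ip) not in ipaddress.ip_network(cidr, strict=False):
            problems.append(f"client IP {client_ip} is outside {cidr}")

    return problems


def diagnose_policy_param(policy_param: str, requested_url: str, client_ip: str, now: int) -> list:
    """Decode the Policy query parameter and check it against the request."""
    return check_policy(decode_cloudfront_policy(policy_param), requested_url, client_ip, now)


# Constructed sample in the same shape as the question's policy; the domain,
# object key and client IP are placeholders, not values from a real distribution.
SAMPLE_URL = "https://d111111abcdef8.cloudfront.net/standard/f7cecd92-5314-4263-9147-7cca3041e69d.png"
SAMPLE_POLICY = {
    "Statement": [{
        "Resource": SAMPLE_URL,
        "Condition": {
            "DateLessThan": {"AWS:EpochTime": 1555021200},
            "IpAddress": {"AWS:SourceIp": "0.0.0.0/0"},
            "DateGreaterThan": {"AWS:EpochTime": 1554848400},
        },
    }]
}

if __name__ == "__main__":
    param = encode_cloudfront_policy(SAMPLE_POLICY)
    print("Policy parameter:", param)
    print("Decoded:", json.dumps(decode_cloudfront_policy(param), indent=2))
    print("Problems:", diagnose_policy_param(param, SAMPLE_URL, "203.0.113.10", 1554900000))
```

Paste the Policy value from a failing signed URL into `diagnose_policy_param` together with the exact URL the browser requested: a Resource that lacks the scheme or host the request uses, an expiry that has already passed, or a start time still in the future each show up as a separate line, which narrows the search before the signature itself is suspected.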