I have set up a CloudFront distribution.

On the S3 bucket I have set "Block all public access" to OFF.

The bucket policy looks like this:

{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E*********3"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<bucket name.....>/*"
        }
    ]
}

The CloudFront distribution origin is associated with the OAI specified in the bucket principal, as shown above. To my understanding, the bucket policy above should allow the CloudFront distribution to access the file, since the origin is specified in CloudFront and its OAI matches the one shown in the bucket policy.

I'm thinking I need to modify the policy of the files in the bucket?

My goal is to only have CloudFront be able to read the file in the bucket and lock it down otherwise.

What do I need to change to achieve that?

Comments:

Can you post your cloudfront origin config? - jellycsc

Not sure what part? What I see under General? - zumzum

1 Answer

In my case I finally figured out what I was doing wrong. In the Origin Request I was not setting the authMethod correctly. I needed to set it to origin-access-identity.

    // Lambda@Edge origin-request: point the request at the S3 origin and have
    // CloudFront sign the fetch with the distribution's OAI.
    request.origin = {
        s3: {
            domainName: s3DomainName,               // bucket's S3 endpoint, set earlier in the function
            region: region,                         // bucket's region, set earlier in the function
            authMethod: 'origin-access-identity',   // this was the missing piece
            path: '',
            customHeaders: {}
        }
    };

After I did that, I was able to get files from S3 and also set "Block all public access" back to ON.

So now the bucket is locked down and CloudFront can still get what it needs from it.
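Pulling the answer's fix together with the question's lock-down goal, as an added example that is not code from either poster: a Lambda@Edge origin-request handler that re-points the request at a private S3 origin signed with the distribution's OAI, plus a small check that a bucket policy grants read only to an OAI principal. The bucket domain, region and OAI id used here are placeholders.

```javascript
// Rewrite a CloudFront request so it goes to `bucketDomain` as an S3 origin.
// authMethod 'origin-access-identity' makes CloudFront sign the origin fetch
// with the OAI attached to that origin, so the bucket can stay fully private.
// The Host header must match the new origin domain or S3 rejects the request.
function rewriteToPrivateS3Origin(request, bucketDomain, region) {
    request.origin = {
        s3: {
            domainName: bucketDomain,
            region: region,
            authMethod: 'origin-access-identity',
            path: '',
            customHeaders: {}
        }
    };
    request.headers['host'] = [{ key: 'Host', value: bucketDomain }];
    return request;
}

// Lambda@Edge entry point for an origin-request trigger.
// Placeholder bucket endpoint and region; replace with the real values.
async function handler(event) {
    const request = event.Records[0].cf.request;
    return rewriteToPrivateS3Origin(
        request, 'example-bucket.s3.us-east-1.amazonaws.com', 'us-east-1');
}

// Returns true when every Allow statement in the bucket policy grants only
// s3:GetObject and only to CloudFront OAI principals, i.e. this policy lets
// CloudFront read objects and opens nothing else. A wildcard or IAM-user
// principal, or any extra action, makes it return false.
function policyOnlyAllowsOaiRead(policy) {
    const oaiPrefix = 'arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ';
    return (policy.Statement || []).every((s) => {
        if (s.Effect !== 'Allow') return true;      // Deny statements only tighten
        const actions = [].concat(s.Action);
        const principals = [].concat((s.Principal && s.Principal.AWS) || []);
        return actions.every((a) => a === 's3:GetObject') &&
               principals.length > 0 &&
               principals.every((p) => p.startsWith(oaiPrefix));
    });
}

if (typeof module !== 'undefined') {
    module.exports = { handler, rewriteToPrivateS3Origin, policyOnlyAllowsOaiRead };
}
```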