
I am trying to build a website whose main area doesn't need authentication, but whose subdomain requires the user to log in. I am trying to achieve it by using CloudFront standing in front of two S3 buckets. I have a Lambda function I obtained online which is inserted into one of the behaviors.

As for S3, I created two buckets: one is www.xxx.com.s3.amazonaws.com and the second one is www.xxx.com.relj.s3-website-us-east-1.amazonaws.com. Static website hosting is enabled on both buckets. Public access is disabled, and the bucket policy for the main bucket is

{
  "Version": "2008-10-17",
  "Id": "PolicyForCloudFrontPrivateContent",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXXXCD2PW2IQU"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::www.xxx.com/*"
    }
  ]
}

Bucket policy for the other bucket is

{
  "Version": "2008-10-17",
  "Id": "PolicyForCloudFrontPrivateContent",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXXXCD2PW2IQU"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::www.xxx.com.relj/*"
    }
  ]
}

For my CloudFront setup, I have two origins, www.xxx.com.s3.amazonaws.com and www.xxx.com.relj.s3-website-us-east-1.amazonaws.com. I set up three behaviors: one is the default, another is /, and the last one is relj/. The last one points to www.xxx.com.relj.s3-website-us-east-1.amazonaws.com with the Lambda function attached.

When I access the main site, dXXjxu7k28es7y.cloudfront.net, I can see my website. But when I go to dXXjxu7k28es7y.cloudfront.net/relj/index.html, I see the login prompt. After I enter the correct user name and password, it gives me a 403. I even tried making everything in the relj bucket public, and I still can't access it through dXXjxu7k28es7y.cloudfront.net/relj/index.html. I am able to access it from https://s3.amazonaws.com/www.xxx.com.relj/index.html.

The response is

403, Forbidden
date: Sat, 27 Jan 2018 01:15:07 GMT
x-amz-error-code: AccessDenied
last-modified: Fri, 26 Jan 2018 22:23:50 GMT
server: AmazonS3
etag: "b5aa4b118fdf2980dd7e4d7d81db9a08"
x-amz-error-message: Access Denied
content-type: text/html
via: 1.1 bdfe34c94134f86b07ebb7714d12d095.cloudfront.net (CloudFront)
x-cache: Error from cloudfront
connection: keep-alive
content-length: 51
x-amz-cf-id: hRebSOcNA38KGcXkA2LrzXftvqxaSB7ffVqbqcrWj0_2rQua9aQAkA==

I am new to AWS, so all these policies are new to me. From what I have seen, the Lambda executed, so it's reaching the URL. I can provide more info. Thanks for reading.

  • It looks like you are trying to mix and match the S3 static web hosting feature with an Origin Access Identity, which does not work -- it's outside the design scope of S3's static web site hosting to support authenticated access. Note also that CloudFront is not returning this error. Server: Amazon S3, the x-amz-error-* and a text/html (not XML) error content indicate the 403 originates at an S3 web site endpoint. Exactly how to fix it will depend on exactly what you need to accomplish. Commented Jan 27, 2018 at 2:59
  • I would like to have two behaviors, each hitting a different S3 bucket. What is the best way to fix this? Thanks so much. Since I have one origin "www.xxx.com.s3.amazonaws.com" and the other "www.xxx.com.relj.s3-website-us-east-1.amazonaws.com", should I change the second one to "www.xxx.com.relj.s3.amazonaws.com"? Commented Jan 29, 2018 at 2:31
  • Turn on logging for your buckets and review the log a few minutes after generating the 404 error to see what S3 is logging. Commented Jan 29, 2018 at 2:34
  • I didn't get a 404.

    2018-01-29 03:01:53 MIA3-C1 602 96.246.34.205 GET dXXjxu8k28es7y.cloudfront.net /relj/index.html 403 - Mozilla/5.0%2520(Macintosh;%2520Intel%2520Mac%2520OS%2520X%252010_13_3)%2520AppleWebKit/537.36%2520(KHTML,%2520like%2520Gecko)%2520Chrome/64.0.3282.119%2520Safari/537.36 - - Error bDL3zmAaF_CIiPhIhTvqH-32ovFkyDKV7K-X7XKa39fRgoebx1Inaw== dXXjxu8k28es7y.cloudfront.net http 466 0.001 - - - Error HTTP/1.1

    The behavior Path Pattern is set as relj/*. Does it sound right? Thanks. Commented Jan 29, 2018 at 3:17
  • Sorry, typo, I intended to say 403. This is a CloudFront log. You want to look at the S3 log. Note that the URL requested by the browser is what will be sent to the bucket, regardless of path pattern, which is only used for routing -- it doesn't modify the request. Is the object key relj/index.html or just index.html? Commented Jan 29, 2018 at 3:40

1 Answer


Replying to this old post for those that follow:

In my case I had two S3 origins, one of which I configured with a default behaviour of qa/*.

The problem I encountered was that the full path gets forwarded to the bucket by default, e.g. requesting myurl.com/qa/xxx.html was forwarding a request for qa/xxx.html to my qa origin, where I was only expecting xxx.html to be forwarded.

I moved my files into a qa folder on the second origin bucket as a quick fix.


2 Comments

Thanks, this confused me for a few hours; more details here: stackoverflow.com/a/31574851/5560171
Thanks @jdnz, interesting link. kr
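The two facts that settle this thread, that a CloudFront path pattern only selects a behavior and never strips the matched prefix from the forwarded request, and that an Origin Access Identity is only honoured by an S3 REST endpoint, not by a static-website endpoint, can be checked offline before touching a distribution. The following is an added example, not code from the question, the answer or AWS: it models the routing rules in plain Python, with `BEHAVIORS`, `BUCKET_KEYS`, `simulate` and the other names being hypothetical, and the behavior list and bucket listings constructed to mirror the question's setup. `FIXED_BEHAVIORS` and `FIXED_BUCKET_KEYS` encode the two corrections the comments and answer suggest (a REST origin, and objects stored under the `relj/` prefix that CloudFront actually forwards).

```python
"""Offline model of CloudFront behavior routing for an S3-backed distribution.

Added example, not AWS's or the asker's code. The names and data below are
hypothetical and constructed to mirror the question.
"""
import re
from fnmatch import fnmatchcase

# Constructed to mirror the question: (path pattern, origin domain).
# CloudFront evaluates behaviors in this order; the default (*) is always last.
BEHAVIORS = [
    ("relj/*", "www.xxx.com.relj.s3-website-us-east-1.amazonaws.com"),
    ("/", "www.xxx.com.s3.amazonaws.com"),
    ("*", "www.xxx.com.s3.amazonaws.com"),
]

# Constructed bucket listings: the relj bucket holds index.html at its root,
# which is where the asker uploaded it.
BUCKET_KEYS = {
    "www.xxx.com": {"index.html", "about.html"},
    "www.xxx.com.relj": {"index.html"},
}

# Corrected setup from the thread's advice: a REST endpoint so the OAI applies,
# and the object stored under the relj/ prefix that CloudFront forwards.
FIXED_BEHAVIORS = [
    ("relj/*", "www.xxx.com.relj.s3.amazonaws.com"),
    ("*", "www.xxx.com.s3.amazonaws.com"),
]
FIXED_BUCKET_KEYS = {
    "www.xxx.com": {"index.html"},
    "www.xxx.com.relj": {"relj/index.html"},
}

# Website endpoints are tested first: the looser REST pattern would otherwise
# also accept "bucket.s3-website-us-east-1.amazonaws.com".
WEBSITE_RE = re.compile(r"^(?P<bucket>[^/]+?)\.s3-website[.-][a-z0-9-]+\.amazonaws\.com$")
REST_RE = re.compile(r"^(?P<bucket>[^/]+?)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")


def classify_origin(domain):
    """Return (bucket name, 'website' | 'rest'), or None for a non-S3 origin."""
    m = WEBSITE_RE.match(domain)
    if m:
        return m.group("bucket"), "website"
    m = REST_RE.match(domain)
    if m:
        return m.group("bucket"), "rest"
    return None


def match_behavior(path, behaviors=BEHAVIORS):
    """First behavior whose pattern matches; a leading '/' on a pattern is optional."""
    request = path.lstrip("/")
    for pattern, origin in behaviors:
        if fnmatchcase(request, pattern.lstrip("/")):
            return pattern, origin
    raise ValueError("no behavior matched; a distribution always needs a default (*)")


def forwarded_key(path, origin_path=""):
    """Object key the origin receives: the full request path (plus any configured
    origin path). The matched pattern is routing only and is never stripped."""
    key = path.lstrip("/")
    return f"{origin_path.strip('/')}/{key}" if origin_path else key


def simulate(path, behaviors=BEHAVIORS, buckets=BUCKET_KEYS):
    """Trace a request through the distribution and collect reasons S3 would 403."""
    pattern, origin = match_behavior(path, behaviors)
    classified = classify_origin(origin)
    if classified is None:
        raise ValueError(f"{origin} is not an S3 origin")
    bucket, kind = classified
    key = forwarded_key(path)
    findings = []
    if kind == "website":
        findings.append(
            "origin is a static-website endpoint: the OAI is not presented, so a "
            "bucket that only allows the OAI sees an anonymous request and returns 403"
        )
    if key not in buckets.get(bucket, set()):
        findings.append(
            f"key {key!r} does not exist in {bucket!r}; a caller without "
            "s3:ListBucket gets 403 AccessDenied for a missing key, not 404"
        )
    return {"pattern": pattern, "origin": origin, "bucket": bucket,
            "key": key, "ok": not findings, "findings": findings}


if __name__ == "__main__":
    for p in ("/index.html", "/relj/index.html"):
        r = simulate(p)
        print(p, "->", r["bucket"], r["key"], "OK" if r["ok"] else r["findings"])
```

Running it reproduces the thread: `/relj/index.html` is routed to the relj origin but arrives there as the key `relj/index.html`, which the bucket does not hold, and because the origin is a website endpoint the OAI grant in the bucket policy is never exercised. The second finding also explains why the asker saw a 403 rather than a 404 even after making the bucket public: S3 reports a missing key as AccessDenied whenever the caller lacks `s3:ListBucket`, which the OAI-only policy above does not grant. The S3 server access logs the comments recommend show the same key and principal that `simulate` derives.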
