4

I was using Cloud-Front to access files in my S3 bucket and update the files. I disable Cloud-Front now, however i cannot access those files directly through S3 now.

Also, when i try to set permissions on items in the bucket i receive a message that access was denied. I don't have such problem with items updated directly through S3.

How can i enable access to files in my bucket directly though s3?

Improve this question
4
  • Can you provide more information to help us assist you? eg... Are you trying to access the objects using your root credentials or an IAM user? If IAM, does the User have full S3 permissions? If you click on the object in the S3 Management Console, what appears in the Permissions tab? How are you trying to access the files (via console?). Are you using the URL displayed in the Properties panel, or are you using "Open" from the Actions menu? Commented Jan 19, 2015 at 7:56
  • 1
    I have the same problem. There is CloudFront identity which has Put and Post access to S3 and if any file is uploaded through that identity, then nobody is able to access it. Not from S3 console by the root account nor from any kind of API not using another CloudFront identity. Only and only by the same cloudFront identity. Commented Jul 13, 2015 at 13:02
  • @mohamnag did you ever find a solution to this problem? If so, could you please share it? Commented Aug 23, 2016 at 19:07
  • @WaylonFlinn I gave up on access controlling my uploads using CF and now I'm using S3 for this sake. It gives much more control and there is also an ACL option that you set which will define who can access the uploaded item. Commented Aug 24, 2016 at 9:52

3 Answers 3

Reset to default
11

I had the same problem: Files created with Origin Access Identity weren't readable by the host account (or any user accounts) and couldn't be accessed via CLI, Lambda or the Console.

Solution

My solution was to set a header on the client request that allows control of the files by the bucket owner.

x-amz-acl=bucket-owner-full-control

This shouldn't require changes to your Cloudfront distribution. All x-amz-* headers should be passed through automatically.

I complemented this solution with a bucket policy that requires this header. So, people can't hack my client and upload files that I can't manage. The following is added to the policy statement object allowing s3:PutObject by the Origin Access Identity:

"Condition": { "StringEquals": { "s3:x-amz-acl": [ "bucket-owner-full-control" ] } }

Explanation

The cause is described in Managing Access with ACLs.

For example, if a bucket owner allows other AWS accounts to upload objects, permissions to these objects can only be managed using object ACL by the AWS account that owns the object.

The only way I found to manage ACLs created by the Origin Access Identity is to set the x-amz-acl header at object creation time.

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

this effect can also be achieved using signed policies inside URL, that gives even more options and you always need a signed URL (which should be created on a secure server out of end users' reach) and nobody will be able to upload anything except you allowing them.
Today, you can use Lambda@Edge to inject his header. Of course, it was not available at the time the answer was written, so +1.
@Ali thanks. I may revisit this answer if I get a chance to try out your suggestion. Feel free to supply another answer, too!
@WaylonFlinn "Feel free to supply another answer, too!" - I did, also with a little code snippet. Thanks again for your answer, it was very helpful!
2

An alternative to Waylon Flinn's answer is to add / overwrite the x-amz-acl header in a Lambda@Edge function. Something along these lines in nodejs:

exports.handler = (event, context, callback) => { const { request } = event.Records[0].cf; const { headers } = request; headers['x-amz-acl'] = [{key: 'x-amz-acl', value: 'bucket-owner-full-control'}]; callback(null, request); };

The advantage is that you no longer need that policy Waylon writes in his answer since you always set the x-amz-acl header yourself in your own trusted environment. The downside is that Lambda@Edge comes with its own complexity, quirks, and extra costs. It is up to you to decide which approach is better for your use case.

Lambda@Edge was not available at all when Waylon wrote his answer back in 2016. It became generally available on Jul 17, 2017 (almost an year later): Lambda@Edge now Generally Available.

Improve this answer

Comments

-1

Having had the issue a couple of times. The solution is Creating a CloudFront Origin Access Identity and adding it to Your Distribution when creating CF.

Distribution->Streaming->Distribution Settings->Edit Restrict Bucket Access: Yes Origin Access Identity: Use existing (you may need to setup) Grant Read Permissions on Bucket: Yes Restrict Viewer Access (Use Signed URLs): Yes Trusted Signers: Self ... Used default for rest ...

I hope that helps

Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.