2

I have set up the following information:

  1. Created an AWS S3 bucket and Uploaded some images into the particular folder
  2. Created an AWS CloudFront web distribution:
    • Origin Domain Name: Selected S3 bucket from the list
    • Restrict Bucket Access: Yes
    • Origin Access Identity: Selected existed Identity
    • Grant Read Permissions on Bucket: Yes, Update Bucket Policy

enter image description here

AccessDenied Access denied

I have got the signed URL from the above process like

image.png?policy=xxxxx@signature=xxx@Key-Pair-Id=XXXXXXX

but I couldn't access the URL

Sample JSON for cloud front policy

{ "Statement": [{ "Resource": "XXXXXXXXXX.cloudfront.net/standard/f7cecd92-5314-4263-9147-7cca3041e69d.png", "Condition": { "DateLessThan": { "AWS:EpochTime": 1555021200 }, "IpAddress": { "AWS:SourceIp": "0.0.0.0/0" }, "DateGreaterThan": { "AWS:EpochTime": 1554848400 } } }] }

Added CloudFront bucket policy

{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXXX" }, "Action": [ "s3:PutObject", "s3:GetObject" ], "Resource": "arn:aws:s3:::bucket_name/*" }, { "Sid": "", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXXX" }, "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::bucket_name" } ] }
Improve this question
10
  • Have you checked if the private key file is properly converted in order to create signed policy URL? Commented Apr 9, 2019 at 11:46
  • Please show the complete error. Commented Apr 9, 2019 at 17:38
  • @r123 will check Commented Apr 10, 2019 at 4:34
  • That error looks like it might be coming from S3. check your S3 bucket policy to make sure there aren't any explicit denies, that the OAI policy was applied, and optionally add listBucket on the bucket arn e.g. arn:aws:s3:::bucket_name. If you only have getObject permission for a bucket and try to fetch and object that doesn't exist you will get a 403, but you will get a 404 if you have listBucket permissions. Commented Apr 10, 2019 at 12:26
  • @cementblocks In bucket policy has permission to acces ListBucket, GetObject and PutObject Commented Apr 11, 2019 at 6:28

1 Answer 1

Reset to default
1

It looks like the AccessDenied error you're seeing has nothing to do with the steps you have mentioned, the Origin access identity it to allow CloudFront to access S3 using a special user using sigv4, using above steps, you'll see a allow statement added to the bucket policy.

If it's a error from S3, you'll see like 2 request ids, host and request Ids along with Access denied massage.

image.png?policy=xxxxx@signature=xxx@Key-Pair-Id=XXXXXXX If you're seeing Access denied, the error is with CloudFront signed URL (restricted viewer access).

To see whats wrong with the generated CloudFront signed URL, try to base64 decode the policy value and see the Resource URL/expires etc are correct or not.

Improve this answer
Sign up to request clarification or add additional context in comments.

8 Comments

Yes, I tried to decode the policy value the given date/time is not expired and resource URL also correct
hmm, possible to share a sample decode policy or response headers? I assume you also have the correct keypair-id (CloudFront not general AWS access key)
@dwayneJohn you say the resource URL is correct, but we have no way to confirm this without seeing an example. The resource must be the full URL the browser is requesting, including the scheme and exact hostname. Also the signed URL should not contain @ as you have shown -- the delimiter is &. These details are not trivial.
How to store the private key from the CloudFront parameter store?
You need to download the private key locally to use it in the code, btw, the resource url you mentioned and the url you're accessing doesn't match or it just an example ? Since you're accessing custom policy with CloudFront , try using wildcard to aviod typos.
|

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.