'S3 CloudFront gives access denied error while accessing bucket files [closed]
throwing error
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>RZQ3ESJ8XBQ6CTF8</RequestId>
<HostId>ZudbCRcS6AyhCGtX6rJDQQcUILxLb/9DSmHf467GPqqmbbSKddCXxh36Y/S0/EaMBfbfO0YdqaI=</HostId>
</Error>
Want to access file of S3 itself.
amazon-web-services
amazon-s3Solution 1:[1]
What you posted there is not a bucket policy. I'm guessing that your bucket policy is actually empty.
If you want to access the file from CloudFront you have 2 options:
If you want to allow access from anywhere and not just CloudFront, you can add a bucket policy that allows GET to anyone (Principal: "*"):
{
"Version": "2012-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::<bucket name>/*"
}
]
}
Better option is to allow access only from the CloudFront, in which case you would allow GET only from the CloudFront user, by setting your bucket policy to:
{
"Version": "2012-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <put your OAI ID here>"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::<bucket name>/*"
}
]
}
To add this second policy, you can actually set this option through CloudFront by checking "Yes use OAI (bucket can restrict access to only CloudFront)" in the S3 bucket access portion of the Origin setup. When you select that, you can also select the option that CloudFront updates your bucket policy, and then you won't have to worry about what is your OAI ID, because it will be automatically populated.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Caldazar |