How can I see the image with CloudFront URL? - amazon-s3

I have a bucket that has images uploaded with --acl public-read, so I can see the image when I use the s3 bucket link. However, when I use the CloudFront URL, it 307s. More strange is that my website is able to load the images, but not when I access it directly through the browser. How can I fix this? I am not even sure how to debug this.

Related

Uploaded S3 file from CloudFront can't access

It may look a little strange that I want to upload a file to an S3 bucket through CloudFront, and access it with CloudFront.
And AWS declared that CloudFront supports this putObject action according to
https://aws.amazon.com/blogs/aws/amazon-cloudfront-content-uploads-post-put-other-methods/
Now we have configured the CloudFront settings (Origin/Behavior) and S3 policy to complete this.
Only one blocking issue was found:
The file uploaded via CloudFront can't be accessed by any account or any role. Its owner is named "cf-host-credentials-global".
I have tried several ways to fix this issue, based on a quite simple solution:
CloudFront can access the S3 bucket (this S3 bucket is not publicly accessible) with OAC, which has putObject and getObject permission on it.
We can use a CloudFront URL mapping to S3 bucket origin for uploading a file.
Note: No signed CloudFront or signed S3 URL, but I also tested those cases actually.
We still always get this AccessDenied issue; most of the time the file is uploaded with the expected size and file name.
But it can't be downloaded or accessed.
I endeavored to fix this with this simple solution, but all attempts failed, as below:
Add the x-amz-acl header, according to an answer on Stack Overflow:
The file upload by CloudFront Origin Access Identity signed url can't be access by boto3 or IAM role?
I added the x-amz-acl header, but the upload failed with this error:
<?xml version="1.0" encoding="UTF-8"?>
<Error>
<Code>AccessDenied</Code>
<Message>There were headers present in the request which were not signed</Message>
<HeadersNotSigned>x-amz-acl</HeadersNotSigned>
<RequestId>NDOLGKOGSF883</RequestId>
<HostId>CD9cDmGbSuk34Gy3mK2Znfdd9klmfew0s2dsflks3</HostId>
</Error>
Even when using a pre-signed S3 URL (putting the x-amz-acl header in boto3 generate_presigned_url), it is still the same error.
It seems someone said x-amz-acl can be put into a query parameter, so I tried it in the URL (with a signed URL and an unsigned URL); it doesn't work anyway.
Pre-signed URLs and x-amz-acl
Someone said we need to add the x-amz-content-sha256 header in the client request, according to
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#private-content-origin-access-identity-signature-version-4
Adding the x-amz-content-sha256 header, it can be uploaded successfully, but it still failed with AccessDenied on the uploaded S3 object.
Adding the Content-MD5 header, it got the issue that the header is not signed, as above, and uploading failed.
Does anyone have an idea about this? How to fix this AccessDenied issue?
Thanks in advance.
It looks like the x-amz-acl header via OAC is not getting signed when the request is sent from CloudFront to the S3 bucket.
So if you insist on using OAC, there's only one way: change the "Object Ownership" to ACLs disabled in the S3 bucket permissions.
And that works for me.

How can I hide S3 and CloudFront contents?

I have an S3 bucket and CloudFront distribution to deliver assets (PDF files) to my site and CMS. I want users to be able to access the PDF, but I noticed that if I use either the S3 or CloudFront URLs that I can erase the file name (e.g., my-bucket.s3.amazonaws.com/file.pdf or cloudfront-domain-name/file.pdf) and see an XML tree of the S3 or CloudFront that displays all the content (filenames of all the PDFs, and the S3 URL in the case of the CloudFront URL).
How can I prevent somebody from doing this?
Make the bucket not open to the public; then it won't list the contents of the bucket.
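
The two settings the answers above point to (Object Ownership set to ACLs disabled, and a bucket that is not open to the public) can be checked offline from a bucket policy document and the Object Ownership value. This is an added example, not code from any of the posts: the function names, finding labels and sample policies are constructed, it inspects only the bucket policy (not ACL grants), and its CloudFront check assumes an OAC-style grant to the cloudfront.amazonaws.com service principal scoped with AWS:SourceArn.

```python
# Added example; the bucket name, account ID and distribution ID are constructed.
def as_list(value):
    return value if isinstance(value, list) else [value]

def is_anonymous(principal):
    # Principal "*" or {"AWS": "*"} means anyone on the internet.
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS", []))
    return principal == "*"

def source_arn(condition):
    # Condition keys are case-insensitive; look under every operator.
    for keys in condition.values():
        for key, value in keys.items():
            if key.lower() == "aws:sourcearn":
                return value
    return None

def audit_bucket(policy, object_ownership):
    findings = []
    if object_ownership != "BucketOwnerEnforced":
        findings.append("acls-enabled")  # uploads may not be owned by the bucket owner
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in as_list(stmt.get("Action", []))}
        principal = stmt.get("Principal")
        condition = stmt.get("Condition", {})
        if is_anonymous(principal) and not condition:
            if actions & {"s3:listbucket", "s3:*", "*"}:
                findings.append("public-listing")  # anyone can enumerate keys
            if actions & {"s3:getobject", "s3:*", "*"}:
                findings.append("public-read")
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if "cloudfront.amazonaws.com" in services and not source_arn(condition):
            findings.append("cloudfront-unscoped")  # any distribution could use the grant
    return findings

CF = {"Effect": "Allow", "Principal": {"Service": "cloudfront.amazonaws.com"},
      "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"}
WEAK = {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    CF]}
HARDENED = {"Statement": [dict(CF, Condition={"StringEquals": {
    "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID"}})]}
if __name__ == "__main__":
    print(audit_bucket(WEAK, "ObjectWriter"))
    print(audit_bucket(HARDENED, "BucketOwnerEnforced"))
```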

Attach S3 bucket to URL endpoint

How can I attach an S3 bucket to a URL on my site? I tried but could not get it to work.
For instance my URL is:
mysite.com/media
And my S3 bucket should be linked directly to the above URL?
You're going to want to use CloudFront in front of S3. This will allow you to use your domain and serve content from S3.
Check out Using CloudFront with Amazon S3 for details on how to do it.

Is it possible to enable CORS on AWS CloudFront without S3?

I'm using CloudFront CDN to simply cache my static contents in "Origin Pull" mode. The CloudFront origin is my website.
However, I've encountered a CORS problem. My browser doesn't let my web pages load my font files from CloudFront... The ironic thing about it is that those fonts were fetched and cached from my website in the first place :(
After googling this matter a bit, I noticed that all blogs/tutorials explain how to enable CORS on an S3 bucket used as the origin for CloudFront, and letting CloudFront forward the Access-Control-Allow-XXX headers from S3 to the client.
I don't need an S3 bucket and would like to keep it that way for the sake of simplicity, if possible.
Is it possible to enable CORS on CloudFront? Even a quick and dirty solution, such as setting the access control header on all responses, would be good enough.
Or what other alternatives do I have on CloudFront? If the easiest other alternative is indeed to use an S3 bucket, what are the drawbacks (modifications to do on my website, service performance, and cost)?

Cloudfront: Do the files in my origin bucket need to be publicly readable

I currently serve files on S3 that are private. I would like to serve files via Cloudfront but I keep getting an AccessDenied error. I have tried multiple combinations
With and without Cloud front key pairs
With and without AWS access keys
But nothing works. Do the files on my S3 bucket need to be publicly readable and then I just restrict access to them via Cloudfront by setting bucket policies?
Thanks
Yes. There is no inherent connection between S3 and CloudFront. From the perspective of S3, CloudFront is just another "user" trying to access the content. Therefore, the S3 bucket has to give permission to CloudFront to access the content. Keep in mind that there is no way to set permissions on the CloudFront distribution so your content will be publicly available that way.