Why are images not loading through CloudFront?


I'm using an Amazon CloudFront distribution to display images in a browser. Why aren't the images loading?

Short description

Images can be blocked because of permission or configuration issues, or because of a 403 or 404 error.

To determine whether an error message is preventing the images from loading, open your browser's developer tools. On the Network tab, locate the network calls for the image request. In the response header for the request, check for a 404 or 403 error code.

If the value of Server is set to either an Amazon Simple Storage Service (Amazon S3) or custom origin server name, then the origin is returning the error code.


CloudFront doesn't have permission to access the Amazon S3 origin

If you have an Origin Access Identity (OAI) configured in CloudFront to access images from an Amazon S3 REST API endpoint, then confirm that the bucket has a bucket policy that grants the OAI access to the content in the bucket. Without the policy, when a request is made from CloudFront, a 403: Access Denied error is returned and the image doesn't load.

To resolve this error, check your S3 bucket policy permissions.

The image doesn't exist in the S3 origin or custom origin

If the requested image file doesn't exist in the bucket or is placed in a different folder, then a 403 or 404 error is returned. The error that is returned depends on your S3 bucket permissions:

Behavior path pattern directs the request to an incorrect origin or folder

If your distribution has multiple behaviors with different path patterns, then the image might be directed to an incorrect origin or a folder where the file doesn't exist. In this case, you see a 404 error.

To resolve this error, review the behavior and path pattern for your distribution. Confirm that the request lands on the correct behavior matching the path pattern and is directed to the correct origin.

For example, in the following configuration, Behavior1 has the path pattern "test", which routes the request to the S3 origin. Behavior2, the default behavior, has the path pattern "Default (*)", which routes the traffic to the Elastic Load Balancing (ELB) origin.

Behavior1: Path pattern = test ====> S3 origin
Behavior2 (default behavior): Path pattern = Default (*) ====> ELB origin

When a request for “https://example.com/test/myimage.png” is made, the distribution matches the path with Behavior2's path pattern Default (*). The request doesn't match the Behavior1 path pattern test because there is no wildcard at the end of test. Without a wildcard, this request matches the path pattern for the default behavior and is directed to the ELB origin. Because the object doesn't exist in the ELB origin, the request will return a 404 error and the image won't load.
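The matching behavior described above can be checked with a small model of path-pattern evaluation. This is an added example, not AWS code: the function names are hypothetical, the matcher is a simplified model (ordered behaviors, first match wins, `*` and `?` wildcards, case-sensitive, optional leading slash), and `test/*` is an assumed corrected pattern.

```python
import re

def compile_path_pattern(pattern: str) -> re.Pattern:
    """Translate a CloudFront-style path pattern into an anchored regex."""
    # A leading "/" in the pattern is optional, so drop it and re-add it once.
    body = pattern[1:] if pattern.startswith("/") else pattern
    pieces = []
    for ch in body:
        if ch == "*":
            pieces.append(".*")           # * matches zero or more characters
        elif ch == "?":
            pieces.append(".")            # ? matches exactly one character
        else:
            pieces.append(re.escape(ch))  # anything else is literal and case-sensitive
    return re.compile("/" + "".join(pieces), re.DOTALL)

def resolve_origin(behaviors, default_origin, path):
    """Return the origin of the first behavior whose pattern matches the whole path."""
    for pattern, origin in behaviors:
        if compile_path_pattern(pattern).fullmatch(path):
            return origin
    return default_origin  # the default behavior (*) catches everything else

# Constructed from the example configuration on this page.
AS_CONFIGURED = [("test", "S3 origin")]
# Assumed correction: add a wildcard so that objects under /test/ match.
WITH_WILDCARD = [("test/*", "S3 origin")]
DEFAULT_ORIGIN = "ELB origin"

if __name__ == "__main__":
    configs = (("as configured", AS_CONFIGURED), ("with wildcard", WITH_WILDCARD))
    for label, behaviors in configs:
        for path in ("/test", "/test/myimage.png", "/Test/myimage.png"):
            origin = resolve_origin(behaviors, DEFAULT_ORIGIN, path)
            print(f"{label:14} {path:20} -> {origin}")
```
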

Behavior cache settings aren't configured for headers, cookies, or query strings

The origin can require a certain header, cookies, or query strings to be passed in the request to serve the requested images. In this case, when a request is made using CloudFront, the images don't load. However, if the same request is made directly to the origin, the request is successful and the origin returns the requested resources.

To troubleshoot, determine if the origin requires certain headers, cookies, or query strings in order to process the request. Then, make sure the requirements are allowed in the Behavior cache settings.

Use an origin request policy to allow the values (headers, cookies, and query strings) that are included in requests that CloudFront sends to your origin. You can also use Legacy cache settings.

Metadata for the image isn't set correctly on the origin

If metadata for Content-Type in the origin isn't set to image/png, then the image will be downloaded instead of displaying in your browser.

To resolve this issue, check the Content-Type metadata. If needed, update the value to image/png for the images in an S3 or custom origin.

CORS error causes the images to not load

If the CORS configuration in CloudFront or the origin isn't set correctly, you receive the error: "No 'Access-Control-Allow-Origin' header is present on the requested resource."

To resolve this issue, confirm that the CORS configuration is set up for both CloudFront and the origin. For more information, see How do I resolve the "No 'Access-Control-Allow-Origin' header is present on the requested resource" error from CloudFront?

AWS OFFICIAL. Updated 10 months ago