CloudFront with S3 as Origin, returns 403 "ACCESS DENIED ERROR" due to x-cache: error from cloudfront.

0

I started seeing this error since last week all of a sudden; there were no changes to S3 / CloudFront during those days. My current configuration is: CloudFront has the CachingDisabled policy, with no origin request policy or response headers policy. This is impacting a lot of our customers and there is no way to debug or stop it.

Below are the headers from cloudfront.

HTTP/2 403 
server: CloudFront
date: Mon, 25 Mar 2024 07:48:12 GMT
content-type: text/xml
content-length: 110
x-cache: Error from cloudfront
via: 1.1 d0db1065eb8a09f607de4e7482262666.cloudfront.net (CloudFront)
x-amz-cf-pop: MAA50-P1
x-amz-cf-id: pJ8lUlC6rZeNBdyR-TAh4nsjW0qapK3kzX5SVNj-Y804_cAlwbVICw==
X-Firefox-Spdy: h2
  • What is the actual response content from CloudFront? A 403 error indicates either CloudFront doesn't have permission to the S3 bucket, or the viewer hasn't presented a signed request/cookie to CloudFront where 'Restrict Viewer Access' is being used

  • This is the response from cloudfront. They have signed cookies and they were present during the request.

    <?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><Message>Access denied</Message></Error>
3 Answers
2
Accepted Answer

Based on your answer to the question in the comment:

They have signed cookies and they were present during the request.

I believe you're using CloudFront signed cookies [1]. A very common scenario for getting a 403 from CloudFront while using signed cookies is a wrong policy; this can usually be:

  1. The protocol or resource on the cookie policy is not right / does not match - e.g. you create a signed cookie with a policy to allow the resource https://domain.com/myfile.jpg, but the file being requested is https://domain.com/other-file.jpg; this will cause CloudFront to not allow the request. I would recommend checking the protocol (http vs https) and/or the resource on the policy vs the actual file being requested (myfile.jpg vs other-file.jpg, or, if using wildcards, folder/* vs other-folder/*).
  2. Expiration - The expiration set on the cookie policy has passed, so CloudFront will reject the request. Check the CloudFront-Expires= on the cookie or the DateLessThan on the policy.
  3. If other conditions are used on the cookie policy, like IpAddress or DateGreaterThan [2], these can also cause CloudFront to reject the request if the IP set on the policy is different from the one used, or if the time at which the cookie starts to be valid has not yet arrived. This is common when you make a cookie valid only 1 second after it was generated, but the request is still made within the same second the cookie was set.

[1] - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-cookies.html

[2] - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-setting-signed-cookie-custom-policy.html#private-content-custom-policy-statement-cookies-values

AWS
answered a month ago
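As an added example (not code from this thread or from AWS), the following Python builds a CloudFront custom policy, encodes it the way the CloudFront-Policy cookie value is encoded, and then locally emulates the three checks listed above (resource match, DateLessThan / DateGreaterThan, IpAddress) so you can test a captured cookie against the URL that returned 403 before going back to CloudFront. The domain, paths, IPs and timestamps are constructed for the example; the evaluator is an emulation of the documented conditions, not CloudFront's own implementation, and producing the CloudFront-Signature cookie (RSA signing with the private key of a trusted key group) is left to boto3's CloudFrontSigner or the AWS CLI.

```python
"""Build a CloudFront custom policy and locally emulate the checks that make
CloudFront answer 403 for a signed cookie: resource mismatch, DateLessThan
(expired), DateGreaterThan (not yet valid) and IpAddress.

Added example, not code from the re:Post thread or from AWS. evaluate_policy
is a local emulation of the documented conditions, not CloudFront's code; the
domain, paths and times below are made up. Signing (CloudFront-Signature)
needs the key group's RSA private key and is left to boto3 / the AWS CLI.
"""
import base64
import ipaddress
import json
import re
import time


def build_custom_policy(resource, expires_at, not_before=None, source_ip=None):
    """Return the policy dict in the shape CloudFront expects (one Statement)."""
    condition = {"DateLessThan": {"AWS:EpochTime": int(expires_at)}}
    if not_before is not None:
        condition["DateGreaterThan"] = {"AWS:EpochTime": int(not_before)}
    if source_ip is not None:
        condition["IpAddress"] = {"AWS:SourceIp": source_ip}
    return {"Statement": [{"Resource": resource, "Condition": condition}]}


def encode_policy_cookie(policy):
    """CloudFront-Policy cookie value: compact JSON, base64, then the
    CloudFront-specific substitutions (+ -> -, = -> _, / -> ~)."""
    raw = json.dumps(policy, separators=(",", ":")).encode()
    b64 = base64.b64encode(raw).decode()
    return b64.replace("+", "-").replace("=", "_").replace("/", "~")


def decode_policy_cookie(value):
    """Inverse of encode_policy_cookie; use it on a CloudFront-Policy cookie
    captured from a failing request to see what the policy actually says."""
    b64 = value.replace("-", "+").replace("_", "=").replace("~", "/")
    return json.loads(base64.b64decode(b64))


def _resource_matches(pattern, url):
    """'*' matches any run of characters and '?' exactly one; everything else
    (scheme, host, path, query) must match literally, so http vs https and
    folder/* vs other-folder/* both fail here."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, url) is not None


def evaluate_policy(policy, url, client_ip, now=None):
    """Return None if the request would be allowed, otherwise a string naming
    the first failing check (the three causes from the accepted answer)."""
    now = int(time.time()) if now is None else int(now)
    stmt = policy["Statement"][0]
    cond = stmt.get("Condition", {})
    if not _resource_matches(stmt["Resource"], url):
        return f"resource mismatch: policy allows {stmt['Resource']!r}, request is {url!r}"
    if now >= cond["DateLessThan"]["AWS:EpochTime"]:
        return "expired: DateLessThan is in the past"
    if "DateGreaterThan" in cond and now < cond["DateGreaterThan"]["AWS:EpochTime"]:
        return "not yet valid: DateGreaterThan is in the future"
    if "IpAddress" in cond:
        allowed = ipaddress.ip_network(cond["IpAddress"]["AWS:SourceIp"], strict=False)
        if ipaddress.ip_address(client_ip) not in allowed:
            return f"ip mismatch: {client_ip} not in {allowed}"
    return None


if __name__ == "__main__":
    t0 = 1_711_353_600  # constructed 'now': 2024-03-25T08:00:00Z
    policy = build_custom_policy("https://d111111abcdef8.cloudfront.net/reports/*",
                                 expires_at=t0 + 3600, not_before=t0 + 1,
                                 source_ip="203.0.113.0/24")
    cookie = encode_policy_cookie(policy)
    assert decode_policy_cookie(cookie) == policy
    base = "d111111abcdef8.cloudfront.net/reports/q1.pdf"
    checks = [  # (url, client ip, request time) -> allowed or the failing check
        ("https://" + base, "203.0.113.7", t0 + 5),
        ("http://" + base, "203.0.113.7", t0 + 5),      # wrong protocol
        ("https://" + base, "203.0.113.7", t0),         # same second as issue
        ("https://" + base, "203.0.113.7", t0 + 7200),  # past DateLessThan
        ("https://" + base, "198.51.100.9", t0 + 5),    # outside SourceIp
    ]
    for url, ip, now in checks:
        print(evaluate_policy(policy, url, ip, now) or "allowed")
```

Paste the CloudFront-Policy value from the browser's cookie store into decode_policy_cookie and run evaluate_policy with the exact URL from the 403 response and the client's public IP; the returned string tells you which of the three conditions to fix.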
0

So based on your answer to the comment by Paul_L, you are using signed URLs to CloudFront that you pass to an S3 origin.

If this is the case, then you need to check your CloudTrail and your S3 bucket logs and see why the credentials that your client used to generate the signed URL are unable to access the S3 bucket.

Refer to using private content with CloudFront: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html

AWS
EXPERT
answered a month ago
EXPERT
reviewed a month ago
0

Thank you all for the quick response; finally I was able to understand what's causing the problem. Yes, it's the cookies, but I have different signed cookies for each page, and one of the parent page's cookies was taking precedence over the child page's, so it's causing CloudFront to fail. I added a stricter path for the cookies, and now it seems fine.

Sateesh
answered a month ago
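To make the cookie-path point concrete, here is an added example (not code from this thread) that emulates the browser side with the RFC 6265 path-match rule and a small in-memory jar: a CloudFront-Policy cookie set with Path=/ by one page is also sent on every other page's requests, alongside that page's own cookie, whereas a Path scoped to the page's own prefix keeps it out. The page layout (/dashboard/ and /reports/), the domain and the cookie values are made up for the example.

```python
"""Why a signed cookie set with Path=/ by one page rides along on requests
for another page, and how a stricter Path stops that.

Added example, not code from the thread. The layout (/dashboard/, /reports/),
domain and cookie values are constructed; the behaviour emulated is the
RFC 6265 path-match rule and the 'longer paths first' ordering browsers use.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def path_matches(cookie_path, request_path):
    """RFC 6265 section 5.1.4: identical paths, or cookie path is a prefix
    that ends in '/' or is followed by '/' in the request path."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def store(jar, set_cookie_line):
    """Apply one Set-Cookie line to the jar. name+path identifies a cookie,
    so the same name at a different Path is a second cookie, not a replacement."""
    parsed = SimpleCookie()
    parsed.load(set_cookie_line)
    for name, morsel in parsed.items():
        jar[(name, morsel["path"] or "/")] = morsel.value


def cookie_header(jar, url):
    """Cookie header a browser would send for url: every stored cookie whose
    Path path-matches the request path, longer paths first (RFC 6265 5.4)."""
    req_path = urlsplit(url).path or "/"
    matched = [(path, name, value) for (name, path), value in jar.items()
               if path_matches(path, req_path)]
    matched.sort(key=lambda t: len(t[0]), reverse=True)
    return "; ".join(f"{name}={value}" for _, name, value in matched)


def demo(parent_cookie_path):
    """Visit the parent page (which sets its policy cookie at the given Path),
    then the child page /reports/ (Path=/reports/), and return the Cookie
    header sent when fetching a file under /reports/."""
    jar = {}
    store(jar, f"CloudFront-Policy=parent-policy; Path={parent_cookie_path}; Secure; HttpOnly")
    store(jar, "CloudFront-Policy=reports-policy; Path=/reports/; Secure; HttpOnly")
    return cookie_header(jar, "https://d111111abcdef8.cloudfront.net/reports/q1.pdf")


if __name__ == "__main__":
    # Parent page sets Path=/ : the request carries two CloudFront-Policy cookies
    print(demo("/"))
    # Parent page sets Path=/dashboard/ : only the /reports/ policy is sent
    print(demo("/dashboard/"))
```

The same applies to CloudFront-Signature and CloudFront-Key-Pair-Id: set all three cookies for a page with the same Path prefix that the policy's Resource covers, so a request never carries a policy for a different subtree.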
