Cloudfront CLI error when using template to generate Response Header policy (CreateResponseHeadersPolicy)

0

Hi,

I'm using the official CloudFront-provided response YAML to generate a response headers policy and it is not working. It gives an error:

"An error occurred (InconsistentQuantities) when calling the CreateResponseHeadersPolicy operation: The specified quantity of Allow Origin (0) does not match the actual quantity supplied (1)."

I am using the CLI option here https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/creating-response-headers-policies.html and using the command

aws cloudfront create-response-headers-policy --generate-cli-skeleton yaml-input > response-headers-policy.yaml

I then edit the .yaml and try to generate (step 3), but I get an error.

*I have tried with my edited template and the stock provided template (no modifications), but it still gives that error.* Can anyone provide insight?

Here is my edited template

ResponseHeadersPolicyConfig:  # [REQUIRED] Contains metadata about the response headers policy, and a set of configurations that specify the response headers.
  Comment: 'Custom Security Headers Policy'  # A comment to describe the response headers policy.
  Name: 'BlockXFrames-SecurityHeadersPolicy' # [REQUIRED] A name to identify the response headers policy.
  CorsConfig: # A configuration for a set of HTTP response headers that are used for cross-origin resource sharing (CORS).
    AccessControlAllowOrigins:  # [REQUIRED] A list of origins (domain names) that CloudFront can use as the value for the Access-Control-Allow-Origin HTTP response header.
      Quantity: 0  # [REQUIRED] The number of origins in the list.
      Items: # [REQUIRED] The list of origins (domain names).
      - ''
    AccessControlAllowHeaders: # [REQUIRED] A list of HTTP header names that CloudFront includes as values for the Access-Control-Allow-Headers HTTP response header.
      Quantity: 0  # [REQUIRED] The number of HTTP header names in the list.
      Items: # [REQUIRED] The list of HTTP header names.
      - ''
    AccessControlAllowMethods: # [REQUIRED] A list of HTTP methods that CloudFront includes as values for the Access-Control-Allow-Methods HTTP response header.
      Quantity: 0  # [REQUIRED] The number of HTTP methods in the list.
      Items: # [REQUIRED] The list of HTTP methods.
      - POST
    AccessControlAllowCredentials: true # [REQUIRED] A Boolean that CloudFront uses as the value for the Access-Control-Allow-Credentials HTTP response header.
    AccessControlExposeHeaders: # A list of HTTP headers that CloudFront includes as values for the Access-Control-Expose-Headers HTTP response header.
      Quantity: 0  # [REQUIRED] The number of HTTP headers in the list.
      Items: # The list of HTTP headers.
      - ''
    AccessControlMaxAgeSec: 0 # A number that CloudFront uses as the value for the Access-Control-Max-Age HTTP response header.
    OriginOverride: true # [REQUIRED] A Boolean that determines whether CloudFront overrides HTTP response headers received from the origin with the ones specified in this response headers policy.
  SecurityHeadersConfig: # A configuration for a set of security-related HTTP response headers.
    XSSProtection:  # Determines whether CloudFront includes the X-XSS-Protection HTTP response header and the header’s value.
      Override: false  # [REQUIRED] A Boolean that determines whether CloudFront overrides the X-XSS-Protection HTTP response header received from the origin with the one specified in this response headers policy.
      Protection: true # [REQUIRED] A Boolean that determines the value of the X-XSS-Protection HTTP response header.
      ModeBlock: true # A Boolean that determines whether CloudFront includes the mode=block directive in the X-XSS-Protection header.
      ReportUri: '' # A reporting URI, which CloudFront uses as the value of the report directive in the X-XSS-Protection header.
    FrameOptions: # Determines whether CloudFront includes the X-Frame-Options HTTP response header and the header’s value.
      Override: true  # [REQUIRED] A Boolean that determines whether CloudFront overrides the X-Frame-Options HTTP response header received from the origin with the one specified in this response headers policy.
      FrameOption: DENY # [REQUIRED] The value of the X-Frame-Options HTTP response header. Valid values are: DENY, SAMEORIGIN.
    ReferrerPolicy: # Determines whether CloudFront includes the Referrer-Policy HTTP response header and the header’s value.
      Override: false  # [REQUIRED] A Boolean that determines whether CloudFront overrides the Referrer-Policy HTTP response header received from the origin with the one specified in this response headers policy.
      ReferrerPolicy: strict-origin-when-cross-origin # [REQUIRED] The value of the Referrer-Policy HTTP response header. Valid values are: no-referrer, no-referrer-when-downgrade, origin, origin-when-cross-origin, same-origin, strict-origin, strict-origin-when-cross-origin, unsafe-url.
    ContentSecurityPolicy: # The policy directives and their values that CloudFront includes as values for the Content-Security-Policy HTTP response header.
      Override: true  # [REQUIRED] A Boolean that determines whether CloudFront overrides the Content-Security-Policy HTTP response header received from the origin with the one specified in this response headers policy.
      ContentSecurityPolicy: frame-ancestors 'none' # [REQUIRED] The policy directives and their values that CloudFront includes as values for the Content-Security-Policy HTTP response header.
    ContentTypeOptions: # Determines whether CloudFront includes the X-Content-Type-Options HTTP response header with its value set to nosniff.
      Override: true  # [REQUIRED] A Boolean that determines whether CloudFront overrides the X-Content-Type-Options HTTP response header received from the origin with the one specified in this response headers policy.
    StrictTransportSecurity: # Determines whether CloudFront includes the Strict-Transport-Security HTTP response header and the header’s value.
      Override: false  # [REQUIRED] A Boolean that determines whether CloudFront overrides the Strict-Transport-Security HTTP response header received from the origin with the one specified in this response headers policy.
      IncludeSubdomains: true # A Boolean that determines whether CloudFront includes the includeSubDomains directive in the Strict-Transport-Security HTTP response header.
      Preload: true # A Boolean that determines whether CloudFront includes the preload directive in the Strict-Transport-Security HTTP response header.
      AccessControlMaxAgeSec: 31536000 # [REQUIRED] A number that CloudFront uses as the value for the max-age directive in the Strict-Transport-Security HTTP response header.
  CustomHeadersConfig: # A configuration for a set of custom HTTP response headers.
    Quantity: 0  # [REQUIRED] The number of HTTP response headers in the list.
    Items: # The list of HTTP response headers and their values.
    - Header: ''  # [REQUIRED] The HTTP response header name.
      Value: '' # [REQUIRED] The value for the HTTP response header.
      Override: true # [REQUIRED] A Boolean that determines whether CloudFront overrides a response header with the same name received from the origin with the header specified here.
  ServerTimingHeadersConfig: # A configuration for enabling the Server-Timing header in HTTP responses sent from CloudFront.
    Enabled: true  # [REQUIRED] A Boolean that determines whether CloudFront adds the Server-Timing header to HTTP responses that it sends in response to requests that match a cache behavior that's associated with this response headers policy.
    SamplingRate: 0.0 # A number 0–100 (inclusive) that specifies the percentage of responses that you want CloudFront to add the Server-Timing header to.

2 Answers
0

Hi AWSKid2k,

The error message you received indicates an inconsistency in the quantity of the "AccessControlAllowOrigins" field in your YAML input. According to the error message, the specified quantity is 0, but it expects a min quantity of 1.

To resolve this issue, you need to modify your YAML input to include at least one origin (domain name or *) in the "AccessControlAllowOrigins" field. You can do this by setting the "Quantity" to 1 to match the number of "Items" provided in the list and specifying a valid domain name. Alternatively, you can exclude the CorsConfig part of the response policy, as it is optional.

Make sure to update the other fields and values in the YAML input as needed for your response headers policy. After modifying the YAML input, try creating the response headers policy using the AWS CLI command again. By providing a valid value for "AccessControlAllowOrigins" and ensuring consistency in other fields, you should be able to create the response headers policy without encountering the "InconsistentQuantities" error [1].

Related information [1] https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/creating-response-headers-policies.html

AWS
Lebo_M
answered 9 months ago
0

Answering the question of: Cloudfront CLI error when using template to generate Response Header policy (CreateResponseHeadersPolicy)

With the information that was provided in the document, the error message is most likely related to the “AllowOrigin” field within the response headers of the YAML file. So the message is saying that the quantity for the AllowOrigin is 0 but the exact number is supposed to be 1. I believe there is some sort of mismatch between the YAML file and the correct number of values.

Some methods to try and resolve the issue: Make sure to evaluate and double-check the “AllowOrigin” field that is within your YAML file to ensure that the correct number of values is being specified. It’s possible that there is a typo or a major problem related to formatting options that is causing an overall issue. Another option is to try and remove the AllowOrigin from the file that contains the YAML file and generate the response headers policy without it. https://portswigger.net/web-security/cors/access-control-allow-origin#:~:text=What%20is%20the%20Access%2DControl,permitted%20origin%20of%20the%20request.

AWS
answered 8 months ago
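A pre-flight check for the Quantity/Items mismatch discussed in this thread, as an added example that is not part of the original posts or of AWS tooling. It assumes the edited template has already been parsed into a dict; the function names are hypothetical, `SAMPLE` is constructed from the template in the question, and dropping an origin-less `CorsConfig` follows the first answer's suggestion.

```python
def find_quantity_mismatches(node, path=""):
    """List (path, declared, actual) for each Quantity that disagrees with len(Items)."""
    found = []
    if isinstance(node, dict):
        if "Quantity" in node:
            actual = len(node.get("Items") or [])
            if node["Quantity"] != actual:
                found.append((path, node["Quantity"], actual))
        for key, value in node.items():
            found += find_quantity_mismatches(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            found += find_quantity_mismatches(item, f"{path}[{i}]")
    return found

def is_placeholder(item):
    """Skeleton filler: an empty string, or a custom header entry with an empty name."""
    return item == "" or (isinstance(item, dict) and item.get("Header") == "")

def normalize(node):
    """Copy the document, dropping filler items and recomputing each Quantity."""
    if isinstance(node, list):
        return [normalize(i) for i in node]
    if not isinstance(node, dict):
        return node
    out = {k: normalize(v) for k, v in node.items()}
    if "Quantity" in out:
        items = [i for i in out.get("Items") or [] if not is_placeholder(i)]
        out["Quantity"], out["Items"] = len(items), items
        if not items:
            del out["Items"]
    return out

def fix_policy(doc):
    """Normalize, then drop the optional CorsConfig when no origin is left in it."""
    fixed = normalize(doc)
    cfg = fixed["ResponseHeadersPolicyConfig"]
    if cfg.get("CorsConfig", {}).get("AccessControlAllowOrigins", {}).get("Quantity") == 0:
        del cfg["CorsConfig"]
    return fixed

# Constructed sample: a trimmed copy of the template in the question, as a dict.
SAMPLE = {"ResponseHeadersPolicyConfig": {
    "Name": "BlockXFrames-SecurityHeadersPolicy",
    "CorsConfig": {
        "AccessControlAllowOrigins": {"Quantity": 0, "Items": [""]},
        "AccessControlAllowMethods": {"Quantity": 0, "Items": ["POST"]},
        "AccessControlAllowCredentials": True, "OriginOverride": True},
    "SecurityHeadersConfig": {"FrameOptions": {"Override": True, "FrameOption": "DENY"}},
    "CustomHeadersConfig": {"Quantity": 0, "Items": [{"Header": "", "Value": ""}]}}}
```

Running `find_quantity_mismatches` on the parsed template lists every block that would trip `InconsistentQuantities`; `fix_policy` returns a copy in which the security headers are kept and the unused CORS block is gone.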
