Your setup is nearly the same as what I've used for a long time. One difference I noticed is that you've specified `!GetAtt FrontendBucket.DomainName` for the origin's `DomainName`. I use `!GetAtt FrontendBucket.RegionalDomainName` instead, to match the regional hostname syntax in the documentation: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesDomainName. I'm not sure if that's the problem, but it does differ from the documentation and my working setups.
A very tentative guess about what might be happening is that the global name syntax might otherwise work, but it would require the `s3:GetBucketLocation` permission for CloudFront to determine the bucket's region, and that permission definitely isn't granted. It might not be granted on the CloudFront service account's side either, though, so adding the permission in the bucket policy wouldn't necessarily fix it.
If your origin is an Amazon S3 bucket configured as a website endpoint, you must set it up with CloudFront as a custom origin. That means you can't use OAC (or OAI). OAC doesn't support origin redirect by using Lambda@Edge.
I think you have configured the CloudFront distribution with an S3 origin, while you should configure it as a custom origin for a website.
Please see this: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
Right at the very top of the included template.yaml you can clearly see that the bucket is not set up as a website endpoint. Furthermore, this doesn't address the problem of why it suddenly started working. I have no idea why one would bother with copy-pasting such an answer as this.
Deepak Gupta, thanks for taking the time to try to help.
Using `RegionalDomainName` makes the site accessible almost immediately. It makes sense that when pasting an S3 domain name (not regional) into the S3 AWS console, it's automatically converted into the regional form. Evidently I am accessing an edge location which hasn't got the S3 permissions set up correctly, but why does using `RegionalDomainName` fix that?
An S3 bucket is a regional resource. CloudFront and all other clients have to access its contents via an S3 endpoint in that region. The `RegionalDomainName` attribute returns the DNS name of the S3 endpoint where that bucket can be accessed directly, while `DomainName` points to a global S3 service endpoint where clients can go and ask which region a bucket is located in, knowing only its name, if they have the `s3:GetBucketLocation` permission on the bucket. Even when permissions suffice, that incurs an extra round-trip to the global endpoint, so it's best to use the regional one directly.
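As an added example, not from the thread or the asker's template.yaml: a minimal CloudFormation template that points the origin at `!GetAtt FrontendBucket.RegionalDomainName` behind an OAC and grants the CloudFront service principal only `s3:GetObject`, scoped to this one distribution, so no `s3:GetBucketLocation` lookup is ever needed. The resource names FrontendOAC, FrontendDistribution and FrontendBucketPolicy are assumed, as is use of the AWS managed CachingOptimized cache policy.

```yaml
# Added example, not the thread's own template: OAC origin using the
# regional S3 hostname. FrontendOAC/FrontendDistribution/FrontendBucketPolicy are assumed names.
Resources:
  FrontendBucket:
    Type: AWS::S3::Bucket          # plain bucket, not a website endpoint
  FrontendOAC:
    Type: AWS::CloudFront::OriginAccessControl
    Properties:
      OriginAccessControlConfig:
        Name: frontend-oac
        OriginAccessControlOriginType: s3
        SigningBehavior: always    # sign every origin request with SigV4
        SigningProtocol: sigv4
  FrontendDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Origins:
          - Id: frontend-s3
            # Regional endpoint: CloudFront talks to the bucket's region directly.
            # !GetAtt FrontendBucket.DomainName would hit the global endpoint instead.
            DomainName: !GetAtt FrontendBucket.RegionalDomainName
            OriginAccessControlId: !GetAtt FrontendOAC.Id
            S3OriginConfig:
              OriginAccessIdentity: ""   # must be empty when an OAC is attached
        DefaultCacheBehavior:
          TargetOriginId: frontend-s3
          ViewerProtocolPolicy: redirect-to-https
          CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6  # managed CachingOptimized
  # Least privilege: GetObject only, and only from this distribution's ARN.
  FrontendBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref FrontendBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudfront.amazonaws.com
            Action: s3:GetObject
            Resource: !Sub "${FrontendBucket.Arn}/*"
            Condition:
              StringEquals:
                AWS:SourceArn: !Sub "arn:aws:cloudfront::${AWS::AccountId}:distribution/${FrontendDistribution}"
```

Swapping `RegionalDomainName` for `DomainName` in the origin is the only change between this and the setup the thread describes as unreliable; the bucket policy above deliberately does not grant `s3:GetBucketLocation`.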