
Cloudfront Post Request Keeps giving 403

0

This is my cloudfront setup using Terraform.

```hcl
locals {
  s3_origin_id             = "S3OriginId-for-${var.client_bucket_name}"
  s3_origin_access_control = "OriginAccessControl-for-${var.client_bucket_name}"
  apigw_origin_id          = "APIGatewayOriginId"
  apigw_domain_name        = element(split("://", var.apigw_domain_name), 1)
}

resource "aws_cloudfront_origin_access_control" "s3_origin_access_control" {
  name                              = local.s3_origin_access_control
  origin_access_control_origin_type = "s3"
  signing_behavior                  = "always"
  signing_protocol                  = "sigv4"
}

resource "aws_cloudfront_distribution" "cdn" {
  origin {
    domain_name              = var.client_bucket_regional_domain_name
    origin_access_control_id = aws_cloudfront_origin_access_control.s3_origin_access_control.id
    origin_id                = local.s3_origin_id
  }

  origin {
    origin_id   = local.apigw_origin_id
    domain_name = local.apigw_domain_name
    origin_path = "/${var.api_stage}/upload_url"
    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  enabled = true
  default_cache_behavior {
    allowed_methods  = ["HEAD", "GET", "OPTIONS"]
    cached_methods   = ["HEAD", "GET", "OPTIONS"]
    target_origin_id = local.s3_origin_id

    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }

    viewer_protocol_policy = "redirect-to-https"
    min_ttl                = 0
    default_ttl            = 3600
    max_ttl                = 86400
  }

  ordered_cache_behavior {
    path_pattern     = "/api/upload-url"
    allowed_methods  = ["HEAD", "GET", "OPTIONS", "POST", "PATCH", "PUT", "DELETE"]
    cached_methods   = ["HEAD", "GET", "OPTIONS"]
    target_origin_id = local.apigw_origin_id

    cache_policy_id          = "4135ea2d-6df8-44a3-9df3-4b5a84be39ad"
    origin_request_policy_id = "b689b0a8-53d0-40ab-baf2-68738e2966ac"

    viewer_protocol_policy = "redirect-to-https"
    min_ttl                = 0
    default_ttl            = 0
    max_ttl                = 0
  }

  price_class = "PriceClass_100"

  restrictions {
    geo_restriction {
      restriction_type = "none"
      locations = []
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}
```

Error I get

From console

asked 2 years ago, 391 views
3 Answers
1

Looks like you are missing a trailing slash in path_pattern; try adding a slash.

```hcl
ordered_cache_behavior {
  path_pattern = "/api/upload-url/"
  # other arguments unchanged
}
```

answered 2 years ago
EXPERT
reviewed 2 years ago
  • Made the change; now at least the request goes to API Gateway, as this is what it returns in the response headers:

    | Header | Value |
    | --- | --- |
    | content-type | application/json |
    | content-length | 23 |
    | connection | close |
    | date | Thu, 13 Jun 2024 15:56:04 GMT |
    | apigw-requestid | ZUB3MhdbDoEEJZw= |
    | x-cache | Error from cloudfront |
    | via | 1.1 93fa84206c30dc35b459d2b796c3a09c.cloudfront.net (CloudFront) |
    | x-amz-cf-pop | HEL51-P5 |
    | x-amz-cf-id | J3tKLbhlgI71qz4N1KlelVHkZmVmdEqMZz9EHuvFhk05UbZlIEXLew== |
    
0

What is the error code after you updated the trailing slash? Do you have logs enabled on API Gateway? If yes, please share the logs.

Also, based on your code, I hope you have configured your API Gateway to handle requests on "/${var.api_stage}/upload_url/api/upload-url/" and not on "/api/upload-url/".

Also if you can share the cache_policy and origin_request_policy, it might be relevant.

answered 2 years ago
  • I have access logging turned on for API Gateway, but it doesn't log these requests, though in the response headers there is an API Gateway request ID (check below). I have configured API Gateway to accept POST requests on the root, so /, and when I call it from Postman it works (apigatewayid.execute-api.region.amazonaws.com/stage, stage being the name of the stage), but of course CloudFront is giving error 404 Not Found. As for the caching policy, these are managed policies: Managed-CachingDisabled and Managed-AllViewerExceptHostHeader.

    | Header | Value |
    | --- | --- |
    | content-type | application/json |
    | content-length | 23 |
    | connection | close |
    | date | Thu, 13 Jun 2024 15:56:04 GMT |
    | apigw-requestid | ZUB3MhdbDoEEJZw= |
    | x-cache | Error from cloudfront |
    | via | 1.1 93fa84206c30dc35b459d2b796c3a09c.cloudfront.net (CloudFront) |
    | x-amz-cf-pop | HEL51-P5 |
    | x-amz-cf-id | J3tKLbhlgI71qz4N1KlelVHkZmVmdEqMZz9EHuvFhk05UbZlIEXLew== |
  • I think you need to configure API Gateway to accept the POST requests on path "/api/upload-url/".

    Also update the origin_path to "/":

    ```hcl
    origin {
      origin_id   = local.apigw_origin_id
      domain_name = local.apigw_domain_name
      origin_path = "/"
      # custom_origin_config unchanged
    }
    ```

    That should fix the 404 issue

0

I think the other response is correct about the exact URL path shown in the test request in the screenshot, but to be sure, if the intent is to allow all URLs with that prefix, you'll additionally need a trailing * wildcard. For example, /api/upload-url/* or api/upload-url/* (the leading slash is not required but it is allowed).

The path pattern syntax is explained in detail in this documentation article, but the short version is that * matches zero or more characters and ? matches exactly one character: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesPathPattern

EXPERT
answered 2 years ago
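
The routing discussed in the answers above, as an added example (not code from the thread or from AWS): a small Python model of how CloudFront picks a cache behavior by path pattern, rejects a method the chosen behavior does not allow, and prepends `origin_path` before forwarding. The stage name `dev`, the short origin labels and the trailing-slash request path are assumptions, since the question's screenshots are not on the page.

```python
import re

# Constructed model of the distribution in the question (values from its Terraform).
BEHAVIORS = [  # ordered_cache_behavior entries, evaluated top to bottom
    {"pattern": "/api/upload-url", "origin": "apigw",
     "methods": {"HEAD", "GET", "OPTIONS", "POST", "PATCH", "PUT", "DELETE"}},
]
# default_cache_behavior: used when no ordered pattern matches
DEFAULT = {"pattern": "*", "origin": "s3", "methods": {"HEAD", "GET", "OPTIONS"}}
# origin_path per origin; "dev" is an assumed stand-in for var.api_stage
ORIGIN_PATHS = {"s3": "", "apigw": "/dev/upload_url"}


def pattern_matches(pattern: str, path: str) -> bool:
    """'*' matches zero or more characters, '?' exactly one; matching is case-sensitive."""
    if not pattern.startswith("/"):
        pattern = "/" + pattern  # the leading slash is optional in a path pattern
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, path, flags=re.DOTALL) is not None


def route(method: str, path: str, behaviors=BEHAVIORS):
    """Return (origin, edge_status, path_sent_to_origin) for one viewer request."""
    chosen = next(
        (b for b in behaviors if pattern_matches(b["pattern"], path)), DEFAULT
    )
    if method not in chosen["methods"]:
        # CloudFront answers 403 itself; the request never reaches an origin.
        return chosen["origin"], 403, None
    # origin_path is prepended to the viewer path, so the origin sees both.
    return chosen["origin"], None, ORIGIN_PATHS[chosen["origin"]] + path


if __name__ == "__main__":
    fixed = [{**BEHAVIORS[0], "pattern": "/api/upload-url/"}]
    print(route("POST", "/api/upload-url/"))         # falls to default behavior
    print(route("POST", "/api/upload-url/", fixed))  # reaches the API origin
```

With the original pattern the POST falls through to the S3 default behavior and is refused at the edge; with the trailing slash it reaches API Gateway, but at the stage path plus `/upload_url/api/upload-url/`, which is the route the API must actually serve.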
