- Newest
- Most votes
- Most comments
Hi Gabriel
I work with CloudFront and S3 and I would like to assist you to resolve this issue.
Firstly, your use case is widely used, so there is nothing wrong there.
Generally , S3 returns a 403 when either the incorrect permissions are on the bucket, or you are trying to access a path/file that does not exist. Using OAI is also the best way to access S3 bucket, while keeping the bucket private.
So to do this, make sure your settings are as below:
S3 Bucket
- Make sure your origin is an S3 origin type, and not a custom origin. This will be for the static bucket and the media bucket.
- S3 Bucket Access, select your OAI, and let CloudFront update your bucket policy for you.
- Save the changes.
CloudFront
For the behavior, I am assuming your static site is on the root of the bucket. That is fine.
- Make sure the media content is in a folder and not the root of the bucket. Example: bucket-name/mediafolder/mediafile.mp4
- Create a bahavior, set the behavior path = /mediafolder/*
- For the Origin, select the S3 media bucket.
- Select your protocol and allowed methods.
- If you would like to cache the content, select the CachingOptimized policy, otherwise select the CachingDisabled policy.
- For the Origin request policy, select the CORS-S3Origin. But if you are not doing CORS requests, then you can leave this as None and save the behavior.
- Setup the default behavior for all other requests, mainly for your static bucket.
Please note that when using S3, the URL and behavior path needs to match the S3 folder structure. If your URL is https://example.com/media/mediafile.mp4, then there needs to be a folder structure like that. bucketname/media/mediafile.mp4.
Let me know if the above works. If not, we can dive a bit deeper.
You can place the media files in the same bucket as the web site, however, you add an additional Behavior to the CloudFront Distribution with a specific PathPattern like "*.mpeg" and use the CachingDisabled policy so that the videos are treated as dynamic content.
Hi kentrad, thank you for stopping by to help.
If we only had a static website I wouldn't see a problem on providing the media in the same bucket but the main problem we had doing it it's the media size. It isn't recommended (as far as I know) to store such big blob files in our GitHub repositories. It hugely increased our deploy and testing.
In the last case scenario we will update the bucket policy and make the content public, but I just want to be sure I covered every solution before going for this approach.
I don't understand why the media files would have to be stored in the same repository as your website code? Why not just copy the media files from their source into the same bucket where you deploy the website?
Hello Gabriel,
Full disclosure, I am not an S3 support engineer. I found the query interesting.
I am not sure if you have tried CORS yet. If not, you can find more details here:
[+] https://docs.aws.amazon.com/AmazonS3/latest/userguide/ManageCorsUsing.html
Maybe try allowing your domain and the cloudfront's domain to access the secondary bucket and use the URL to the objects in your code?
"AllowedOrigins": [
"http://www.example1.com"
Please let me know if it works. If not, maybe I will try digging through a few documents.
Take care and stay safe !
Hi Harshavardhan_Gowda,
I did try configuring CORs policy. It was configured
[ { "AllowedHeaders": [], "AllowedMethods": [ "GET" ], "AllowedOrigins": [ "*" ], "ExposeHeaders": [] } ]
After your comment I tried to narrow down the AllowedOrigins to the specific URL but it didn't work.
I also tried using the AWS Referer approach as I saw here (https://repost.aws/questions/QU9AwgTuKjRgCD4FPOcNQTug/aws-s-3-file-access-only-allowed-when-coming-from-a-specific-domain):
"Condition":{ "StringLike":{"aws:Referer":["https://www.*.example.com/*","https://*.example.com/*"]} }
but it didn't work too.
Relevant content
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 6 months ago
Thank you for the help BazzieB_AWS.
The main problem was my mindset. I tried configuring the Origin just like you guided me but I kept using the S3 URL instead of "translating" the path to my CloudFront URL.
After re-creating the origin and all the ruling, I managed to access the media from the CloudFront and the S3 URL is now blocked.
Thank you for the help.