Check that you have configured the signing behavior correctly for your Origin Access Control ID. Per the documentation, this should be set to "Always."
If you have accidentally set it to "Never" this will effectively turn off OAC and require the bucket to be publicly accessible.
Something worth fixing that might solve it if you're lucky is changing your policy's Version field to "2012-10-17".
As per https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_version.html, "2008-10-17 - This was an earlier version of the policy language. You might see this version on older existing policies. Do not use this version for any new policies or when you update any existing policies. Newer features, such as policy variables, will not work with your policy."
If you're using KMS encryption, make sure that CloudFront has permission to use the key to decrypt the object(s).
You may need to add a statement to the KMS key policy - here is an example:
{
    "Sid": "AllowCloudFrontServicePrincipalSSE-KMS",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::<AWS account ID>:root",
        "Service": "cloudfront.amazonaws.com"
    },
    "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey*"
    ],
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "AWS:SourceArn": "arn:aws:cloudfront::<AWS account ID>:distribution/<CloudFront distribution ID>"
        }
    }
}
From the AWS console I am using:
Encryption key type: Amazon S3 managed keys (SSE-S3)
I didn't see any keys when I went to the KMS service. Do I need to create a key for OAC to work?
One thing I notice is that when I access an object URL (https://2023-05-12-at-website.s3.amazonaws.com/config.js) directly I get the same error message. This is expected, correct, since I blocked public access?
That was the culprit!
After changing Signing Behavior from "Do not sign requests" to "Sign requests" I can now access the S3 website through the CloudFront distribution URL.
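As an added example (not code from this thread or from AWS), a short Python lint that runs offline over an OAC configuration and bucket policy you have already fetched, and flags the misconfigurations raised above: a signing behavior other than "always", the old 2008-10-17 policy version, and a bucket policy with no statement granting the CloudFront service principal s3:GetObject scoped to the distribution ARN. The document shapes follow the CloudFront and S3 APIs; the account and distribution IDs in the sample documents are constructed placeholders.

```python
def _as_list(value):
    """IAM lets a single value stand in for a one-element list; normalise."""
    return value if isinstance(value, list) else [value]

def check_oac_origin(oac, policy, bucket_arn, distribution_arn):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    # 1. OAC must sign every origin request (console: "Sign requests").
    if str(oac.get("SigningBehavior", "")).lower() != "always":
        findings.append("OAC SigningBehavior is %r, expected 'always'" % oac.get("SigningBehavior"))
    # 2. Use the current policy language version.
    if policy.get("Version") != "2012-10-17":
        findings.append("policy Version is %r, expected '2012-10-17'" % policy.get("Version"))
    # 3. Some Allow statement must grant cloudfront.amazonaws.com s3:GetObject on the objects, scoped to this distribution.
    object_arn = bucket_arn + "/*"
    granted = False
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        # Condition keys are case-insensitive in IAM, so compare lower-cased.
        cond = {k.lower(): v for k, v in stmt.get("Condition", {}).get("StringEquals", {}).items()}
        if (stmt.get("Effect") == "Allow"
                and "cloudfront.amazonaws.com" in services
                and "s3:GetObject" in _as_list(stmt.get("Action", []))
                and object_arn in _as_list(stmt.get("Resource", []))
                and cond.get("aws:sourcearn") == distribution_arn):
            granted = True
    if not granted:
        findings.append("no statement grants cloudfront.amazonaws.com s3:GetObject on "
                        "%s scoped to %s" % (object_arn, distribution_arn))
    return findings

# Constructed sample documents with placeholder account/distribution IDs.
BUCKET_ARN = "arn:aws:s3:::example-bucket"
DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID"
GOOD_OAC = {"SigningBehavior": "always", "SigningProtocol": "sigv4"}
BAD_OAC = {"SigningBehavior": "never", "SigningProtocol": "sigv4"}   # "Do not sign requests"
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject",
        "Resource": BUCKET_ARN + "/*",
        "Condition": {"StringEquals": {"AWS:SourceArn": DIST_ARN}},
    }],
}
OLD_POLICY = dict(GOOD_POLICY, Version="2008-10-17")   # same grant, old language version
```

Running `check_oac_origin(BAD_OAC, OLD_POLICY, BUCKET_ARN, DIST_ARN)` reports both the signing behavior and the policy version, which is the combination discussed in this thread.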
Tried it. Unfortunately, no luck.