CloudFront returns the error "InvalidToken - The provided token is malformed or otherwise invalid" when accessing s3 hosted files in new region ap-southeast-4 (Melbourne)

0

I have been trying to set up a website of static web pages with SSL termination provided by CloudFront.

I set up the origin s3 bucket in the new ap-southeast-4 (Melbourne).

After all the setup, when I try to access the web pages via the CloudFront distribution, I get the error message:

<Error>
<Code>InvalidToken</Code>
<Message>The provided token is malformed or otherwise invalid.</Message>
<Token-0>****</Token-0>
<RequestId>****</RequestId>
<HostId>****</HostId>
</Error>

Going back to first principles, I seem to have isolated the problem to the region ap-southeast-4.

Currently, in production, we have existing CloudFront distributions that host files out of ap-southeast-2 (Sydney). This is odd, so I created 2 test CloudFront distributions with the simplest stack possible. One distribution points to a test s3 bucket in ap-southeast-4 (Melb) and the other to a test bucket in ap-southeast-2 (Syd).

The distribution pointing to ap-southeast-4 always returns the InvalidToken error while the distribution pointing to ap-southeast-2 works fine.

Any help in fixing this problem would be appreciated.

  • Do both your buckets, Sydney and Melbourne hosted, have the same Bucket Policy to allow access from the distribution?

    Can you compare the infra code used to deploy the Distribution and to create the Bucket? Please look closely for any differences in bucket permissions and policy, since that must allow access from the given Distribution to the bucket, for the serving to work.

    Happy to help further if you share the code snippets.

  • Are you using OAI or OAC for CloudFront to access the S3 bucket? Does the origin domain configured in CloudFront for the S3 bucket include the region? i.e. <yourbucket>.ap-southeast-4.amazonaws.com

  • I am using OAC for CloudFront access to both s3 buckets.

    Checking the permissions on the two s3 buckets they are identical. Both have 'Block all public access' set to on. Also, I have double-checked the policy access JSON settings and confirmed that the strings match what the CloudFront OAC settings indicate they should be for each respective instance.

    As far as I can tell the two CloudFront instances are identical and everything is set up correctly. I am still getting the error for the instance that accesses the s3 bucket in ap-southeast-4.amazonaws.com.

Asked 1 year ago · 151 views
No answers
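
As an added example (not part of the original question or comments, and not AWS code): a Python check for the two things the comments ask about, whether the bucket policy grants the distribution access and whether the origin domain names the bucket's region. It assumes an OAC-style policy statement using StringEquals on AWS:SourceArn with an explicit s3:GetObject action, and the S3 endpoint format <bucket>.s3.<region>.amazonaws.com; the bucket name, account id and distribution id are constructed placeholders.

```python
import json
import re
# <bucket>.s3.amazonaws.com (global) or <bucket>.s3.<region>.amazonaws.com (regional)
_S3_ORIGIN = re.compile(
    r"^(?P<bucket>.+?)\.s3(?:[.-](?P<region>[a-z]{2}(?:-[a-z]+)+-\d))?\.amazonaws\.com$")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_oac_origin(policy_json, bucket, region, distribution_arn, origin_domain):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    m = _S3_ORIGIN.match(origin_domain)
    if not m or m.group("bucket") != bucket:
        findings.append("origin domain is not an S3 REST endpoint for this bucket")
    elif m.group("region") is None:
        findings.append("origin domain has no region (bucket is in %s)" % region)
    elif m.group("region") != region:
        findings.append("origin domain region differs from bucket region " + region)
    wanted = "arn:aws:s3:::%s/*" % bucket
    granted = False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        # Only the StringEquals form is handled; condition keys are case-insensitive.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        source_arns = [a for k, v in equals.items() if k.lower() == "aws:sourcearn"
                       for a in _as_list(v)]
        if (stmt.get("Effect") == "Allow"
                and "cloudfront.amazonaws.com" in services
                and "s3:GetObject" in _as_list(stmt.get("Action", []))
                and wanted in _as_list(stmt.get("Resource", []))
                and distribution_arn in source_arns):
            granted = True
    if not granted:
        findings.append("no statement lets this distribution s3:GetObject " + wanted)
    return findings

# Constructed sample values (placeholder account id, distribution id and bucket name).
DIST = "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID"
POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "cloudfront.amazonaws.com"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-melb/*",
    "Condition": {"StringEquals": {"AWS:SourceArn": DIST}}}]})

if __name__ == "__main__":
    for domain in ("example-melb.s3.ap-southeast-4.amazonaws.com",
                   "example-melb.s3.amazonaws.com"):
        print(domain, check_oac_origin(POLICY, "example-melb", "ap-southeast-4", DIST, domain))
```

Running the same function against the Sydney and Melbourne buckets, with each bucket's real policy and the origin domain shown in its distribution, gives a side-by-side comparison of the two setups.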
