Can't access through S3 to files updated through CloudFront


Question

I was using CloudFront to access files in my S3 bucket and update the files. I have disabled CloudFront now, but now I cannot access those files directly through S3.

Also, when I try to set permissions on items in the bucket I receive a message that access was denied. I don't have such a problem with items updated directly through S3.

How can I enable access to the files in my bucket directly through S3?

Answer

I had the same problem: files created with the Origin Access Identity weren't readable by the host account (or any user account) and couldn't be accessed via the CLI, Lambda or the Console.

My solution was to set a header on the client request that allows control of the files by the bucket owner:

x-amz-acl: bucket-owner-full-control

This shouldn't require changes to your CloudFront distribution. All x-amz-* headers should be passed through automatically.

I complemented this solution with a bucket policy that requires this header, so people can't hack my client and upload files that I can't manage. The following is added to the policy statement object allowing s3:PutObject by the Origin Access Identity:

"Condition": {
    "StringEquals": {
        "s3:x-amz-acl": [
            "bucket-owner-full-control"
        ]
    }
}

Explanation

Managing access with ACLs:

"For example, if a bucket owner allows other AWS accounts to upload objects, permissions to these objects can only be managed using object ACL by the AWS account that owns the object."

The only way I found to manage the ACLs of objects created by the Origin Access Identity is to set the x-amz-acl header at object creation time.
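The following is an added example, not code from the original post or its author. It builds the complete bucket policy the answer sketches (the OAI may read, and may write only when the upload carries x-amz-acl: bucket-owner-full-control), shows the header set the client would send on its PUT, and checks which PutObject requests that policy admits. The bucket name and OAI id are hypothetical placeholders, and put_allowed() models only the single StringEquals condition used here, not the full IAM evaluation logic.

```python
"""Added example (not from the original post): bucket policy requiring
x-amz-acl: bucket-owner-full-control on uploads made through a CloudFront
Origin Access Identity, plus a simplified check of which PUTs it admits."""
import json

BUCKET = "example-bucket"  # assumption: placeholder bucket name
OAI_ID = "E1EXAMPLEOAIID"  # assumption: placeholder CloudFront OAI id
OAI_PRINCIPAL = (
    "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity " + OAI_ID
)
OWNER_ACL = "bucket-owner-full-control"


def build_bucket_policy(bucket=BUCKET, oai_principal=OAI_PRINCIPAL):
    """Return the policy document as a dict; json.dumps() it for the CLI."""
    resource = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "OaiRead",
                "Effect": "Allow",
                "Principal": {"AWS": oai_principal},
                "Action": "s3:GetObject",
                "Resource": resource,
            },
            {
                # The condition from the answer: a PUT via the OAI is only
                # allowed when the object is handed to the bucket owner.
                "Sid": "OaiWriteOnlyWithOwnerAcl",
                "Effect": "Allow",
                "Principal": {"AWS": oai_principal},
                "Action": "s3:PutObject",
                "Resource": resource,
                "Condition": {"StringEquals": {"s3:x-amz-acl": [OWNER_ACL]}},
            },
        ],
    }


def upload_headers(content_type="application/octet-stream"):
    """Headers the client sends on its PUT through CloudFront (the answer
    states that x-amz-* headers are passed through to the S3 origin)."""
    return {"Content-Type": content_type, "x-amz-acl": OWNER_ACL}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def put_allowed(policy, principal, headers):
    """Simplified model: True if some Allow statement grants s3:PutObject to
    `principal` and its StringEquals condition on s3:x-amz-acl (if any) is
    satisfied. A missing header never satisfies StringEquals. Header names
    are compared case-insensitively, as HTTP requires."""
    lowered = {k.lower(): v for k, v in headers.items()}
    acl = lowered.get("x-amz-acl")
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if principal not in _as_list(stmt.get("Principal", {}).get("AWS", [])):
            continue
        if "s3:PutObject" not in _as_list(stmt.get("Action", [])):
            continue
        required = (
            stmt.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
        )
        if required is None or acl in _as_list(required):
            return True
    return False


if __name__ == "__main__":
    policy = build_bucket_policy()
    print(json.dumps(policy, indent=2))
    print("PUT with header:   ", put_allowed(policy, OAI_PRINCIPAL, upload_headers()))
    print("PUT without header:", put_allowed(policy, OAI_PRINCIPAL, {"Content-Type": "text/plain"}))
```

Running the block prints the policy document and then True for the upload that carries the header and False for one that omits it. Two practical notes: the condition only constrains what the policy allows, so a PUT that lacks the header is refused rather than silently stored with an unmanageable ACL, which is the property the answer wants; and, as a caveat outside the scope of the answer, the S3 Object Ownership setting "bucket owner enforced" (introduced in 2021) disables ACLs on the bucket entirely, so every new object is owned by the bucket owner without any client-side header.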
