AWS-通过CloudFront HTTPS分发访问S3存储桶时返回InvalidAccessKeyId [英] AWS - InvalidAccessKeyId returned when accessing S3 bucket via CloudFront HTTPS distribution
问题描述
上一个
当我尝试使用在 Route 53 中配置的别名导航到分发端点时,它总是返回 InvalidAccessKeyId 错误,并说tha t访问密钥不存在。密钥对于每个请求都始终相同,并且以 AKIA 为前缀。
我已经查看了 IAM 控制台,尚未创建任何用户。我相信只有2个角色是由AWS自动创建的。
顺便说一句,即使我禁用了自动更新 S3 存储桶策略在创建新的 CloudFront 分发时,我的存储桶策略将被自动修改,其中 Principal 字段设置为 AWS: ADIA ... 。我尝试用 CanonicalUser替换它:< CloudFront发行版正在使用的我的OAI> ,但它将恢复为 AWS: ADIA ... 几分钟后。
有人知道如何解决此无效的访问密钥错误吗?
更新
我创建了另一个 ap-southeast-1 中的 S3 存储桶,并通过允许 CloudFront执行完全相同的步骤自动生成存储桶策略,然后在 Route 53 控制台中配置别名设置。
下面是自动生成的存储桶策略。
然后,我将该策略复制并粘贴到原始的 ap-east-1 存储桶中,唯一的区别是在 AWS行中: ... ,但不允许我保存它,指出主体存在错误。
这是CloudFront和选择加入AWS区域。不幸的是,解决方法是将存储桶策略设置为允许公共访问(例如存储桶策略中的 Principal: * 之类的东西),或暂时仅使用其他区域
您也可以尝试向AWS支持投诉。客户的影响往往会更快地解决AWS错误...
Previous question on the same case.
After solving my previous issue, my AWS is set up with the following services.
S3bucket inap-east-1without static website hosting.CloudFrontHTTPS distribution with a SSL certificate requested fromACMinus-east-1.- Alias pointing to the
CloudFrontdistribution inRoute 53.
When I try navigating to the distribution endpoint using the alias configured in Route 53, it always returns InvalidAccessKeyId error, and saying that the access key does not exist. The key is always the same for every requests, and is prefixed with AKIA.
I have looked into my IAM console, no users have been created. There are only 2 roles which I believe was auto-created by AWS.
By the way, even if I disable auto-updating S3 bucket policy when creating new CloudFront distribution, my bucket policy will be modified automatically, where the Principal field is set to "AWS": "ADIA...". I have tried replacing it with "CanonicalUser": "<my OAI that the CloudFront distribution is using>", but it will be reverted to "AWS": "ADIA..." several minutes later.
Does anyone know how to tackle this invalid access key error?
Update
I have created another S3 bucket in ap-southeast-1 and carried out the exact same steps by allowing CloudFront generates bucket policy automatically, then configured alias settings in Route 53 console.
Below is the auto-generated bucket policy.
Then, I copy and paste that policy to my original ap-east-1 bucket, the only difference is in the line "AWS": "...", but it doesn't allow me to save it, stating that there is error in the principal.
This is a known issue with CloudFront and opt-in AWS regions. Unfortunately the workaround is to set your bucket policy to allow public access (something like "Principal": "*" in the bucket policy), or just use a different region for now.
You can also try complaining to AWS support. Customer impact tends to get aws bugs resolved more quickly...
这篇关于AWS-通过CloudFront HTTPS分发访问S3存储桶时返回InvalidAccessKeyId的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
