放大发布导致 AccessDenied 错误 [英] Amplify publish causes AccessDenied error

问题描述

我通过 amplify publish 将一个简单的 Web 应用程序部署到 S3.托管已启用 Cloudfront(我在设置托管时在放大中选择了 PROD 环境)并且我在 eu-central-1 区域工作.但是每当我尝试访问 Cloudfront URL 时，我都会收到一个 AccessDenied 错误.

我遵循了

I deploy a simple web app to S3 via amplify publish. The hosting has Cloudfront enabled (I selected the PROD environment in amplify while setting up hosting) and I'm working in the eu-central-1 region. But whenever I try to access the Cloudfront URL, I receive an AccessDenied error.

I followed a tutorial at https://medium.com/quasar-framework/creating-a-quasar-framework-application-with-aws-amplify-services-part-1-4-9a795f38e16d an the only thing I did differently was the region (tutorial uses us-east-1 while I use eu-central-1).

The config of S3 and Cloudfront was done by amplify and so should be working in theory:

Cloudfront:

• Origin Domain Name or Path: quasar-demo-hosting-bucket-dev.s3-eu-central-1.amazonaws.com (originally it was without the eu-central-1, but I added it manually after it didn't work).
• Origin ID: hostingS3Bucket
• Origin Type: S3 Origin

S3 Bucket Policy:

{
    "Version": "2012-10-17",
    "Id": "MyPolicy",
    "Statement": [
        {
            "Sid": "APIReadForGetBucketObjects",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ********"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::quasar-demo-hosting-bucket-dev/*"
        }
    ]
}

Research showed me that Cloudfront can have temporary trouble to access S3 buckets in other regions. But I manually added the region to the origin in Cloudfront AND I have waited for 24h. I still get the "access denied".

I suspect this has something to do with the S3 bucket not being in the default us-east-1 region and amplify not setting up Cloudfront correctly in that case.

How can I get amplify to set the S3 bucket and Cloudfront up correctly so that I can access my website through the Cloudfront URL?

解决方案

Thanks for the additional information.

your S3 Bucket Policy looks Ok.

• Regarding Origin Domain name or Path, It is always S3 bucket appears in the drop down so no need to update it with region

• However there is one setting missing in your Cloudfront Origin.
  you need to select Restrict Bucket access to Yes

  As per AWS documentation
  If you want to require that users always access your Amazon S3 content using CloudFront URLs, not Amazon S3 URLs, click Yes. This is useful when you are using signed URLs or signed cookies to restrict access to your content. In the Help, see "Serving Private Content through CloudFront

• Now create new Identity or select Existing Identity

• Click on Create button to save Origin.

这篇关于放大发布导致 AccessDenied 错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！