拒绝对S3存储桶的AWS CloudFront访问 [英] AWS CloudFront access denied to S3 bucket
问题描述
我正在尝试设置 CloudFront 来提供托管在 S3 存储桶中的静态文件。我已经安装了发行版,但是尝试浏览CSS( /CSS/stlyle.css )文件时得到了 AccessDenied 在S3存储桶中:
I am trying to setup CloudFront to serve static files hosted in my S3 bucket. I have setup distribution but I get AccessDenied when trying to browse to the CSS (/CSS/stlyle.css) file inside S3 bucket:
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>E193C9CDF4319589</RequestId>
<HostId>
xbU85maj87/jukYihXnADjXoa4j2AMLFx7t08vtWZ9SRVmU1Ijq6ry2RDAh4G1IGPIeZG9IbFZg=
</HostId>
</Error>
我已将CloudFront发行版设置为S3存储桶并创建了新的 Origin Access身份策略已自动添加到S3存储桶中:
I have set my CloudFront distribution to my S3 bucket and created new Origin Access Identity policy which was added automatically to the S3 bucket:
{
"Version": "2008-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E21XQ8NAGWMBQQ"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::myhost.com.cdn/*"
}
]
}
我错过了什么吗?
我希望通过CloudFront提供此S3存储桶中的所有文件...
I want all my files in this S3 bucket be served via CloudFront...
*更新*
此云战线指南说:
默认情况下,您的Amazon S3存储桶,其中的所有对象都是私有的-只有创建该存储桶的AWS账户才有权读取或写入其中的对象。如果要允许任何人使用CloudFront URL访问Amazon S3存储桶中的对象,则必须向对象授予公共读取权限。 (这是使用CloudFront和Amazon S3时最常见的错误之一。您必须显式授予Amazon S3存储桶中每个对象的特权。)
因此,基于此,我对S3存储桶中的所有对象都添加了新权限,以使每个人都可以读取/下载。现在,我可以访问文件了。
So based on this I have added new permissions to all objects inside S3 bucket to Everyone Read/Download. Now I can access files.
但是现在当我访问 https://d3u61axijg36on.cloudfront.net/css/style.css 这将被重定向到S3 URI和 HTTP 。如何禁用此功能?
But now when I access the file like https://d3u61axijg36on.cloudfront.net/css/style.css this is being redirected to S3 URI and HTTP. How do I disable this?
推荐答案
为解决您的问题,我通过以下方式重新创建了这种情况:
To assist with your question, I recreated the situation via:
- 创建了没有存储桶策略的 Amazon S3存储桶
- 已上载 public.jpg ,并通过公开将其公开。
- 上载 private.jpg 并将其设为私有
- 已创建一个Amazon CloudFront 网络分布:
- 原始域名:从列表中选择我的S3存储桶
- 限制存储桶访问:是
- 原始访问身份:创建新身份
- 授予对存储桶的读取权限:是,更新存储桶策略
- Created an Amazon S3 bucket with no Bucket Policy
- Uploaded public.jpg and make it public via "Make Public"
- Uploaded private.jpg and kept it private
- Created an Amazon CloudFront web distribution:
- Origin Domain Name: Selected my S3 bucket from the list
- Restrict Bucket Access: Yes
- Origin Access Identity: Create a New Identity
- Grant Read Permissions on Bucket: Yes, Update Bucket Policy
我检查了存储桶,CloudFront添加了与您类似的存储桶策略。
I checked the bucket, and CloudFront had added a Bucket Policy similar to yours.
该分发标记为
进行中一段时间。提示Enabled后,我通过xxx.cloudfront.netURL访问了文件:The distribution was marked as
In Progressfor a while. Once it saidEnabled, I accessed the files via thexxx.cloudfront.netURL:-
xxx.cloudfront.net/public.jpg重定向我到S3网址http://bucketname.s3.amazonaws.com/public.jpg。是的,我可以看到该文件,但不应使用重定向。 -
xxx.cloudfront.net/private.jpg<还对我进行了strong>重定向,但是随后我收到了访问被拒绝,因为它是S3中的私有文件。
xxx.cloudfront.net/public.jpgredirected me to the S3 URLhttp://bucketname.s3.amazonaws.com/public.jpg. Yes, I could see the file, but it should not use a redirect.xxx.cloudfront.net/private.jpgredirected me also, but I then receivedAccess Deniedbecause it is a private file in S3.
然后我做了一些研究,发现这很普遍。有些人通过将CloudFront分配指向静态托管网站URL 来使用变通办法,但是这样做的缺点是,它不能与Origin Access Identity一起使用,而且我还怀疑它不会收到免费的S3流量可以享受最优惠的价格。
I then did some research and found that this is quite a common occurrence. Some people use a workaround by pointing their CloudFront distribution to the static hosted website URL, but this has the disadvantage that it will not work with the Origin Access Identity and I also suspect it won't receive the 'free S3 traffic to the edge' discount.
所以,我等了一夜,今天早上进行了测试,一切正常。
So, I waited overnight, tested it this morning and everything is working fine.
底线:即使显示
ENABLED,事情也可能要花费几个小时(例如过夜)使自己正确。然后它将按文档所述工作。Bottom line: Even if it says
ENABLED, things might take several hours (eg overnight) to get themselves right. It will then work as documented.这篇关于拒绝对S3存储桶的AWS CloudFront访问的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
