Amazon Cloudfront with S3. Access Denied
Solution 1
If you're accessing the root of your CloudFront distribution, you need to set a default root object: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/DefaultRootObject.html
To specify a default root object using the CloudFront console:
Sign in to the AWS Management Console and open the Amazon CloudFront console at https://console.aws.amazon.com/cloudfront/.
In the list of distributions in the top pane, select the distribution to update.
In the Distribution Details pane, on the General tab, click Edit.
-
In the Edit Distribution dialog box, in the Default Root Object field, enter the file name of the default root object.
Enter only the object name, for example,
index.html
. Do not add a / before the object name. To save your changes, click Yes, Edit.
Solution 2
I've just had the same issue and while Kousha's answer does solve the problem for index.html in the root path, my problem was also with sub-directories as I used those combined with index.html to get "pretty urls" (example.com/something/ rather than "ugly" example.com/something.html)
Partially it's Amazon's fault as well, because when you set up CloudFront distribution, it will offer you S3 buckets to choose from, but if you do choose one of those it will use the bucket URL rather than static website hosting URL as a backend.
So to fix the issue:
- Enable static website hosting for the bucket
- Set the Index (and perhaps Error) document appropriately
- Copy Endpoint URL - you can find it next to the above settings - It should look something like: <bucket.name>.s3-website-<aws-region>.amazonaws.com
- Use that URL as your CloudFront Distribution origin. (This will also make the CF Default Root Object setting unnecessary, but doesn't hurt to set it anyway)
UPDATE Jan '22: you can also fix this by keeping static hosting OFF and adding a CloudFront function to append index.html
. See this post on SO for more information. This allows you to use an OAI and keep the bucket private.
Solution 3
I had the same issue as @Cezz, though the solution would not work in my case.
As soon as static website hosting is enabled for the bucket, it means users can access the content either via the Cloudfront URL, or the S3 URL, which is not always desirable. For example, in my case, the Cloudfront distribution is SSL enabled, and users should not be able to access it over a non-SSL connection.
The solution I found was to:
- keep static website hosting disabled on the S3 bucket
- keep the Cloudfront distribution origin as an S3 ID
- set "Restrict Bucket Access" to "Yes" (and for ease, allow CloudFront to automatically update the bucket policy)
- on "Error Pages", create a custom response, and map error code "403: Forbidden" to the desired response page i.e. /index.html, with a response code of 200
Note though that in my case, I'm serving a single page javascript application where all paths are resolved by index.html. If you've paths that resolve to different objects in your S3 bucket, this will not work.
Solution 4
In my case I was using multiple origins with "Path Pattern" Behaviors along with an Origin Path in my S3 bucket:
Bad setup:
CloudFront Behavior:
/images/*
-> My-S3-origin
My-S3-origin:
Origin Path: /images
S3 files: /images/my-image.jpg
GET Request: /images/my-image.jpg -> 403
What was happening was the entire CloudFront GET request gets sent to the origin: /image/my-image.jpg
prefixed by Origin Path: /images
, so the request into S3 looks like /images/images/my-image.jpg
which doesn't exist.
Solution
remove Origin Path.
This allowed me to access the bucket with an origin access identity and bucket permissions and individual file permissions restricted.
Solution 5
My issue was that I had turned website hosting off and had to change the origin name from the website path to the normal non-website one. That had removed the origin access identity. I put that back and everything worked fine.
Related videos on Youtube
Jordan Adams
Updated on September 18, 2022Comments
-
Jordan Adams over 1 year
We're trying to distribute out S3 buckets via Cloudfront but for some reason the only response is an AccessDenied XML document like the following:
<Error> <Code>AccessDenied</Code> <Message>Access Denied</Message> <RequestId>89F25EB47DDA64D5</RequestId> <HostId>Z2xAduhEswbdBqTB/cgCggm/jVG24dPZjy1GScs9ak0w95rF4I0SnDnJrUKHHQC</HostId> </Error>
Here's the setting's we're using:
And here's the policy for the bucket
{ "Version": "2008-10-17", "Id": "PolicyForCloudFrontPrivateContent", "Statement": [ { "Sid": "1", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity *********" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::x***-logos/*" } ] }
-
Jordan Adams about 10 yearsCache Behavior Settings - imgur.com/JBZqrRm
-
Nathan C about 10 yearsMake sure Cloudfront can read from the S3 bucket.
-
Jordan Adams about 10 yearsHow would I enable or check this?
-
Nathan C about 10 yearsOrigin settings, last option. See your screenshot. :)
-
Jordan Adams about 10 yearsI think I tried this earlier and it didn't work but I've just changed it again and it's in the process of distributing. I'll add the bucket's policy to my post :)
-
Flup about 10 yearsHave you set permissions on the objects to 'Everyone' -> 'read/download'?
-
Jordan Adams about 10 yearsI have yeah. They can be accessed fine via their S3 link. Just not via Cloudfront
-
That1Guy over 9 yearsHave you found a solution to this?
-
Jordan Adams over 9 yearsI haven't no. We moved away from AWS when they attempted to stiff us out of a ridiculous $600 for using a custom domain on Cloudfront.
-
tedder42 over 9 years$600 is for a HTTPS domain if you need more coverage than SNI. In any case, the "origin domain name" needs to be the website URL, such as bucketname.s3-website-us-east-1.amazonaws.com.
-
mayankcpdixit over 4 yearsadd
/index.html
in your url & check?
-
-
Ivan over 6 yearsThis was really helpful, the forbidden message comes from S3 which I didn't realize at first, so you have to catch that with a custom error page so your SPA works.
-
Sai Ramachandran almost 6 yearsPerfect answer as of the date on this comment.
-
Günther Eberl over 5 yearsThat was it for me as well. I already had another website working and thought I configured the new one identically. So easy to overlook this.
-
Georges over 5 yearsYou also need to add public GetObject and ListObjects permissions to the bucket.
-
KurioZ7 almost 5 yearsIn my case, this setting has not resolved the issue. I am still getting Access Denied error
-
Ryan over 4 years@Georges how do you add public GetObject and ListObjects permissions to the bucket?
-
sledgeweight about 4 yearsoh god, why is this not in with any of the aws knowledge answers surrounding this topic! Thank you
-
thinkmassive almost 4 yearsOn a related note, I had a CloudFront Distribution with two origins: set Cloudfront to
/video/*
-> My-S3- -
Kaka Ruto almost 4 years@Ryan you can check here docs.aws.amazon.com/AmazonS3/latest/dev/…
-
Erik Aronesty almost 4 yearsYeah, that was it for me. The default bucket URL doesn't work well. Needs to say "custom origin". For more info see this post: forums.aws.amazon.com/message.jspa?messageID=314454
-
shearn89 over 2 yearsHi user2242291! Can you clarify how this builds on the other accepted answers?
-
zoltanctoth about 2 yearsFor me, the Alternative Domain configuration needed to be set to my domain name in the CloudFront configuration to resolve this issue.
-
AArias about 2 yearsThis works for spas (eg react apps) withouts exposing the s3 bucket. Thank you.
-
TommyLeong about 2 yearsWorks in my case after specifying
index.html
as default root object, thanks!