
I'm looking for a solution to update dynamically my S3 files ACLs and that it propagates instantly to Cloudfront.

So far I can update the ACL on S3 but if I set a file private it will still be accessible via Cloudfront publicly and the other way around.

I am using the S3 PHP SDK to do so.

Set file as public

require_once 'S3.php'; // load the S3 class used below (assumes it lives in S3.php)

$s3 = new S3($awsAccessKey, $awsSecretKey);
if (($acp = S3::getAccessControlPolicy($bucket, $uri)) !== false) {
    // append a READ grant for the AllUsers group, which makes the object world-readable
    $acp["acl"][] = array(
        "type"       => "Group",
        "uri"        => "http://acs.amazonaws.com/groups/global/AllUsers",
        "permission" => "READ"
    );
    if (S3::setAccessControlPolicy($bucket, $uri, $acp)) {
        echo "true";
    }
}

Set file as private

require_once 'S3.php'; // load the S3 class used below (assumes it lives in S3.php)

$s3 = new S3($awsAccessKey, $awsSecretKey);
if (($acp = S3::getAccessControlPolicy($bucket, $uri)) !== false) {
    // drop every grant held by the AllUsers group; the owner's grants stay untouched
    foreach ($acp['acl'] as $key => $val) {
        if (isset($val['uri']) &&
            $val['uri'] == 'http://acs.amazonaws.com/groups/global/AllUsers') {
            unset($acp['acl'][$key]);
        }
    }
    if (S3::setAccessControlPolicy($bucket, $uri, $acp)) {
        echo "true";
    }
}

I have read that to update a file you have to send an invalidation request to CloudFront (see: Force CloudFront distribution/file update).

I haven't tried it, but before I do, I would like to know if this is the right solution. I've also read that it might take 15 min to update. Isn't there any way to make it instantaneous?

Thanks!

Tristan

1 Answer


Actually, from looking at your source code, you're not using the S3 support in the official AWS SDK for PHP — you're probably using the Undesigned S3 class, which is maintained by a third-party developer. Just in case you didn't know. :)

Now, to your question:

Since CloudFront is a cache, it won't instantly pick up the changes you make in S3 until you clear that cache. So yes, the first step is to make your changes to the S3 object, and the second is to issue an invalidation request to CloudFront instructing it to clear the cache.

I've personally seen CloudFront take anywhere from 3-15 minutes to complete an invalidation. If you look at the list of CloudFront edge locations, I currently count 36 edge locations spread across North America, Europe, Asia/Pacific and South America. CloudFront has to go around to each and every edge location and make sure that the cache is cleared for the objects you're invalidating.

"Isn't there any way to make it instantaneous?"

At present? No.

I'm sure it moves as quickly as it can, though. :)

Ryan Parman
Thank you, I had figured it out meanwhile, but I still find it a pity that we can't edit the ACL directly in CloudFront without having to issue an invalidation. – Tristan Oct 05 '12 at 11:55
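The two-step flow the answer describes (change the object's ACL in S3, then invalidate that object's path in CloudFront), as an added example that is not part of the original thread. It is written for boto3 rather than the PHP class in the question; the bucket, key and distribution id are constructed placeholders, and FakeAwsClient stands in for the real clients so the flow runs offline.

```python
import uuid

# Group URI that the question's PHP code adds and removes; ids below are constructed placeholders.
ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"


def invalidation_batch(keys):
    """Build the InvalidationBatch CloudFront expects: each path starts with '/'
    and CallerReference must be unique per request or the call is rejected."""
    paths = ["/" + k.lstrip("/") for k in keys]
    return {"Paths": {"Quantity": len(paths), "Items": paths},
            "CallerReference": "acl-change-" + uuid.uuid4().hex}


def set_public_and_invalidate(s3, cf, bucket, key, distribution_id, public):
    """Step 1: change the object ACL in S3 (a canned ACL replaces the whole grant
    list, unlike the PHP above which edits one grant).  Step 2: ask CloudFront to
    drop its cached copy; until then the old copy keeps being served from the edges.
    Returns the invalidation id and its initial status (normally 'InProgress')."""
    s3.put_object_acl(Bucket=bucket, Key=key, ACL="public-read" if public else "private")
    resp = cf.create_invalidation(DistributionId=distribution_id,
                                  InvalidationBatch=invalidation_batch([key]))
    return resp["Invalidation"]["Id"], resp["Invalidation"]["Status"]


def is_public(acl_response):
    """Check a get_object_acl response: True if AllUsers holds a READ grant."""
    return any(g.get("Grantee", {}).get("URI") == ALL_USERS_URI and g.get("Permission") == "READ"
               for g in acl_response.get("Grants", []))


class FakeAwsClient:
    """Constructed stand-in for boto3 clients: records calls, returns a canned response."""
    def __init__(self):
        self.calls = []

    def put_object_acl(self, **kwargs):
        self.calls.append(("put_object_acl", kwargs))

    def create_invalidation(self, **kwargs):
        self.calls.append(("create_invalidation", kwargs))
        return {"Invalidation": {"Id": "I2J0EXAMPLE", "Status": "InProgress"}}


if __name__ == "__main__":
    # With real AWS: s3 = boto3.client("s3"); cf = boto3.client("cloudfront")
    s3, cf = FakeAwsClient(), FakeAwsClient()
    print(set_public_and_invalidate(s3, cf, "example-bucket", "docs/report.pdf",
                                    "EDFDVBD6EXAMPLE", public=False))
```

The invalidation still takes the minutes the answer mentions, so poll its status (boto3 offers a `get_waiter("invalidation_completed")` for this) before treating the ACL change as live at the edges.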