Cloudfront 403 error while accessing files uploaded by another account

Question

I have a Cloudfront distribution which takes one of my s3 buckets as its origin server. The files are uploaded to s3 by a third party attachment uploader.

When I try to access the file in s3 via cloudfront I am getting a 403 Forbidden error with an Access Denied XML (as below). But when I manually upload files to the s3 bucket I am able to access the file via cloudfront.

The permission for both the files are same except the owner of the file. For the file uploaded by me manually the owner, of the file is my account and for the file uploaded by the uploader, it is the uploader. The third party attachment uploader gives full access of the object to the bucket owner. Also, I have restricted bucket access but not viewer access.

What are the reasons which can cause this error? How do I go about debugging this?

When you upload the object to S3 bucket does that object becomes public? — Piyush Patil, Sep 22 '16 at 11:58
I believe not. The permissions are for the account with which I uploaded. — Syed Suhail Ahmed, Sep 22 '16 at 12:19
For the object the permissions are via acl. For the 3rd party widget that uploads the file I have a bucket policy. — Syed Suhail Ahmed, Sep 26 '16 at 04:54

score 5 · Answer 1 · answered Mar 07 '17 at 15:28

When a second AWS account uploads content to an S3 bucket serving content via CloudFront with OAI, the uploaded file needs to have the OAI canonical ID added with the --grant read=id="OAI-canonical-ID" when the file is uploade; also add the S3 bucket owner as a grant full=id="BucketOwnerID". The aws cli was used to perform the uploaded. Adjust according for the method that is used. When the file is viewed in the S3 bucket, the permissions will have CloudFront listed as a grantee. The file should be readable via CloudFront.

score 4 · Answer 2 · answered Sep 22 '16 at 12:58

4

It is possible that the "Access Denied" response you are receiving is a response from S3 that is cached by CloudFront from before the object was available in S3.

For example, if you try the CloudFront URL and the file does not exist in S3, then you'll get the "Access Denied" response. Even after uploading the file, CloudFront will have the "Access Denied" response cached until the end of the TTL. During this time, you will continue to receive the "Access Denied" response.

Try invalidating the distribution. After that, request the file and see if you get the correct response.

If this solves the problem, then you need to figure out how to avoid requesting the object from CloudFront before it exists in S3.

answered Sep 22 '16 at 12:58

Matt Houser

33,983
6
70
88

2

The error caching minimum TTL [can be set to 0](http://stackoverflow.com/a/35541525/1695906), disabling this behavior, if this is the cause. I would be inclined to think the 3rd party is failing to (or was not configured to) specify [`x-amz-acl: bucket-owner-full-control`](http://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl), or another appropriate value with the upload, which would prevent the CloudFront origin access identity (assuming one is being used) from accessing the object. – Michael - sqlbot Sep 22 '16 at 17:24
I added the cloudfront distribution after the files were uploaded in s3. So I do not think that could be the problem. – Syed Suhail Ahmed Sep 23 '16 at 05:02
Thank you so so much @Michael-sqlbot This was it. Your comment should be the answer! – jpincheira Jul 23 '18 at 12:38

Cloudfront 403 error while accessing files uploaded by another account

2 Answers2