
I have a cloudfront distribution that is working fine with an S3 origin.

After adding a second origin, I also add a new cache behaviour so I would get:

  • first.domain.com: goes to the first origin (via the default * cache behaviour path)
  • first.domain.com/elsewhere: goes to the new origin (via a new elsewhere/* cache behaviour path)

I feel something may be wrong or missing, but can't tell from the docs what it could be.

After reading these answers:

I still can't figure out what is not working. I enabled the S3 logs but they can take hours to update.

Any help is appreciated!

The error I get after hitting the second URL is:

"response": {
  "status": 403,
  "statusText": "",
  "httpVersion": "http/2.0",
  "headers": [
    {
      "name": "status",
      "value": "403"
    },
    {
      "name": "content-type",
      "value": "application/xml"
    },
    {
      "name": "date",
      "value": "Fri, 17 Aug 2018 03:28:54 GMT"
    },
    {
      "name": "server",
      "value": "AmazonS3"
    },
    {
      "name": "x-cache",
      "value": "Error from cloudfront"
    },
    {
      "name": "via",
      "value": "1.1 275132367c30f17c9825826491390fe3.cloudfront.net (CloudFront)"
    },
    {
      "name": "x-amz-cf-id",
      "value": "Ag_JzYYNMVJLMlz9Dd8yDgS1qDCRFlihzlCauDXOE0-fojAPQLQNQQ=="
    }
  ]
}

It would seem that the dist has no access, but I did the same OAID as with the first origin, I checked the bucket permissions allow the OAID, and the first origin is working fine.

Maybe it's some slow propagation issue about adding an S3 origin?

Efren
  • Note that your `/elsewhere/*` cache behavior will be expecting the object keys in bucket 2 to also begin with `elsewhere/`... the *complete* path is sent to the bucket, so you may not be requesting the object you intend. – Michael - sqlbot Aug 17 '18 at 06:55
  • S3 access logs would be the first thing to do. They shouldn't take hours. – Michael - sqlbot Aug 17 '18 at 06:57
  • Notice that if you don't allow `s3:listBucket` in the bucket policy, and you request an object that doesn't exist you will get 403 (Not Authorized) instead of 404 (Not Found). Bucket policies update immediately (within seconds) in my experience. – cementblocks Aug 18 '18 at 01:31
  • Thanks @Michael-sqlbot, I confirmed the path was the issue, I'll do some changes to confirm it will work. Logs may not take hours, but can take 1 hour as they are periodically synchronised according to the [docs](https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html#LogDeliveryBestEffort) – Efren Aug 20 '18 at 01:20
  • Hi @cementblocks, the policy was working before with the bucket, and only seems to need `s3:GetObject`, through the bucket policy adding the OAID – Efren Aug 20 '18 at 01:38
  • Hi @Michael-sqlbot, it seems to load the page now, but not really sure it goes to the bucket's subfolder. I will wait for the logs. If wanting to serve 2 different pages from the same bucket, would this be a reasonable way to do it? Maybe I should just make another distribution. – Efren Aug 20 '18 at 01:47
  • Hi @Michael-sqlbot, the issue was the paths then, do you want to answer to mark it? – Efren Aug 22 '18 at 02:22
  • Same problem here. First origin works fine, any other origin in the same distribution gives me access denied. Did you ever figure this out? – zumzum Oct 14 '20 at 02:27
  • Access denied seems like a different issue. Is it an S3 access deny error? Maybe check the bucket policy; for the same issue, please refer to the comments on the path. – Efren Oct 14 '20 at 07:08
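
An added example, not code from the question, the comments or AWS, that models the two points the comments raise: CloudFront forwards the complete request path to the origin, so an `elsewhere/*` behaviour asks bucket 2 for keys that begin with `elsewhere/`, and S3 answers 403 rather than 404 for a missing key when `s3:ListBucket` is not granted to the origin access identity. The bucket names, bucket contents and behaviour order are constructed.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass
class Origin:
    name: str
    keys: frozenset            # object keys present in the bucket (constructed sample)
    list_bucket: bool = False  # does the bucket policy grant s3:ListBucket to the OAI?

@dataclass
class Behaviour:
    path_pattern: str          # e.g. "elsewhere/*"; the default behaviour is "*"
    origin: Origin

def select_behaviour(behaviours, uri):
    """CloudFront tries path patterns in order and uses the first match,
    so the default '*' behaviour must be listed last."""
    path = uri.lstrip("/")
    for b in behaviours:
        if fnmatchcase(path, b.path_pattern):
            return b
    raise ValueError("no behaviour matched; a default '*' behaviour is required")

def origin_key(uri):
    """The complete request path is forwarded; the path-pattern prefix is NOT
    stripped, so /elsewhere/x is requested from the bucket as key 'elsewhere/x'."""
    return uri.lstrip("/")

def s3_status(origin, key):
    """S3 returns 200 for an existing key. For a missing key it returns 404 only
    when the caller holds s3:ListBucket; otherwise it returns 403, which is easy
    to misread as a broken OAI grant."""
    if key in origin.keys:
        return 200
    return 404 if origin.list_bucket else 403

def fetch(behaviours, uri):
    """Return (origin name, key requested at the origin, HTTP status)."""
    b = select_behaviour(behaviours, uri)
    key = origin_key(uri)
    return b.origin.name, key, s3_status(b.origin, key)

# Constructed setup mirroring the question: bucket 2 stores its page at the
# bucket root instead of under an 'elsewhere/' prefix, so the forwarded key misses.
BUCKET1 = Origin("bucket-1", frozenset({"index.html"}))
BUCKET2_FLAT = Origin("bucket-2", frozenset({"index.html"}))
BUCKET2_PREFIXED = Origin("bucket-2", frozenset({"elsewhere/index.html"}))
BEHAVIOURS_BROKEN = [Behaviour("elsewhere/*", BUCKET2_FLAT), Behaviour("*", BUCKET1)]
BEHAVIOURS_FIXED = [Behaviour("elsewhere/*", BUCKET2_PREFIXED), Behaviour("*", BUCKET1)]
```

Granting `s3:ListBucket` to the OAI turns the misleading 403 into a 404, which makes a wrong key layout much faster to spot in the S3 access logs.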

0 Answers