Tags: AccessDenied, policy, auth_error; ai_generated: true

AccessDenied: The request could not be satisfied. CloudFront attempted to establish a connection with the origin, but the origin returned a 403 error.

ID: policy/cloudfront-s3-origin-access-identity-invalid

Fix rate: 90%
Confidence: 85%
Evidence: 1
First seen: 2023-06-15

Version Compatibility

Version          Status   Introduced   Deprecated   Notes
AWS CloudFront   active   2024-03
AWS S3           active   2024-03

Root Cause

The S3 bucket policy on the origin does not grant s3:GetObject to the origin access identity (OAI) attached to the CloudFront distribution's origin, so S3 rejects the read with a 403 and CloudFront relays it to the viewer as AccessDenied. The same symptom appears when the policy names a different (stale) OAI ID than the one the origin actually uses.


Official Documentation

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html

Workarounds

  1. 90% success Attach a bucket policy that grants s3:GetObject on the bucket's objects to the CloudFront OAI. The principal is the OAI's IAM-style ARN; E1A2B3C4D5E6 is a placeholder for the OAI ID shown in the CloudFront console or in the distribution config. Example: aws s3api put-bucket-policy --bucket my-bucket --policy '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1A2B3C4D5E6"},"Action":"s3:GetObject","Resource":"arn:aws:s3:::my-bucket/*"}]}'
  2. 85% success Use an Origin Access Control (OAC) instead of the legacy OAI. With OAC the bucket policy does not name a canonical user ID or an OAI ARN: it grants s3:GetObject to the service principal cloudfront.amazonaws.com with a StringEquals condition on AWS:SourceArn equal to the distribution's ARN, so only that one distribution can read the bucket. OAC also supports objects encrypted with SSE-KMS (given a matching KMS key policy), which OAI does not.
  3. 80% success Verify the OAI is actually attached to the origin and that the bucket policy names the same OAI. In the distribution config the origin's S3OriginConfig.OriginAccessIdentity must read origin-access-identity/cloudfront/<ID>, and <ID> must equal the ID at the end of the principal ARN in the bucket policy; a stale ID left over from a deleted or recreated OAI produces exactly this 403. Once the IDs match, two other causes are worth ruling out: S3 answers 403 instead of 404 for a missing object when the principal lacks s3:ListBucket on the bucket, and objects encrypted with SSE-KMS cannot be read through an OAI at all.

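
The three steps above, as an added example (not from the page or from AWS): it renders the OAI policy of step 1 and the OAC policy of step 2, and implements the check of step 3 by comparing a distribution config with a bucket policy. The inputs are constructed to match the JSON shapes returned by `aws cloudfront get-distribution-config` and `aws s3api get-bucket-policy`; the bucket name, the OAI IDs (E1A2B3C4D5E6 from the page, E9Z8Y7X6W5V4 as a stale one) and the distribution ARN are placeholders.

```python
"""Check that a CloudFront S3 origin's access identity matches the bucket
policy, and render the policy that fixes it. Added example; IDs are placeholders."""
import json

OAI_ARN_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "
OAI_ORIGIN_PREFIX = "origin-access-identity/cloudfront/"
CF_SERVICE_PRINCIPAL = "cloudfront.amazonaws.com"


def oai_bucket_policy(bucket, oai_id):
    """Workaround 1: grant s3:GetObject to the (legacy) OAI principal."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCloudFrontOAIRead", "Effect": "Allow",
        "Principal": {"AWS": OAI_ARN_PREFIX + oai_id},
        "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"}]}


def oac_bucket_policy(bucket, distribution_arn):
    """Workaround 2: OAC uses the CloudFront service principal, pinned to one
    distribution by AWS:SourceArn. No canonical user ID or OAI ARN appears."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCloudFrontServicePrincipalRead", "Effect": "Allow",
        "Principal": {"Service": CF_SERVICE_PRINCIPAL},
        "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}}}]}


def load_policy(get_bucket_policy_output):
    """`aws s3api get-bucket-policy` wraps the policy document as a JSON string."""
    return json.loads(get_bucket_policy_output["Policy"])


def _as_list(value):
    return value if isinstance(value, list) else [value]


def read_grants(policy, bucket):
    """Who may GetObject on bucket/*: returns (set of OAI IDs, set of OAC source ARNs)."""
    oai_ids, oac_arns = set(), set()
    for st in policy.get("Statement", []):
        actions = _as_list(st.get("Action", []))
        principal = st.get("Principal", {})
        if (st.get("Effect") != "Allow"
                or not {"s3:GetObject", "s3:*"} & set(actions)
                or f"arn:aws:s3:::{bucket}/*" not in _as_list(st.get("Resource", []))
                or not isinstance(principal, dict)):
            continue  # denies, other actions/resources, or Principal "*"
        for arn in _as_list(principal.get("AWS", [])):
            if arn.startswith(OAI_ARN_PREFIX):
                oai_ids.add(arn[len(OAI_ARN_PREFIX):])
        if CF_SERVICE_PRINCIPAL in _as_list(principal.get("Service", [])):
            cond = st.get("Condition", {}).get("StringEquals", {})
            oac_arns.update(_as_list(cond.get("AWS:SourceArn", [])))
    return oai_ids, oac_arns


def diagnose(dist_config, policy, bucket, distribution_arn):
    """Workaround 3 as code: one finding per S3 origin of `bucket` whose access
    identity is missing from, or does not match, the bucket policy. [] is consistent."""
    oai_ids, oac_arns = read_grants(policy, bucket)
    findings = []
    for origin in dist_config["DistributionConfig"]["Origins"]["Items"]:
        if not origin["DomainName"].startswith(bucket + ".s3"):
            continue  # a different bucket or a custom origin
        oai = origin.get("S3OriginConfig", {}).get("OriginAccessIdentity", "")
        if origin.get("OriginAccessControlId"):
            if distribution_arn not in oac_arns:
                findings.append(f"origin {origin['Id']}: uses OAC but the bucket policy "
                                f"has no {CF_SERVICE_PRINCIPAL} grant with "
                                f"AWS:SourceArn={distribution_arn}")
        elif oai:
            oai_id = oai[len(OAI_ORIGIN_PREFIX):]
            if oai_id not in oai_ids:
                findings.append(f"origin {origin['Id']}: OAI {oai_id} is not granted "
                                f"s3:GetObject (policy grants OAI IDs: "
                                f"{', '.join(sorted(oai_ids)) or 'none'})")
        else:
            findings.append(f"origin {origin['Id']}: no OAI or OAC attached, so S3 "
                            "sees an anonymous request")
    return findings


# Constructed sample: the origin uses OAI E1A2B3C4D5E6 (the page's placeholder),
# but the bucket policy still names a stale OAI, E9Z8Y7X6W5V4.
SAMPLE_BUCKET = "my-bucket"
SAMPLE_DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"
SAMPLE_DIST_CONFIG = {"DistributionConfig": {"Origins": {"Quantity": 1, "Items": [{
    "Id": "s3-my-bucket", "DomainName": "my-bucket.s3.us-east-1.amazonaws.com",
    "OriginAccessControlId": "",
    "S3OriginConfig": {"OriginAccessIdentity": OAI_ORIGIN_PREFIX + "E1A2B3C4D5E6"}}]}}}
SAMPLE_GET_BUCKET_POLICY = {"Policy": json.dumps(oai_bucket_policy(SAMPLE_BUCKET, "E9Z8Y7X6W5V4"))}

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_DIST_CONFIG, load_policy(SAMPLE_GET_BUCKET_POLICY),
                            SAMPLE_BUCKET, SAMPLE_DIST_ARN):
        print("FINDING:", finding)
    print("fix (OAI):", json.dumps(oai_bucket_policy(SAMPLE_BUCKET, "E1A2B3C4D5E6")))
    print("fix (OAC):", json.dumps(oac_bucket_policy(SAMPLE_BUCKET, SAMPLE_DIST_ARN)))
```

Run against the constructed sample it reports the ID mismatch; with the rendered OAI policy applied the same check returns no findings. The OAC branch deliberately tests for the service principal plus SourceArn condition, since an OAC origin with an OAI-style bucket policy fails with the same 403.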

Dead Ends

Common approaches that don't work:

  1. 70% fail

    Opening the bucket to the public exposes every object at its S3 URL, bypasses CloudFront entirely and violates most security baselines. On buckets with S3 Block Public Access enabled (the default for new buckets) such a policy is rejected outright, so the request keeps failing. The grant has to name the OAI specifically.

  2. 50% fail

    Loosening public-access settings is not recommended and grants nothing by itself; the bucket policy still has to contain an Allow statement naming the OAI. Block Public Access does not interfere with that grant, because an OAI ARN is not a public principal.

  3. 80% fail

    Changing or recreating the distribution does not help: the 403 is issued by S3, and the root cause is the missing bucket policy grant, not the distribution setup.