{ "id": "policy/cloudfront-s3-origin-access-identity-invalid", "signature": "AccessDenied: The request could not be satisfied. CloudFront attempted to establish a connection with the origin, but the origin returned a 403 error.", "signature_zh": "访问被拒:无法满足请求。CloudFront 尝试与源建立连接,但源返回了 403 错误。", "regex": "AccessDenied.*CloudFront.*origin.*403", "domain": "policy", "category": "auth_error", "subcategory": null, "root_cause": "CloudFront distribution's origin access identity (OAI) is not granted the required S3 bucket policy permissions to read objects, causing the origin to reject the request.", "root_cause_type": "generic", "root_cause_zh": "CloudFront 分发的源访问身份 (OAI) 未被授予所需的 S3 存储桶策略权限来读取对象,导致源拒绝请求。", "versions": [ { "version": "AWS CloudFront 2024-03", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "AWS S3 2024-03", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" } ], "os_specific": {}, "dead_ends": [ { "action": "", "why_fails": "This opens the bucket to the public, which violates security policies and may still not work if the OAI is not the specific principal.", "fail_rate": 0.7, "condition": "", "sources": [] }, { "action": "", "why_fails": "Public access is not recommended and doesn't solve the OAI trust issue; the bucket policy must explicitly allow the OAI.", "fail_rate": 0.5, "condition": "", "sources": [] }, { "action": "", "why_fails": "The root cause is the missing bucket policy, not the distribution setup.", "fail_rate": 0.8, "condition": "", "sources": [] } ], "workarounds": [ { "action": "Attach a bucket policy that grants s3:GetObject to the CloudFront OAI. Example: aws s3api put-bucket-policy --bucket my-bucket --policy '{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1A2B3C4D5E6\"},\"Action\":\"s3:GetObject\",\"Resource\":\"arn:aws:s3:::my-bucket/*\"}]}'", "success_rate": 0.9, "how": "Attach a bucket policy that grants s3:GetObject to the CloudFront OAI. Example: aws s3api put-bucket-policy --bucket my-bucket --policy '{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1A2B3C4D5E6\"},\"Action\":\"s3:GetObject\",\"Resource\":\"arn:aws:s3:::my-bucket/*\"}]}'", "condition": "", "sources": [] }, { "action": "Use an Origin Access Control (OAC) instead of OAI, which requires a bucket policy with the OAC's canonical user ID.", "success_rate": 0.85, "how": "Use an Origin Access Control (OAC) instead of OAI, which requires a bucket policy with the OAC's canonical user ID.", "condition": "", "sources": [] }, { "action": "Verify the OAI is correctly associated with the CloudFront distribution's origin and the bucket policy references the correct OAI ARN.", "success_rate": 0.8, "how": "Verify the OAI is correctly associated with the CloudFront distribution's origin and the bucket policy references the correct OAI ARN.", "condition": "", "sources": [] } ], "workarounds_zh": [ "附加一个存储桶策略,授予 CloudFront OAI s3:GetObject 权限。示例:aws s3api put-bucket-policy --bucket my-bucket --policy '{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1A2B3C4D5E6\"},\"Action\":\"s3:GetObject\",\"Resource\":\"arn:aws:s3:::my-bucket/*\"}]}'", "使用源访问控制 (OAC) 代替 OAI,需要存储桶策略引用 OAC 的规范用户 ID。", "验证 OAI 是否正确关联到 CloudFront 分发的源,并且存储桶策略引用了正确的 OAI ARN。" ], "transition_graph": { "leads_to": [], "preceded_by": [], "frequently_confused_with": [] }, "official_doc_url": "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html", "official_doc_section": null, "error_code": "AccessDenied", "verification_tier": "ai_generated", "confidence": 0.85, "fix_success_rate": 0.9, "resolvable": "true", "first_seen": "2023-06-15", "last_confirmed": "2024-06-01", "last_updated": "2024-06-01", "evidence_count": 1, "tags": [], "locale": "en", "aliases": [] }