访问被拒:无法满足请求。CloudFront 尝试与源建立连接,但源返回了 403 错误。
AccessDenied: The request could not be satisfied. CloudFront attempted to establish a connection with the origin, but the origin returned a 403 error.
ID: policy/cloudfront-s3-origin-access-identity-invalid
版本兼容性
| 版本 | 状态 | 引入 | 弃用 | 备注 |
|---|---|---|---|---|
| AWS CloudFront 2024-03 | active | — | — | — |
| AWS S3 2024-03 | active | — | — | — |
根因分析
CloudFront 分发的源访问身份 (OAI) 未被授予所需的 S3 存储桶策略权限来读取对象,导致源拒绝请求。
English
CloudFront distribution's origin access identity (OAI) is not granted the required S3 bucket policy permissions to read objects, causing the origin to reject the request.
官方文档
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html解决方案
-
附加一个存储桶策略,授予 CloudFront OAI s3:GetObject 权限。示例:aws s3api put-bucket-policy --bucket my-bucket --policy '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1A2B3C4D5E6"},"Action":"s3:GetObject","Resource":"arn:aws:s3:::my-bucket/*"}]}' -
使用源访问控制 (OAC) 代替 OAI,需要存储桶策略引用 OAC 的规范用户 ID。
-
验证 OAI 是否正确关联到 CloudFront 分发的源,并且存储桶策略引用了正确的 OAI ARN。
无效尝试
常见但无效的做法:
-
70% 失败
This opens the bucket to the public, which violates security policies and may still not work if the OAI is not the specific principal.
-
50% 失败
Public access is not recommended and doesn't solve the OAI trust issue; the bucket policy must explicitly allow the OAI.
-
80% 失败
The root cause is the missing bucket policy, not the distribution setup.