# Access denied: the request could not be satisfied. CloudFront attempted to connect to the origin, but the origin returned a 403 error.

- **ID:** `policy/cloudfront-s3-origin-access-identity-invalid`
- **Domain:** policy
- **Category:** auth_error
- **Error code:** `AccessDenied`
- **Verification level:** ai_generated
- **Fix rate:** 90%

## Root cause

The CloudFront distribution's origin access identity (OAI) has not been granted, in the S3 bucket policy, the permission it needs to read objects, so the origin rejects the request.

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| AWS CloudFront 2024-03 | active | — | — |
| AWS S3 2024-03 | active | — | — |

## Solutions

1. Attach a bucket policy that grants the CloudFront OAI the `s3:GetObject` permission. Example:

   ```
   aws s3api put-bucket-policy --bucket my-bucket --policy '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1A2B3C4D5E6"},"Action":"s3:GetObject","Resource":"arn:aws:s3:::my-bucket/*"}]}'
   ```
2. Use origin access control (OAC) instead of OAI; this requires the bucket policy to reference the OAC's canonical user ID.
3. Verify that the OAI is correctly associated with the CloudFront distribution's origin and that the bucket policy references the correct OAI ARN.
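Before calling `put-bucket-policy`, it helps to confirm that the policy names the exact OAI from the distribution and does not fall back on a public `Principal: "*"` grant. The following check is an added example, not code from this record or from AWS; the bucket name `my-bucket` and OAI id `E1A2B3C4D5E6` are placeholders taken from the example above, and both policy documents are constructed samples.

```python
import json

# Constructed sample bucket policies (placeholder bucket and OAI id, not real values).
OAI_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1A2B3C4D5E6"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::my-bucket/*",
    }],
})
# The "open the bucket to the public" workaround: reads succeed, but for everyone, not only the OAI.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"}],
})


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def oai_principal_arn(oai_id):
    """ARN form an S3 bucket policy uses to name a CloudFront OAI."""
    return f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"


def check_oai_policy(policy_json, bucket, oai_id):
    """Return (ok, findings). ok is True only when an Allow statement grants
    s3:GetObject on the bucket's objects to this exact OAI and no statement
    grants reads to the anonymous ('*') principal."""
    object_arn = f"arn:aws:s3:::{bucket}/*"
    wanted = oai_principal_arn(oai_id)
    findings, granted = [], False
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        reads = any(a in ("s3:GetObject", "s3:Get*", "s3:*", "*") for a in _as_list(st.get("Action", [])))
        covers = any(r in (object_arn, "*") for r in _as_list(st.get("Resource", [])))
        principal = st.get("Principal", {})
        if reads and covers and (principal == "*" or principal == {"AWS": "*"}):
            findings.append("statement grants s3:GetObject to everyone (Principal '*')")
        elif reads and covers and isinstance(principal, dict) and wanted in _as_list(principal.get("AWS", [])):
            granted = True
    if not granted:
        findings.append(f"no Allow statement grants s3:GetObject on {object_arn} to OAI {oai_id}")
    return (granted and not findings, findings)
```

Run it against the policy you are about to attach and the OAI id shown on the distribution's origin; an empty findings list means the grant matches step 1 without the public fallback from the failed attempts below.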

## Failed attempts

- **** — This opens the bucket to the public, which violates security policies and may still not work if the OAI is not the specific principal. (70% failure rate)
- **** — Public access is not recommended and doesn't solve the OAI trust issue; the bucket policy must explicitly allow the OAI. (50% failure rate)
- **** — The root cause is the missing bucket policy, not the distribution setup. (80% failure rate)
