How to resolve "specified origin access identity does not exist or is not valid"
I have a problem with these lines in my serverless.yml file. I am using the Serverless plugin serverless-single-page-app-plugin.

    # CustomOriginConfig:
    #   HTTPPort: 80
    #   HTTPSPort: 443
    #   OriginProtocolPolicy: https-only
    ## In case you want to restrict the bucket access use S3OriginConfig and remove CustomOriginConfig
    S3OriginConfig:
      OriginAccessIdentity: origin-access-identity/cloudfront/E127EXAMPLE51Z

I want to use S3OriginConfig and disable access through the S3 bucket. I can do this manually. But I want to get the effect as in the picture below:

AWS Console config

Morello answered 3/4, 2019 at 13:13 Comment(1)
Did you solve this? - Neiman
You might have solved it as you asked your question long back, but this might help if you didn't. I too faced the same issue and, after some research through the AWS documentation, I got to know how to use the required attributes. Below are the points to be considered regarding your question.

  1. As your origin is an Amazon S3 bucket, you should use S3OriginConfig in the Distribution.
  2. If a new OAI is required, then you have to create a CloudFrontOriginAccessIdentity resource and reference the OAI and its S3CanonicalUserId attribute from the CloudFront Distribution and S3 BucketPolicy resources respectively.

Please find the below snippet in response to your question.

WebAppDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true   # Enabled and DefaultCacheBehavior are required by CloudFormation; minimal values shown
        DefaultCacheBehavior:
          TargetOriginId: 'WebApp'
          ViewerProtocolPolicy: redirect-to-https
          ForwardedValues:
            QueryString: false
        Origins:
          - DomainName: 'passport-front.s3.amazonaws.com'
            Id: 'WebApp'
            # S3OriginConfig, not CustomOriginConfig, is what carries the OAI
            S3OriginConfig:
              OriginAccessIdentity: !Join ['', ['origin-access-identity/cloudfront/', !Ref CloudFrontOAI]]
CloudFrontOAI:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: 'access-identity-passport-front.s3.amazonaws.com'
WebAppBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: "Retain"
    Properties:
      # Private rather than PublicRead: the point of the OAI is that only CloudFront can read the objects
      AccessControl: Private
      BucketName: "passport-front"
WebAppBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref WebAppBucket
      PolicyDocument:
        Statement:
        - Action: s3:GetObject
          Effect: Allow
          Principal:
            # Grants read access to the OAI's canonical user only
            CanonicalUser: !GetAtt CloudFrontOAI.S3CanonicalUserId
          Resource: !Join ['', ['arn:aws:s3:::', !Ref 'WebAppBucket', '/*']]

References: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-cloudfront.html

Manton answered 26/10, 2019 at 5:3 Comment(1)
If the S3 bucket is being used as a static website, you have to use "CustomOriginConfig", which then begs the question: how do we associate the OAI with the distribution? - Lamere
In case it helps. OAIs are now deprecated in favor of Origin Access Controls (OAC). If you use an OAC, you still have to specify S3OriginConfig, but you put an empty string for the OAI value. The following is a valid DistributionConfig for a non-website S3 bucket:

import com.amazonaws.services.cloudfront.AmazonCloudFront;
import com.amazonaws.services.cloudfront.model.*;
import java.util.List;

// AWS SDK for Java v1. cloudFrontClient is an initialised AmazonCloudFront client, prepareDistributionAliases
// is the answerer's own helper (not shown here) and accessControlId is the id of the OAC created further below.
CreateDistributionResult createDistribution(AmazonCloudFront cloudFrontClient, String bucketName, String bucketRegion,
        String domainName, String subDomainName, String certificateArn, String accessControlId) {
    // REST endpoint of the bucket, not the static-website endpoint: OAC only signs requests to the REST endpoint
    String bucketWebsiteEndpoint = String.format("%s.s3.%s.amazonaws.com", bucketName, bucketRegion.toLowerCase());
    List<String> distributionAliases = prepareDistributionAliases(domainName, subDomainName);
    // Create CloudFront distribution configuration
    DistributionConfig distributionConfig = new DistributionConfig()
            .withAliases(new Aliases().withItems(distributionAliases).withQuantity(distributionAliases.size()))
            .withCallerReference(String.valueOf(System.currentTimeMillis())) // Unique reference
            .withComment("CloudFront distribution for " + domainName)
            .withDefaultCacheBehavior(new DefaultCacheBehavior()
                    .withTargetOriginId(bucketWebsiteEndpoint)
                    .withAllowedMethods(new AllowedMethods()
                            .withQuantity(2)
                            .withItems(Method.GET, Method.HEAD)
                            .withCachedMethods(new CachedMethods()
                                    .withQuantity(2)
                                    .withItems(Method.GET, Method.HEAD)))
                    .withForwardedValues(new ForwardedValues()
                            .withQueryString(true)
                            .withCookies(new CookiePreference().withForward("none")))
                    // Set once: the original first set AllowAll and then overrode it with RedirectToHttps
                    .withViewerProtocolPolicy(ViewerProtocolPolicy.RedirectToHttps)
                    .withMinTTL(0L)
                    .withDefaultTTL(86400L) // 1 day
                    .withMaxTTL(31536000L)) // 1 year
            .withEnabled(true)
            .withPriceClass(PriceClass.PriceClass_All)
            .withViewerCertificate(new ViewerCertificate()
                    .withACMCertificateArn(certificateArn)
                    .withMinimumProtocolVersion(MinimumProtocolVersion.TLSv12_2021)
                    .withSSLSupportMethod(SSLSupportMethod.SniOnly))
            .withOrigins(new Origins()
                    .withItems(new Origin()
                            .withId(bucketWebsiteEndpoint)
                            .withDomainName(bucketWebsiteEndpoint) // Use the bucket's endpoint
                            .withConnectionAttempts(3)
                            .withConnectionTimeout(10)
                            // With OAC the S3OriginConfig is still required, but the OAI value is an empty string
                            .withS3OriginConfig(new S3OriginConfig().withOriginAccessIdentity(""))
                            .withOriginAccessControlId(accessControlId))
                    .withQuantity(1));
    CreateDistributionRequest createDistributionRequest = new CreateDistributionRequest()
            .withDistributionConfig(distributionConfig);

    // Create CloudFront distribution
    return cloudFrontClient.createDistribution(createDistributionRequest);
}

And this is how you would create the OAC:

// Creates the OAC; result.getOriginAccessControl().getId() is the accessControlId used above
CreateOriginAccessControlResult createOriginAccessControl(AmazonCloudFront cloudFrontClient, String bucketName,
        String bucketRegion) {
    String bucketWebsiteEndpoint = String.format("%s.s3.%s.amazonaws.com", bucketName, bucketRegion.toLowerCase());
    // create origin access control: CloudFront signs every request to the origin with SigV4
    CreateOriginAccessControlRequest createOriginAccessControlRequest = new CreateOriginAccessControlRequest()
            .withOriginAccessControlConfig(new OriginAccessControlConfig()
                    .withOriginAccessControlOriginType(OriginAccessControlOriginTypes.S3)
                    .withName(bucketWebsiteEndpoint)
                    .withDescription("Origin access control for " + bucketWebsiteEndpoint)
                    .withSigningBehavior(OriginAccessControlSigningBehaviors.Always)
                    .withSigningProtocol(OriginAccessControlSigningProtocols.Sigv4));
    return cloudFrontClient.createOriginAccessControl(createOriginAccessControlRequest);
}
Relief answered 7/11, 2023 at 7:37 Comment(0)
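Neither answer shows how to confirm that the bucket really is closed to everyone except CloudFront once the OAI (first answer) or the OAC (second answer) is in place. The following is an added example, not code from either answer: it builds the bucket policy an OAC needs (the CloudFront service principal, scoped to a single distribution with an AWS:SourceArn condition) and classifies the grants in a bucket policy document so that a public statement or an unscoped service-principal grant is caught. The bucket name passport-front comes from the first answer; the distribution ARN and canonical user id are constructed placeholders.

```python
CLOUDFRONT_SERVICE = "cloudfront.amazonaws.com"
# Placeholder distribution ARN: account id and distribution id are constructed, not real
DIST_ARN = "arn:aws:cloudfront::123456789012:distribution/EDFDVBD6EXAMPLE"


def oac_bucket_policy(bucket, distribution_arn):
    """Bucket policy for OAC: only CloudFront, and only this distribution, may read objects."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCloudFrontServicePrincipalReadOnly",
        "Effect": "Allow",
        "Principal": {"Service": CLOUDFRONT_SERVICE},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
    }]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def classify_statement(stmt, distribution_arn):
    """Label one statement: public, oai, oac, oac-unscoped (SourceArn missing or different) or other."""
    if stmt.get("Effect") != "Allow":
        return "other"
    principal = stmt.get("Principal", {})
    if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))):
        return "public"
    if isinstance(principal, dict) and "CanonicalUser" in principal:
        return "oai"  # the OAI pattern from the CloudFormation answer
    if isinstance(principal, dict) and CLOUDFRONT_SERVICE in _as_list(principal.get("Service", [])):
        source = stmt.get("Condition", {}).get("StringEquals", {}).get("AWS:SourceArn")
        return "oac" if source and distribution_arn in _as_list(source) else "oac-unscoped"
    return "other"


def audit_bucket_policy(policy, distribution_arn):
    """Sorted grant kinds found; anything other than ['oai'] or ['oac'] means the bucket is not locked to CloudFront."""
    return sorted({classify_statement(s, distribution_arn) for s in _as_list(policy.get("Statement", []))})


# Constructed sample: what the OAI bucket policy from the CloudFormation answer renders to
OAI_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:GetObject",
    "Principal": {"CanonicalUser": "PLACEHOLDER_CANONICAL_USER_ID"},
    "Resource": "arn:aws:s3:::passport-front/*"}]}
# Constructed sample: a policy that still lets anyone read the objects, which defeats both OAI and OAC
PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:GetObject", "Principal": "*",
    "Resource": "arn:aws:s3:::passport-front/*"}]}
```

Run audit_bucket_policy over the JSON returned by get-bucket-policy with the ARN of the distribution that is meant to front the bucket; a result containing "public" or "oac-unscoped" means other readers (or other distributions) can still fetch the objects.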

© 2022 - 2024 — McMap. All rights reserved.