Access Denied (403) with ordered cache in Cloudfront s3 distribution - McMap

About

Access Denied (403) with ordered cache in Cloudfront s3 distribution

Asked 6/9, 2020 at 5:40 Answered 7/9, 2020 at 12:31

Solved amazon-web-services amazon-s3 amazon-cloudfront http-status-code-403

B

1

2

I am trying to add multiorigin setup with cloudfront with ordered cache behaviour. Here is what i want to achieve(given my baseurl is https://example.com/

https://example.com/ shows index.html from root bucket.(root_app)
https://example.com/app2 shows index.html from another bucket (app2)

For this, I created a CF s3 distribution with two origins (root, app2) pointing to two different buckets. In the cache behavior, I have created ordered cache behavior to route all traffic with path "app2*" to app2 origin.

With this setup https://example.com/ is landing me to root_app but https://example.com/app2 is throwing below error

<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>E1C4FA78C620F166</RequestId>
<HostId>nwVnR036HRHWVwiQoEoJQaj9A/Mf975SUYOoiYrgX8JasQCEWRrEeNTvBM5y327gZzcfCLksCDY=</HostId>
</Error>

I see below http response headers in the browser for above request

content-type: application/xml
date: Sun, 06 Sep 2020 06:34:06 GMT
server: AmazonS3
status: 403
via: 1.1 45645ff3269a2b885ffa1653e827d0f7.cloudfront.net (CloudFront)
x-amz-cf-id: vVTtxpNxuilWppQ2mskMvN-p7fbNBM8DqHvVYQMYV8-kH-4GVtRHNw==
x-amz-cf-pop: SFO20-C1
x-cache: Error from cloudfront

Any idea what's wrong with this flow?

Bunnell answered 6/9, 2020 at 5:40 Comment(3)

Seems the second bucket denies the access. Is it set to public with bucket policy, or how did you set it up? – Rhiana 6/9, 2020 at 5:58

It is set to allow public access. index.html file is also public. – Bunnell 6/9, 2020 at 6:25

@Bunnell review the S3 logs for both buckets to find the request coming in from CloudFront. – Bocage 6/9, 2020 at 15:18

N

4

The problem is how CloudFront routing works. When there is a request to example.com/app2, then it forwards the request to <bucket2>/app2 instead of <bucket2>. You see this error because it's not the index.html you'd expect.

You can move the files in bucket2 into an app2 folder and then change the path pattern to /app2/*. This way the request to example.com/app2/ will go to <bucket2>/app2/ which is where your files are.

Alternatively, you can use Lambda@Edge to rewrite the origin request path for every request going to bucket2. I wrote an article how to solve a similar case.

Newmown answered 7/9, 2020 at 12:31 Comment(1)

Thanks @Tamas Though, not what i expected but That did work. (creating folder for path in second bucket). As you said Lambda@Edge is an option here and that is the one i will prefer to go with. I read the doc and found Lambda URl rewrite to be a long term solution that can fit in terraform flow. – Bunnell 8/9, 2020 at 4:24

Recommended topics

#Godot #Unity #Godot 4.X #Mongodb

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

© 2022 - 2024 — McMap. All rights reserved.