8

I have one account with privileges to manage S3 (S3_User), and another one to manage CloudFront (Cloud_Front_User).

Now, I've created a bucket "bucketname" with S3_User and a distribution with Cloud_Front_User with my S3 bucket as its origin.

When I tried to access a resource through CloudFront I get this:

<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>555667558C0B2698</RequestId>
<HostId>
QP0y2/XTsJqItm815aDsdoLTF853zMeEPUAykvxjzdFfU1WwfXHioa6CeLWmc96RDVJopBu+eLE=
</HostId>
</Error>

I've set this: http://cl.ly/image/1s0I1H3A3p1N

but when I click on "Save", after some time I get an error message saying that it wasn't able to set identity on the S3 bucket. I think this is because I manage CloudFront with "Cloud_Front_User" and S3 with "S3_User". So, how could I manually set an S3 policy on the bucket to allow CloudFront to access S3?

S3 Bucket policy

{
    "Version": "2012-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": " Grant a CloudFront Origin Identity access to support private content",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E780000000000"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::socialacademy/*"
        }
    ]
}


sparkle

2 Answers

2

Resolved by changing my URL

FROM

http://ID.cloudfront.net/bucket/uploads/academy/logo/1/logo.jpg

TO

http://ID.cloudfront.net/uploads/academy/logo/1/logo.jpg

sparkle
0

See this solution:

https://havecamerawilltravel.com/photographer/how-allow-public-access-amazon-bucket

How to Allow Public Access to an Amazon S3 Bucket

If you're trying to allow anyone to download or open files in an Amazon S3 Bucket, here's how to do it.

amazon web services

  1. Copy and paste this code in the Bucket Policy Editor popup. You’ll need to replace “YOUR-BUCKET-NAME” with your full bucket name.

Sample policy:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowPublicRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME/*"
    }
  ]
}
kontinuity
  • It's not recommended to make your S3 bucket publicly accessible - the preferred way is via a service such as CloudFront and require it to be used in order to access the objects in the bucket. – JBS Aug 15 '21 at 11:53
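
An added example, not part of the question or either answer: a small offline check that reports who a bucket policy allows to read objects, run over the two policies shown on this page. The function name, the finding labels and the compact re-typing of the policies are assumptions of this example; it only looks at `Principal.AWS`, literal read actions and `Resource` prefixes.

```python
import json

OAI_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "
READ_ACTIONS = {"s3:GetObject", "s3:*", "*"}

def as_list(value):
    # Policy fields may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def audit_bucket_policy(policy_json, bucket):
    """Return (Sid, finding) for every Allow statement that grants object reads."""
    findings = []
    for stmt in as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if not READ_ACTIONS & set(as_list(stmt.get("Action", []))):
            continue
        principal = stmt.get("Principal", {})
        who = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        # Does the grant cover objects of the bucket being audited?
        in_scope = any(r.startswith(f"arn:aws:s3:::{bucket}/")
                       for r in as_list(stmt.get("Resource", [])))
        for arn in who:
            if arn == "*":
                kind = "PUBLIC_WITH_CONDITION" if "Condition" in stmt else "PUBLIC"
            elif arn.startswith(OAI_PREFIX):
                kind = "CLOUDFRONT_OAI"
            else:
                kind = "OTHER_PRINCIPAL"
            if not in_scope:
                kind += "_NOT_THIS_BUCKET"
            findings.append((stmt.get("Sid", "").strip(), kind))
    return findings

# The two policies from this page, re-typed compactly as sample input.
OAI_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": " Grant a CloudFront Origin Identity access to support private content",
    "Effect": "Allow",
    "Principal": {"AWS": OAI_PREFIX + "E780000000000"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::socialacademy/*"}]})
PUBLIC_POLICY = json.dumps({"Version": "2008-10-17", "Statement": [{
    "Sid": "AllowPublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME/*"}]})

if __name__ == "__main__":
    print(audit_bucket_policy(OAI_POLICY, "socialacademy"))
    print(audit_bucket_policy(PUBLIC_POLICY, "YOUR-BUCKET-NAME"))
    print(audit_bucket_policy(OAI_POLICY, "bucketname"))
```

A `PUBLIC` finding means any caller can fetch objects directly from S3, bypassing CloudFront; a `_NOT_THIS_BUCKET` suffix means the statement's `Resource` does not cover the bucket name passed in.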