我开始在AWS上构建基础设施,第一步是让Cloud Front服务与两个不同的S3存储桶一起工作(我将一个简单的index.html上传到每个存储桶)。为此,我制作了以下 yaml 以通过 Cloud Formation 进行部署。
AWSTemplateFormatVersion: "2010-09-09"
Resources:
UserBucket:
Type: AWS::S3::Bucket
Properties:
AccessControl: Private
BucketName: my-user-bucket
Tags:
- Key: description
Value: "User page files"
AdminBucket:
Type: AWS::S3::Bucket
Properties:
AccessControl: Private
BucketName: my-admin-bucket
Tags:
- Key: description
Value: "Admin page files"
CloudFrontOriginAccessIdentity:
Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
Properties:
CloudFrontOriginAccessIdentityConfig:
Comment: 'origin identity'
UserBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: my-user-bucket
PolicyDocument:
Version: '2012-10-17'
Statement:
- Action:
- 's3:GetObject'
Effect: Allow
Principal:
AWS:
Fn::Join:
- " "
-
- "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity"
-
!Ref CloudFrontOriginAccessIdentity
Resource:
- !Sub arn:aws:s3:::my-user-bucket/*
DependsOn:
- UserBucket
AdminBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: my-admin-bucket
PolicyDocument:
Version: '2012-10-17'
Statement:
- Action:
- 's3:GetObject'
Effect: Allow
Principal:
AWS:
Fn::Join:
- " "
-
- "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity"
-
!Ref CloudFrontOriginAccessIdentity
Resource:
- !Sub arn:aws:s3:::my-admin-bucket/*
DependsOn:
- AdminBucket
PublicDistribution:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
Origins:
- DomainName: my-user-bucket.s3.sa-east-1.amazonaws.com
Id: S3-my-user-bucket
S3OriginConfig:
OriginAccessIdentity:
'Fn::Join':
- ''
- - origin-access-identity/cloudfront/
- Ref: CloudFrontOriginAccessIdentity
- DomainName: my-admin-bucket.s3.sa-east-1.amazonaws.com
Id: S3-my-admin-bucket
S3OriginConfig:
OriginAccessIdentity:
'Fn::Join':
- ''
- - origin-access-identity/cloudfront/
- Ref: CloudFrontOriginAccessIdentity
DefaultCacheBehavior:
AllowedMethods:
- GET
- HEAD
TargetOriginId: S3-my-user-bucket
ForwardedValues:
QueryString: 'false'
Cookies:
Forward: none
ViewerProtocolPolicy: allow-all
CacheBehaviors:
- PathPattern: user/*
AllowedMethods:
- GET
- HEAD
TargetOriginId: S3-my-user-bucket
ForwardedValues:
QueryString: 'false'
Cookies:
Forward: none
ViewerProtocolPolicy: allow-all
- PathPattern: admin/*
AllowedMethods:
- GET
- HEAD
TargetOriginId: S3-my-admin-bucket
ForwardedValues:
QueryString: 'false'
Cookies:
Forward: none
ViewerProtocolPolicy: allow-all
Enabled: 'true'
Comment: Some comment
DefaultRootObject: index.html
ViewerCertificate:
CloudFrontDefaultCertificate: 'true'
DependsOn:
- UserBucketPolicy
- AdminBucketPolicy
如您所见,我正在尝试使用 Cloud Front Distribution 行为配置重定向用户和管理员的请求。
我能够访问 foobar.cloudfront.net 上的 index.html 文件,对我来说这意味着 OAI 工作正常。但是 foobar.cloudfront.net/admin/index.html 和 foobar.cloudfront.net/user/index.html 都返回以下错误,所以我认为行为和/或路径有问题:
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>YRCKS4PAV9C11CR9</RequestId>
<HostId>N9d3NJLrwZY1bECeTmXoQqRuDljsgFQk3C9pt5AX2pZyI4BEhTMCvJDB1uUAaQ4zUlppbvQbyOs=</HostId>
</Error>
有什么问题的想法吗?
最佳答案
我相信您需要更新您的 BucketPolicies 以包含两者:
Action:
- 's3:GetObject'
- 's3:ListObjects'
和
资源两者兼备:
"arn:aws:s3:::my-user-bucket/",
"arn:aws:s3:::my-user-bucket/*"
关于amazon-web-services - 使用 cloudfront 的 s3 上的访问被拒绝错误,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/71387978/