amazon-web-services - 访问 cloudfront 分发 s3 被拒绝

Question

我正在将一个网站上传到 S3，并将其配置为通过 cloudfront 分发进行访问。当我通过浏览器访问分发 URL 时，我得到:

<Error>
   <Code>AccessDenied</Code>
   <Message>Access Denied</Message>
   <RequestId>TKHNQGGSSHY3ZH6T</RequestId>
   <HostId>zXD7uBIpJUGHaUl8m5/9xtm2cnvX/Kok6rYp0oz6RFbqJeLreohaOWHx4jHJ/F675UGxo1SfEYs= 
   </HostId>
</Error>

这是我的 sam cloudformation 模板片段，我猜测 StockMonitorFeBucketPolicy 存在一些问题。

##################### FRONTEND

  StockMonitorFeBucket:
    Type: 'AWS::S3::Bucket'
    DeletionPolicy: Delete
    Properties:
      BucketName: osotnikov-stock-monitor-front-end-resources-s3-bucket
      AccessControl: Private
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
  StockMonitorFeBucketDistributionOriginAccessIdentity:
    Type: 'AWS::CloudFront::CloudFrontOriginAccessIdentity'
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: This is the origin access identity (simply user).
  StockMonitorFeBucketDistribution:
    Type: 'AWS::CloudFront::Distribution'
    DependsOn:
      - StockMonitorFeBucket
      - StockMonitorFeBucketDistributionOriginAccessIdentity
    Properties:
      DistributionConfig:
        Origins:
          - DomainName: !GetAtt
              - StockMonitorFeBucket
              - DomainName
            Id: StockMonitorFeBucketCloudFrontOrigin
            S3OriginConfig:
              OriginAccessIdentity: !Sub >-
                origin-access-identity/cloudfront/${StockMonitorFeBucketDistributionOriginAccessIdentity}
        Enabled: 'true'
        DefaultCacheBehavior:
          TargetOriginId: StockMonitorFeBucketCloudFrontOrigin
          ForwardedValues:
            QueryString: 'false'
          ViewerProtocolPolicy: allow-all
  StockMonitorFeBucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    DependsOn:
      - StockMonitorFeBucket
      - StockMonitorFeBucketDistributionOriginAccessIdentity
      - StockMonitorFeBucketDistribution
    Properties:
      Bucket: !Ref StockMonitorFeBucket
      PolicyDocument:
        Statement:
          - Sid: cloudFrontReadAccess
            Effect: Allow
            Principal:
              CanonicalUser: !GetAtt
                - StockMonitorFeBucketDistributionOriginAccessIdentity
                - S3CanonicalUserId
            Action: 's3:GetObject'
            Resource: >-
              arn:aws:s3:::osotnikov-stock-monitor-front-end-resources-s3-bucket/*

这是部署后添加的存储桶策略:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "cloudFrontReadAccess",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1V8NTQPK5FD7P"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::osotnikov-stock-monitor-front-end-resources-s3-bucket/*"
        }
    ]
}

或者我尝试:

Properties:
      Bucket: !Ref StockMonitorFeBucket
      PolicyDocument:
        Statement:
          - Sid: cloudFrontReadAccess
            Effect: Allow
            Principal:
              AWS: !Join
                - ' '
                - - 'arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity'
                - - !GetAtt [ StockMonitorFeBucketDistributionOriginAccessIdentity, S3CanonicalUserId ]
            Action: 's3:GetObject'
            Resource: >-
              arn:aws:s3:::osotnikov-stock-monitor-front-end-resources-s3-bucket/*

但后来我得到:

 a string delimiter and (2) a list of strings to be joined or a function that returns a list of strings (such as Fn::GetAZs) to be joined. 

我尝试将主体更改为

Principal: AWS: !Join [' ', ['arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity', !GetAtt [StockMonitorFeBucketDistributionOriginAccessIdentity, S3CanonicalUserId]]] 

但是我在策略错误中收到无效的主体

Answer 1

您的模板没有任何问题(我部署了它)。它按预期工作。在您的情况下获得 AccessDenied 的唯一方法是由于缺少 DefaultRootObject正如 index.html 所定义的。因此，您必须显式地将 index.html 添加到您的 cloudfront url，例如:

http://21342sfssgdf.cloudfront.net/index.html