问题
我正在尝试部署一个托管我的静态网站资产的 S3 存储桶和一个云端分发来访问它,但该分发仍然返回一个裸 xml 文件以显示“访问被拒绝”错误:
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>5N0Z412GZ0VGV79E</RequestId>
<HostId>GkpQbOpKeDiaCdFJM7kDq6ouWL/dvdijNu7NseC7KeIIogNabowVrDcfjPZ0xajKpDTx3SmgoEI=</HostId>
</Error>
正如此文档页面在蓝色通知警报中所述,我没有将存储桶设为网站端点,这样我可以使用 OAC 来限制对其内容的访问。
一件奇怪的事情是,从 Web 控制台检查分发来源时,我看到了这个蓝色警报,但可复制策略与我在给定链接的存储桶权限中找到的相同。
我在部署期间没有出错,所以这一定是一个愚蠢的配置错误,但自一周以来它一直让我头疼,我无法弄清楚出了什么问题。
Bucket 和 object owners 对应
由于 mi 网站资产是从不同的项目/管道上传到存储桶的,我按照本指南检查存储桶和对象所有者是否不同但实际上是对应的:
> aws s3api list-buckets --query Owner.ID
"3fdbd1e5cad4dd2bbf4c66a3dbaded6b888fdb67ff6aa6e66203a4107fe17b72"
> aws s3api list-objects --bucket my-test-bucket --prefix index.html
{
"Contents": [
{
"Key": "index.html",
"LastModified": "2023-01-20T11:05:38+00:00",
"ETag": "\"52f2df5ddf8c35391f3f15a7614def58\"",
"Size": 325,
"StorageClass": "STANDARD",
"Owner": {
"ID": "3fdbd1e5cad4dd2bbf4c66a3dbaded6b888fdb67ff6aa6e66203a4107fe17b72"
}
}
]
}
CloudFormation 模板
Resources:
BucketPolicy:
Type: 'AWS::S3::BucketPolicy'
DependsOn:
- AppBucket
- CloudFrontDistribution
Properties:
Bucket: !Ref AppBucket
PolicyDocument:
Id: MyPolicy
Version: '2012-10-17'
Statement:
Sid: PolicyForCloudFrontPrivateContent
Action: s3:GetObject
Effect: Allow
Principal:
Service: cloudfront.amazonaws.com
Condition:
StringEquals:
AWS:SourceArn: !Sub arn:aws:cloudfront::${AWS::AccountId}:distribution/${CloudFrontDistribution}
Resource: !Sub arn:aws:s3:::${AppBucket}/*
CloudFrontDistribution:
Type: AWS::CloudFront::Distribution
DependsOn:
- AppBucket
- DefaultCachePolicy
- DistributionOAC
Properties:
DistributionConfig:
Enabled: true
Origins:
- Id: AppBucket
DomainName: !GetAtt AppBucket.DomainName
OriginPath: /*
S3OriginConfig: {}
OriginAccessControlId: !Ref DistributionOAC
DefaultRootObject: index.html
DefaultCacheBehavior:
ViewerProtocolPolicy: redirect-to-https
TargetOriginId: AppBucket
CachePolicyId: !Ref DefaultCachePolicy
DistributionOAC:
Type: AWS::CloudFront::OriginAccessControl
Properties:
OriginAccessControlConfig:
Name: ExampleOAC
OriginAccessControlOriginType: s3
SigningBehavior: always
SigningProtocol: sigv4
AppBucket:
Type: 'AWS::S3::Bucket'
Properties:
BucketName: 'test-spa-stack-bucket-app'
PublicAccessBlockConfiguration:
BlockPublicAcls : false
BlockPublicPolicy : false
IgnorePublicAcls : false
RestrictPublicBuckets : false
DefaultCachePolicy:
Type: AWS::CloudFront::CachePolicy
Properties:
CachePolicyConfig:
Name: test-cache-policy
DefaultTTL: 10
MaxTTL: 10
MinTTL: 1
ParametersInCacheKeyAndForwardedToOrigin:
CookiesConfig:
CookieBehavior: none
EnableAcceptEncodingBrotli: true
EnableAcceptEncodingGzip: true
HeadersConfig:
HeaderBehavior: none
QueryStringsConfig:
QueryStringBehavior: none
好的,我找到了一个从云控制台运行的YT 视频,然后我通过 CloudFormation 堆栈模板复制了它。
我认为我的问题可能是由以下任一配置引起的:
cuket owner enforced策略工作模板