Use Origin Access Control instead of deprecated OAI #298
Conversation
Sorry mate, this is on my list to look at but I have been swamped. QQ: how well tested is this already?
I've tested it myself, but YMMV. Users should be aware that updating their stacks to this latest version will delete the existing CloudFront Origin Access Identity and replace it with an Origin Access Control. So it would be helpful to test an upgrade scenario and provide upgrade instructions in the
OK got it. I will also do some testing. Another QQ, what's the reason for taking out the s3:ListBucket permission from the bucket policy? The purpose of that was that CloudFront would see 404s from S3 in the case of non-existing objects, instead of 403. This is needed to enable SPA-routing:
Otherwise, tested myself, also an upgrade scenario from OAI, and it works well!
Ignorance on my part combined with a bias for least-privilege access. I'll update the PR to restore it.
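For reference, this is what the OAC-based bucket policy discussed above looks like when both statements are present. It is an added illustration written for this page, not the PR's own template; the logical IDs `OriginBucket` and `Distribution` and the OAC name are assumed, and the two statements are scoped to the distribution through `AWS:SourceArn` so that listing the bucket is granted only to requests CloudFront signs for this distribution.

```yaml
# Added illustration, not the project's template. OriginBucket and
# Distribution are assumed logical IDs defined elsewhere in the stack.
Resources:
  OriginAccessControl:
    Type: AWS::CloudFront::OriginAccessControl
    Properties:
      OriginAccessControlConfig:
        Name: !Sub "${AWS::StackName}-s3-oac"   # assumed name
        OriginAccessControlOriginType: s3
        SigningBehavior: always                 # sign every origin request
        SigningProtocol: sigv4

  OriginBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref OriginBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Object reads: the CloudFront service principal may read objects
          # only when the request is signed on behalf of this distribution.
          - Sid: AllowCloudFrontGetObject
            Effect: Allow
            Principal:
              Service: cloudfront.amazonaws.com
            Action: s3:GetObject
            Resource: !Sub "${OriginBucket.Arn}/*"
            Condition:
              StringEquals:
                AWS:SourceArn: !Sub "arn:${AWS::Partition}:cloudfront::${AWS::AccountId}:distribution/${Distribution}"
          # Bucket listing: without this statement S3 answers 403 for a
          # missing key (it will not disclose whether the object exists),
          # so CloudFront cannot distinguish "not found" from "forbidden".
          # With it, S3 returns 404, which the distribution's 404 -> 200
          # /index.html custom error response can map for SPA routing.
          # Scoped to the same distribution, so it is not a public listing.
          - Sid: AllowCloudFrontListBucket
            Effect: Allow
            Principal:
              Service: cloudfront.amazonaws.com
            Action: s3:ListBucket
            Resource: !GetAtt OriginBucket.Arn
            Condition:
              StringEquals:
                AWS:SourceArn: !Sub "arn:${AWS::Partition}:cloudfront::${AWS::AccountId}:distribution/${Distribution}"
```

Dropping the second statement is the change the maintainer noticed: the policy is tighter, but every miss at the origin becomes a 403 and the SPA fallback never fires.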
Use Origin Access Control to allow CloudFront to authenticate to S3 for retrieving objects from the origin S3 bucket. This replaces the now-deprecated Origin Access Identity (OAI) mechanism. Also add support for creating an S3 bucket for CloudFront access logging.
@ottokruse Can you take another look, please?
Thanks for the PR, and the nudge!
Oops, just ran into:
And now see that Well, that is really, really, annoying. Have logged an issue in the SAM repo: aws/serverless-application-model#3681
Use Origin Access Control to allow CloudFront to authenticate to S3 for retrieving objects from the origin S3 bucket. This replaces the now-deprecated Origin Access Identity (OAI) mechanism.
Also add support for creating an S3 bucket for CloudFront access logging.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.