I have an S3 bucket which does not have public access. I have a bucket policy, but it was automatically generated when I connected a CDN to the bucket for an origin access identity.
But that's all the policy has.
Bucket policies are dicks for me. I'm wondering if this is in fact the problem or if it may be something else.
{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::shofi-mod/*"
        }
    ]
}
For comparison, here is the bucket policy of my other bucket that does have public access. I am looking at the two for clues of what it is I should do.
{
    "Version": "2012-10-17",
    "Id": "",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam:::user/shofi-stuff-bucket-user"
            },
            "Action": [
                "s3:ListBucket",
                "s3:ListBucketVersions",
                "s3:GetBucketLocation",
                "s3:Get*",
                "s3:Put*"
            ],
            "Resource": "arn:aws:s3:::shofi-stuff"
        }
    ]
}
Thank you so much, kings.
There are a few topics here.
The first bucket policy you have shown simply grants access to CloudFront via an Allow policy. It would not interfere with the pre-signed URL.
The second bucket policy (while not being directly relevant to your question) has an error in it. When using GetObject and PutObject, access must be granted to the contents of the bucket, not the bucket itself. (Whereas ListBucket does apply to the bucket.)
Therefore, the Resource should grant access to the bucket and the contents of the bucket:
"Resource": ["arn:aws:s3:::shofi-stuff", "arn:aws:s3:::shofi-stuff/*"]
As to why your pre-signed URL is not working, it would either be due to:
Resource
problem), or
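The bucket-ARN versus object-ARN point from the answer can be checked mechanically. The following is an added example, not code from the question or the answer: a small Python checker that flags actions in a policy statement whose Resource can never match them (object-level actions such as GetObject/PutObject with only `arn:aws:s3:::bucket`, or ListBucket with only `arn:aws:s3:::bucket/*`). It is run over the second policy from the question and over the corrected Resource the answer proposes; the action classification is a simplification that treats the `s3:Get*`/`s3:Put*` wildcards as object-level because they expand to GetObject/PutObject.

```python
import json

# Object-level actions need an object ARN (arn:aws:s3:::bucket/...); bucket-level
# actions need the bucket ARN (arn:aws:s3:::bucket). Get*/Put* are classified as
# object-level here because they cover GetObject/PutObject (a simplification).
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:Get*", "s3:Put*"}
BUCKET_ACTIONS = {"s3:ListBucket", "s3:ListBucketVersions", "s3:GetBucketLocation"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _names_objects(resource):
    # "*" matches everything; otherwise an object ARN has a "/" after "arn:aws:s3:::"
    return resource == "*" or "/" in resource.split(":::", 1)[-1]


def _names_bucket(resource):
    return resource == "*" or "/" not in resource.split(":::", 1)[-1]


def find_resource_mismatches(policy_json):
    """Return (Sid, action, reason) tuples for actions that cannot match any
    Resource in their statement and are therefore silently not granted."""
    problems = []
    for stmt in json.loads(policy_json)["Statement"]:
        resources = _as_list(stmt.get("Resource", []))
        has_object_arn = any(_names_objects(r) for r in resources)
        has_bucket_arn = any(_names_bucket(r) for r in resources)
        for action in _as_list(stmt.get("Action", [])):
            if action in OBJECT_ACTIONS and not has_object_arn:
                problems.append((stmt.get("Sid", ""), action, "needs an object ARN (bucket/*)"))
            elif action in BUCKET_ACTIONS and not has_bucket_arn:
                problems.append((stmt.get("Sid", ""), action, "needs the bucket ARN"))
    return problems


# The second policy from the question: only the bucket ARN is listed as Resource.
ORIGINAL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam:::user/shofi-stuff-bucket-user"},
        "Action": ["s3:ListBucket", "s3:ListBucketVersions", "s3:GetBucketLocation",
                   "s3:Get*", "s3:Put*"],
        "Resource": "arn:aws:s3:::shofi-stuff",
    }],
})
# The same statement with the Resource list the answer recommends.
FIXED_POLICY = ORIGINAL_POLICY.replace(
    '"Resource": "arn:aws:s3:::shofi-stuff"',
    '"Resource": ["arn:aws:s3:::shofi-stuff", "arn:aws:s3:::shofi-stuff/*"]')

if __name__ == "__main__":
    for name, doc in (("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY)):
        print(name, find_resource_mismatches(doc) or "no mismatches")
```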