AWS - InvalidAccessKeyId returned when accessing S3 bucket via CloudFront HTTPS distribution

…衆ロ難τιáo~ submitted on 2019-12-11 12:58:45

Question


Previous question on the same case.

After solving my previous issue, my AWS is set up with the following services.

  1. S3 bucket in ap-east-1 without static website hosting.
  2. CloudFront HTTPS distribution with an SSL certificate requested from ACM in us-east-1.
  3. Alias pointing to the CloudFront distribution in Route 53.

When I try navigating to the distribution endpoint using the alias configured in Route 53, it always returns an InvalidAccessKeyId error, saying that the access key does not exist. The key is always the same for every request, and is prefixed with AKIA.

I have looked into my IAM console; no users have been created. There are only 2 roles, which I believe were auto-created by AWS.

By the way, even if I disable auto-updating of the S3 bucket policy when creating a new CloudFront distribution, my bucket policy will be modified automatically, where the Principal field is set to "AWS": "ADIA...". I have tried replacing it with "CanonicalUser": "<my OAI that the CloudFront distribution is using>", but it will be reverted to "AWS": "ADIA..." several minutes later.

Does anyone know how to tackle this invalid access key error?


Update

I have created another S3 bucket in ap-southeast-1 and carried out the exact same steps, allowing CloudFront to generate the bucket policy automatically, then configured alias settings in the Route 53 console.

Below is the auto-generated bucket policy.

Then, I copied and pasted that policy to my original ap-east-1 bucket. The only difference is in the line "AWS": "...", but it doesn't allow me to save it, stating that there is an error in the principal.


Answer 1:


This is a known issue with CloudFront and opt-in AWS regions. Unfortunately the workaround is to set your bucket policy to allow public access (something like "Principal": "*" in the bucket policy), or just use a different region for now.

You can also try complaining to AWS support. Customer impact tends to get AWS bugs resolved more quickly...
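
An added example, not part of the original question or answer: a small Python check that labels each `Principal` form mentioned in this thread (`"*"`, `"AWS": ...`, `"CanonicalUser": ...`) in a bucket policy and flags statements that leave the bucket world-readable, which is the effect of the public-access workaround. The function names are hypothetical, and the sample policy, bucket name and IDs are constructed placeholders.

```python
import json
import re

OAI_MARK = ":user/CloudFront Origin Access Identity "

def _as_list(x):
    return x if isinstance(x, list) else [x]

def classify_principal(kind, value):
    """Label one Principal entry by the forms discussed in the thread."""
    if value == "*":
        return "anyone"
    if kind == "CanonicalUser":
        return "canonical-user"
    if kind == "AWS":
        if OAI_MARK in value:
            return "cloudfront-oai"
        if value.startswith("arn:"):
            return "iam-arn"
        if re.fullmatch(r"\d{12}", value):
            return "account"
        return "opaque-id"  # non-ARN string, like the "ADIA..." value in the question
    return "other"

def audit(policy_json):
    """Return (sid, label, public) for every principal of every Allow statement."""
    findings = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        entries = [("*", "*")] if principal == "*" else [
            (k, v) for k, vs in principal.items() for v in _as_list(vs)]
        for kind, value in entries:
            label = classify_principal(kind, value)
            # An unconditional Allow to anyone is world-readable for the listed actions.
            public = label == "anyone" and not stmt.get("Condition")
            findings.append((stmt.get("Sid", ""), label, public))
    return findings

# Constructed sample: the public-access workaround next to an OAI grant and an opaque ID.
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Workaround", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OAI", "Effect": "Allow", "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEID"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "Opaque", "Effect": "Allow", "Principal": {"AWS": "ADIAEXAMPLEPLACEHOLDER"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
```

Running `audit(SAMPLE)` marks only the `Workaround` statement as public; a bucket left in that state serves its objects to any requester, not just to CloudFront.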



Source: https://stackoverflow.com/questions/56945849/aws-invalidaccesskeyid-returned-when-accessing-s3-bucket-via-cloudfront-https
