How to resolve "specified origin access identity does not exist or is not valid"

I have a problem with these lines in my serverless.yml file. I am using the Serverless plugin serverless-single-page-app-plugin.

    # CustomOriginConfig:
    #   HTTPPort: 80
    #   HTTPSPort: 443
    #   OriginProtocolPolicy: https-only
    ## In case you want to restrict the bucket access use S3OriginConfig and remove CustomOriginConfig
    S3OriginConfig:
      OriginAccessIdentity: origin-access-identity/cloudfront/E127EXAMPLE51Z

I want to use S3OriginConfig and disable direct access through the S3 bucket. I can do this manually, but I want to get the effect shown in the picture below:

AWS Console config

Mateusz Avatar asked Apr 03 '19 13:04

1 Answer

You might have solved it already, as you asked your question a long time ago, but this might help if you didn't. I too faced the same issue, and after some research through the AWS documentation I got to know how to use the required attributes. Below are the points to consider regarding your question.

  1. As your origin is an Amazon S3 bucket, you should use S3OriginConfig in the Distribution.
  2. If a new OAI is required, then you have to create a CloudFrontOriginAccessIdentity resource and reference the OAI and its S3CanonicalUserId attribute from the CloudFront Distribution and S3 BucketPolicy resources respectively.

Please find the below snippet in response to your question.

# In serverless.yml these resources belong under `resources:` -> `Resources:`.
WebAppDistribution:
  Type: AWS::CloudFront::Distribution
  Properties:
    DistributionConfig:
      Enabled: true                 # required by CloudFormation
      DefaultRootObject: index.html # serve the SPA entry point for "/"
      Origins:
        - DomainName: 'passport-front.s3.amazonaws.com'
          Id: 'WebApp'
          S3OriginConfig:
            # The value must be "origin-access-identity/cloudfront/<OAI id>". Ref on the OAI
            # resource below yields its id, so the identity is guaranteed to exist.
            OriginAccessIdentity: !Join ['', ['origin-access-identity/cloudfront/', !Ref CloudFrontOAI]]
      DefaultCacheBehavior:         # required by CloudFormation
        TargetOriginId: 'WebApp'
        ViewerProtocolPolicy: redirect-to-https
        ForwardedValues:
          QueryString: false
CloudFrontOAI:
  Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
  Properties:
    CloudFrontOriginAccessIdentityConfig:
      Comment: 'access-identity-passport-front.s3.amazonaws.com'
WebAppBucket:
  Type: AWS::S3::Bucket
  DeletionPolicy: "Retain"
  Properties:
    # Keep the bucket private: a PublicRead ACL would let clients bypass CloudFront and the OAI.
    AccessControl: Private
    BucketName: "passport-front"
WebAppBucketPolicy:
  Type: AWS::S3::BucketPolicy
  Properties:
    Bucket: !Ref WebAppBucket
    PolicyDocument:
      Statement:
        - Action: s3:GetObject
          Effect: Allow
          Principal:
            # Only the OAI's canonical user may read objects
            CanonicalUser: !GetAtt CloudFrontOAI.S3CanonicalUserId
          Resource: !Join ['', ['arn:aws:s3:::', !Ref WebAppBucket, '/*']]

References: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-cloudfront.html

Aditya Avatar answered Sep 19 '22 01:09
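The wiring the answer describes (S3OriginConfig pointing at an OAI resource, and the bucket policy granting that OAI's S3CanonicalUserId) is exactly what goes wrong when the error in the title appears. Below is an added lint, not from the post or from the plugin, that checks a CloudFormation Resources map in long-form dict notation ({"Ref": ...}, {"Fn::Join": ...}, {"Fn::GetAtt": ...}) for that wiring and for a public bucket ACL that would bypass the OAI; the template it checks is constructed to mirror the answer, and the bucket name is a placeholder.

```python
OAI_TYPE = "AWS::CloudFront::CloudFrontOriginAccessIdentity"
OAI_PREFIX = "origin-access-identity/cloudfront/"

def oai_logical_id(value):
    """Logical id of the OAI that an OriginAccessIdentity value references via Fn::Join + Ref,
    or None for literal ids and malformed values (a literal id cannot be verified offline)."""
    join = value.get("Fn::Join") if isinstance(value, dict) else None
    if not join or join[0] != "" or len(join) != 2 or len(join[1]) != 2 or join[1][0] != OAI_PREFIX:
        return None
    return join[1][1].get("Ref") if isinstance(join[1][1], dict) else None

def check_oai_wiring(resources):
    """Return findings for a CloudFormation Resources dict; [] means the wiring is consistent."""
    findings = []
    oais = {name for name, res in resources.items() if res["Type"] == OAI_TYPE}
    for name, res in resources.items():
        props = res.get("Properties", {})
        if res["Type"] == "AWS::CloudFront::Distribution":
            for origin in props["DistributionConfig"]["Origins"]:
                if "S3OriginConfig" not in origin:
                    continue  # CustomOriginConfig origins do not use an OAI
                oai = oai_logical_id(origin["S3OriginConfig"].get("OriginAccessIdentity"))
                if oai not in oais:
                    findings.append(f"{name}/{origin['Id']}: OriginAccessIdentity does not reference an OAI resource in this template")
        elif res["Type"] == "AWS::S3::BucketPolicy":
            for stmt in props["PolicyDocument"]["Statement"]:
                principal = stmt.get("Principal")
                user = principal.get("CanonicalUser") if isinstance(principal, dict) else None
                getatt = user.get("Fn::GetAtt") if isinstance(user, dict) else None
                if not getatt or getatt[0] not in oais or getatt[1] != "S3CanonicalUserId":
                    findings.append(f"{name}: principal is not an OAI's S3CanonicalUserId")
        elif res["Type"] == "AWS::S3::Bucket" and props.get("AccessControl") == "PublicRead":
            findings.append(f"{name}: AccessControl PublicRead bypasses the OAI restriction")
    return findings

def build_resources(oai_ref, acl):
    """Constructed template mirroring the answer's resources (placeholder bucket name, not a real deployment)."""
    return {
        "CloudFrontOAI": {"Type": OAI_TYPE, "Properties": {
            "CloudFrontOriginAccessIdentityConfig": {"Comment": "example-oai"}}},
        "WebAppDistribution": {"Type": "AWS::CloudFront::Distribution", "Properties": {
            "DistributionConfig": {"Origins": [{"Id": "WebApp", "DomainName": "example-bucket.s3.amazonaws.com",
                "S3OriginConfig": {"OriginAccessIdentity": {"Fn::Join": ["", [OAI_PREFIX, {"Ref": oai_ref}]]}}}]}}},
        "WebAppBucket": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": acl}},
        "WebAppBucketPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {
            "Bucket": {"Ref": "WebAppBucket"}, "PolicyDocument": {"Statement": [{
                "Action": "s3:GetObject", "Effect": "Allow", "Resource": "arn:aws:s3:::example-bucket/*",
                "Principal": {"CanonicalUser": {"Fn::GetAtt": ["CloudFrontOAI", "S3CanonicalUserId"]}}}]}}},
    }
```

A literal id such as the questioner's `origin-access-identity/cloudfront/E127EXAMPLE51Z` is reported because the lint cannot confirm it exists in the account; a `Ref` to an in-template OAI is the only wiring it accepts as verified.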