Setting Content Disposition with CloudFront/S3 without Signed URLs

I have objects with public read access that are restricted to only being served through CloudFront. When I try to pass in a response-content-disposition parameter to my CloudFront URL, I get the S3 error:

Request specific response headers cannot be used for anonymous GET requests.

I've read that S3 does not allow you to set the content-disposition unless you are using a signed URL, but this isn't an option. The CloudFront requests shouldn't be considered anonymous since they are using the bucket policy for authentication. Is there a way I can configure that to work?

How can I set the content-disposition without using a signed URL?

Tom Rossi asked Sep 16 '25 18:09


1 Answer

Request options like response-content-disposition are not supported with anonymous requests, so the error suggests that S3 is not seeing any authentication information present.

In order for CloudFront to authenticate itself to an S3 origin, the Restrict Bucket Access origin setting must be set to Yes.

The option is very poorly named, because the option does not actually do anything to restrict access to the bucket. It should be called something like "Authenticate Requests When Sending to Bucket" because that's what the option actually enables -- use of an Origin Access Identity (OAI) to authenticate the requests being sent to the bucket.

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#private-content-creating-oai-console

Note that the fact that your setup was allowing requests to pass through anonymously may mean your bucket policy or object ACLs are not sufficiently restrictive.

Michael - sqlbot answered Sep 18 '25 08:09
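The two pieces the answer above describes in words, as an added example that is not part of the question or the answer: an S3 bucket policy that grants read access only to the CloudFront Origin Access Identity (no public-read statement, so direct anonymous GETs fail and CloudFront's OAI-signed requests succeed), a check that flags the kind of "Principal: *" read grant that would let requests pass through anonymously, and a helper that builds the CloudFront URL with a properly percent-encoded response-content-disposition parameter. The bucket name, OAI ID and CloudFront domain are placeholders, not values from the original post.

```python
import json
import urllib.parse

# Placeholder values for the example; substitute your own.
BUCKET = "example-bucket"
OAI_ID = "E1EXAMPLE12345"                          # hypothetical OAI ID
CLOUDFRONT_DOMAIN = "d111111abcdef8.cloudfront.net"  # hypothetical distribution


def oai_bucket_policy(bucket, oai_id):
    """Bucket policy that lets only the CloudFront OAI read objects.

    There is deliberately no public-read statement: a direct, unsigned GET
    against the bucket is refused, while CloudFront (which signs its origin
    requests with the OAI when 'Restrict Bucket Access' is Yes) is allowed.
    """
    oai_arn = (
        "arn:aws:iam::cloudfront:user/"
        f"CloudFront Origin Access Identity {oai_id}"
    )
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontOAIRead",
                "Effect": "Allow",
                "Principal": {"AWS": oai_arn},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
            }
        ],
    }


def _principals(stmt):
    p = stmt.get("Principal")
    if p == "*":
        return ["*"]
    if isinstance(p, dict):
        vals = []
        for v in p.values():
            vals.extend(v if isinstance(v, list) else [v])
        return vals
    return []


def _actions(stmt):
    a = stmt.get("Action", [])
    return a if isinstance(a, list) else [a]


def anonymous_read_statements(policy):
    """Sids of Allow statements granting object reads to everyone ('*').

    Conditions (e.g. aws:Referer) are ignored on purpose: a request matching
    such a statement is still an anonymous request from S3's point of view,
    so response-content-* parameters would still be rejected.
    """
    read_actions = {"*", "s3:*", "s3:Get*", "s3:GetObject"}
    sids = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt):
            continue
        if read_actions.intersection(_actions(stmt)):
            sids.append(stmt.get("Sid", "<no Sid>"))
    return sids


def download_url(domain, key, filename):
    """CloudFront URL asking S3 to serve `key` as an attachment named `filename`.

    Spaces and quotes are percent-encoded (not '+'-encoded) so S3 reads the
    header value back exactly as written.
    """
    disposition = f'attachment; filename="{filename}"'
    qs = urllib.parse.urlencode(
        {"response-content-disposition": disposition},
        quote_via=urllib.parse.quote,
    )
    return f"https://{domain}/{urllib.parse.quote(key)}?{qs}"


if __name__ == "__main__":
    policy = oai_bucket_policy(BUCKET, OAI_ID)
    print(json.dumps(policy, indent=2))
    print("anonymous read grants:", anonymous_read_statements(policy))
    print(download_url(CLOUDFRONT_DOMAIN, "reports/q3 2024.pdf", "report.pdf"))
```

Two things to check alongside the policy: the distribution's cache behavior must forward the query string (at least `response-content-disposition`) to the origin, since CloudFront drops query strings by default and S3 would never see the parameter; and any object ACLs granting public read should be removed, otherwise the OAI-only bucket policy is bypassed at the object level.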