aws-samples / image-optimization

Simple, performant and cost efficient solution for optimizing images using Amazon CloudFront, Amazon S3 and AWS Lambda
MIT No Attribution

Origin access identity / control missing between cloudfront and bucket #46

Closed gersomvg closed 3 months ago

gersomvg commented 4 months ago

I already thanked you in a private message, but thanks again for this awesome sample. It's just what I needed.

I just found out that in my implementation — that I pretty much copied from this template — CloudFront is always using the fallback origin. Initially, this went unnoticed for me as everything was quite speedy. But this speediness is mostly because of CloudFront's cache and the fact that the Lambda is getting the file from S3 directly if it already exists, instead of doing a new resize.

It seems like your example suffers the same lack of origin access identity (OAI) or origin access control (OAC), also when using STORE_TRANSFORMED_IMAGES=true. Are you sure that CloudFront can actually hit S3 in your sample CDK?

Just giving feedback on this to improve the solution for anyone who comes across it in the future.

achrafsouk commented 4 months ago

Hello! Thanks for the feedback.

Let's unpack the issues one by one. The first is about the behavior of the solution. When using 'STORE_TRANSFORMED_IMAGES=true', which is the default option, the request goes to CloudFront; if not in cache, it hits the transformed image bucket; if not already transformed, it falls back to the Lambda origin to transform it, send it back, and store it in the transformed image bucket.

Which part of this sequence did not work for you?

gersomvg commented 4 months ago

The part where it hits the transformed image bucket. I already had a CDK setup with my own bucket, so there is a slight chance there is a little difference in my setup, but I don't see any policies in your CDK code that allow CloudFront access to the bucket, and the bucket also has no public access setup.

achrafsouk commented 4 months ago

Line 173: Primary origin is the transformed image bucket. The S3Origin constructor automatically creates an OAI to give CloudFront access to the bucket.

gersomvg commented 3 months ago

Maybe it didn't work for me because my bucket was already created earlier or because it is in eu-central-1, which is a different region than the default CloudFront eu-east-1.

Never mind, if your example works the issue has to be on my side 👍🏻 I've got it up and running by adding OAI manually. That only worked after also adding a bucket policy allowing CloudFront in general.
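Since the thread turns on whether the bucket policy actually lets CloudFront read the transformed images, here is an added example (not code from this repository) that classifies a bucket policy as OAI-based, OAC-based, or granting CloudFront nothing, and builds the statement an OAC setup needs. The bucket name, distribution ARN and OAI id used with it are constructed placeholders.

```typescript
// Added example, not code from aws-samples/image-optimization: classifies how an S3
// bucket policy lets CloudFront read objects (legacy OAI, OAC, or not at all).
// Bucket names, distribution ARNs and OAI ids passed in are constructed placeholders.

type Principal = string | { AWS?: string | string[]; CanonicalUser?: string; Service?: string | string[] };
export type Statement = {
  Effect: "Allow" | "Deny";
  Principal?: Principal;
  Action: string | string[];
  Resource: string | string[];
  Condition?: { StringEquals?: Record<string, string | string[]> };
};
export type BucketPolicy = { Version: string; Statement: Statement[] };
export type CloudFrontAccess = "oai" | "oac" | "none";

const asList = (v?: string | string[]): string[] => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// True when the statement allows reading the bucket's objects. Note the resource must be
// "arn:aws:s3:::<bucket>/*": a grant on the bucket ARN alone does not cover GetObject.
function allowsGetObject(st: Statement, bucket: string): boolean {
  if (st.Effect !== "Allow") return false;
  const getsObjects = asList(st.Action).some((a) => ["s3:GetObject", "s3:Get*", "s3:*", "*"].includes(a));
  const onObjects = asList(st.Resource).some((r) => r === `arn:aws:s3:::${bucket}/*` || r === "*");
  return getsObjects && onObjects;
}

export function cloudFrontAccess(policy: BucketPolicy, bucket: string, distributionArn: string): CloudFrontAccess {
  for (const st of policy.Statement) {
    if (!allowsGetObject(st, bucket) || typeof st.Principal !== "object") continue;
    const p = st.Principal;
    // Legacy OAI: the grant is to the OAI's canonical user id or its CloudFront IAM-style ARN.
    if (p.CanonicalUser || asList(p.AWS).some((a) => a.includes("CloudFront Origin Access Identity"))) return "oai";
    // OAC: the CloudFront service principal, scoped to this distribution through aws:SourceArn.
    const isCloudFront = asList(p.Service).includes("cloudfront.amazonaws.com");
    const sourceArns = asList(st.Condition?.StringEquals?.["aws:SourceArn"]);
    if (isCloudFront && sourceArns.includes(distributionArn)) return "oac";
  }
  return "none";
}

// The statement an OAC setup needs on the transformed-image bucket.
export function oacStatement(bucket: string, distributionArn: string): Statement {
  return {
    Effect: "Allow",
    Principal: { Service: "cloudfront.amazonaws.com" },
    Action: "s3:GetObject",
    Resource: `arn:aws:s3:::${bucket}/*`,
    Condition: { StringEquals: { "aws:SourceArn": distributionArn } },
  };
}
```

Run `cloudFrontAccess` against the policy fetched with `aws s3api get-bucket-policy` to confirm the primary origin is actually reachable before relying on cache hits as evidence.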