aws-samples / public-file-browser-for-amazon-s3

Sample code to deploy a website and a "public files" S3 bucket which can be loaded with any files an administrator wishes to publish publicly online.
MIT No Attribution

You don't have permission to access the S3 bucket for CloudFront logs: public-file-browser-logging- #3

Closed jojo786 closed 7 months ago

jojo786 commented 7 months ago

I did a git clone, then sam build, then sam deploy --guided --capabilities CAPABILITY_NAMED_IAM:

Setting default arguments for 'sam deploy'

    Stack Name [sam-app]: public-file-browser-for-amazon-s3
    AWS Region [af-south-1]: 
    Parameter SiteName [AnyCompany Public Files]: 
    Parameter FilesOpenTabMode [In New Tab]: 
    Parameter VisibleStorageClasses [STANDARD,STANDARD_IA,ONEZONE_IA,REDUCED_REDUNDANCY]: 
    Parameter CrossOriginRestriction [*]: 
    #Shows you resources changes to be deployed and require a 'Y' to initiate deploy
    Confirm changes before deploy [y/N]: 
    #SAM needs permission to be able to create roles to connect to the resources in your template
    Allow SAM CLI IAM role creation [Y/n]: 
    #Preserves the state of previously provisioned resources when an operation fails
    Disable rollback [y/N]: 
    Save arguments to configuration file [Y/n]: 
    SAM configuration file [samconfig.toml]: 
    SAM configuration environment [default]: 

which throws this error:

You don't have permission to access the S3 bucket for CloudFront logs: public-file-browser-logging-xxxxxxxx.s3.amazonaws.com. If you're using IAM, you need s3:GetBucketAcl and s3:PutBucketAcl permissions to create a distribution or to update log settings for an existing distribution. In addition, the S3 ACL for the bucket must grant you FULL_CONTROL. (Service: CloudFront, Status Code: 403)

ckabalan commented 7 months ago

Hi @jojo786 - I didn't see the values you provided in the SAM Deploy step. I'm mostly looking to make sure you're deploying in a supported region. I'll try and reproduce it on my side.

Edit: If it is indeed af-south-1, that should be supported. I'll do a deployment and give it a try.

ckabalan commented 7 months ago

af-south-1 / South Africa (Cape Town) is actually not supported.

After reproducing and investigating, the root cause is that CloudFront, while it can target origins in any S3 region, cannot target buckets in certain regions for logs. Source: Amazon CloudFront Developer Guide - Choosing an Amazon S3 bucket for your standard logs

I've made the following documentation update: @7a53e6a

For those who really want to use one of the unsupported regions, you may still be able to deploy by removing the logging configuration lines from the CloudFront resource in the SAM template.
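The workaround described in the last comment, as an added example that is not part of the thread or of aws-samples/public-file-browser-for-amazon-s3: a small Python pre-deploy step that checks the target region and, when CloudFront cannot deliver standard logs there, removes the Logging block from every AWS::CloudFront::Distribution resource in the template. It deliberately edits lines by indentation rather than round-tripping through a YAML parser, so CloudFormation intrinsic tags (!Ref, !Sub, !GetAtt) and comments survive. Assumptions: af-south-1 is the only region confirmed on this page, the other entries in LOG_UNSUPPORTED_REGIONS are the remaining opt-in regions named in the linked CloudFront guide and should be checked against the current list; SAMPLE_TEMPLATE is a constructed cut-down stand-in, not the project's template; plan_template() is a hypothetical helper name.

```python
"""Strip CloudFront standard-log settings from a SAM/CloudFormation template when the
target Region cannot host CloudFront log buckets. Added example for this thread, not
code from aws-samples/public-file-browser-for-amazon-s3; SAMPLE_TEMPLATE is constructed
and plan_template() is a hypothetical helper name."""
import re
from typing import List, Tuple

# af-south-1 is confirmed by the thread. The rest are the other opt-in Regions the
# CloudFront Developer Guide ("Choosing an Amazon S3 bucket for your standard logs")
# lists as unusable for log buckets; check the current guide before relying on this.
LOG_UNSUPPORTED_REGIONS = frozenset({
    "af-south-1", "ap-east-1", "ap-south-2", "ap-southeast-3", "ap-southeast-4",
    "ca-west-1", "eu-central-2", "eu-south-1", "eu-south-2", "il-central-1",
    "me-central-1", "me-south-1",
})
DIST_TYPE = re.compile(r"^\s*Type:\s*['\"]?AWS::CloudFront::Distribution['\"]?\s*(#.*)?$")
LOGGING_KEY = re.compile(r"^\s*Logging:(\s|$)")

def logging_supported(region: str) -> bool:
    """True if CloudFront can deliver standard logs to a bucket in this Region."""
    return region not in LOG_UNSUPPORTED_REGIONS

def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))

def _resource_bounds(lines: List[str], i: int) -> Tuple[int, int]:
    """[start, end) of the resource body around line i: the maximal run of lines
    indented at least as deep as line i (blank lines are absorbed)."""
    depth = _indent(lines[i])
    start, end = i, i + 1
    while start > 0 and (not lines[start - 1].strip() or _indent(lines[start - 1]) >= depth):
        start -= 1
    while end < len(lines) and (not lines[end].strip() or _indent(lines[end]) >= depth):
        end += 1
    return start, end

def strip_cloudfront_logging(template: str) -> Tuple[str, int]:
    """Remove every Logging: block inside an AWS::CloudFront::Distribution resource.
    Works on lines and indentation instead of a YAML parser so intrinsic tags
    (!Ref, !Sub, !GetAtt) and comments pass through untouched.
    Returns (new_template, blocks_removed)."""
    lines = template.splitlines(keepends=True)
    in_dist = [False] * len(lines)
    for i, line in enumerate(lines):
        if DIST_TYPE.match(line):
            start, end = _resource_bounds(lines, i)
            in_dist[start:end] = [True] * (end - start)
    out: List[str] = []
    removed, i = 0, 0
    while i < len(lines):
        if in_dist[i] and LOGGING_KEY.match(lines[i]):
            depth = _indent(lines[i])
            removed += 1
            i += 1
            while i < len(lines) and (not lines[i].strip() or _indent(lines[i]) > depth):
                i += 1  # everything nested under Logging: goes too
            continue
        out.append(lines[i])
        i += 1
    return "".join(out), removed

def plan_template(template: str, region: str) -> Tuple[str, int]:
    """Hypothetical pre-deploy hook: untouched in a supported Region, otherwise the
    log settings are stripped so CloudFront does not reject the distribution."""
    return (template, 0) if logging_supported(region) else strip_cloudfront_logging(template)

# Constructed for this example; a cut-down stand-in, not the project's template.
SAMPLE_TEMPLATE = """\
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Resources:
  LoggingBucket:
    Type: AWS::S3::Bucket
    Properties:
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerPreferred  # ACLs on: standard logs need them
  SiteDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        DefaultCacheBehavior:
          TargetOriginId: site
          ViewerProtocolPolicy: redirect-to-https
        Origins:
          - Id: site
            DomainName: !GetAtt SiteBucket.RegionalDomainName
        Logging:
          Bucket: !GetAtt LoggingBucket.RegionalDomainName
          IncludeCookies: false
          Prefix: cloudfront/
Outputs: {}
"""

if __name__ == "__main__":
    for region in ("eu-west-1", "af-south-1"):
        planned, n = plan_template(SAMPLE_TEMPLATE, region)
        print(f"{region}: logging supported={logging_supported(region)}, blocks removed={n}")
```

Two caveats worth keeping in mind when applying this. Stripping the Logging block trades away the CloudFront access-log trail for the site, so treat it as a last resort and prefer a log bucket in a supported region. And the 403 text quoted in the issue names a second precondition that applies even in supported regions: the bucket's S3 ACL must grant the caller FULL_CONTROL, which means the log bucket must have ACLs enabled (an ObjectOwnership setting other than BucketOwnerEnforced, as in the constructed sample above); a bucket created with ACLs disabled produces the same error.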