I'm currently facing difficulties with accessing S3 objects via CloudFront in my web application. Here's my current configuration:
- I'm using AWS Amplify to manage authentication with Amazon Cognito in my application.
- The identity tokens generated by Amplify and Cognito are stored in the browser's cookies.
- I've set up a CloudFront distribution to serve content from my S3 bucket.
- I've attached the following IAM policy to my S3 bucket:
  {
    "Sid": "1",
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXX"
    },
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::YYYYYYYYYYYYY.com/index.html"
  }
- In my IAM policies, I've allowed CloudFront to access index.html and its dependencies.
- Private files such as admin.html are not directly accessible via CloudFront.
- However, I'd like admin.html to be accessible to authenticated users via Cognito, using the identity tokens provided by Amplify.
- I've attached the following IAM policy to my Cognito group:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "s3:GetObject"
        ],
        "Resource": "arn:aws:s3:::my-bucket/admin.html"
      }
    ]
  }
Despite this configuration, when I attempt to access admin.html after authenticating with Amplify and Cognito, I encounter authorization issues. The objects fail to load properly, and I receive access denied errors.
I've checked my IAM policies to ensure they allow access to S3 objects, and I've also reviewed my configuration in Amplify and Cognito to ensure that identity tokens are correctly generated and stored in cookies.
I suspect there's an issue with how CloudFront uses the identity tokens provided by Cognito to authorize access to admin.html, but I'm unsure how to resolve this problem.
Have you encountered a similar situation, or do you have any suggestions on how to resolve this issue of accessing S3 objects via CloudFront with Amplify and Cognito? Any help would be greatly appreciated.
Thank you very much!