
CloudFrontToS3: Fails to get OAC Id #1261

Closed
lucas-subli opened this issue Feb 5, 2025 · 3 comments
Labels
bug Something isn't working needs-triage The issue or PR still needs to be triaged

Comments

@lucas-subli

lucas-subli commented Feb 5, 2025

Trying to use the CloudFrontToS3 construct always gives an error:

Unable to retrieve Id attribute for AWS::CloudFront::OriginAccessControl, with error message Access denied for operation 'AWS::CloudFront::OriginAccessControl'.

Reproduction Steps

```typescript
import * as cdk from 'aws-cdk-lib';
import { CloudFrontToS3 } from '@aws-solutions-constructs/aws-cloudfront-s3';

// `construct` is the enclosing scope (a Stack or Construct) in the reporter's code.
const cf = new CloudFrontToS3(construct, 'portal-distribution', {
  bucketProps: {
    bucketName: 'web-distribution-bucket',
  },
  logS3AccessLogs: false,
  cloudFrontDistributionProps: {
    // Serve index.html for 403/404 so a single-page app handles its own routing.
    errorResponses: [
      {
        ttl: cdk.Duration.days(180),
        httpStatus: 403,
        responseHttpStatus: 200,
        responsePagePath: '/index.html',
      },
      {
        ttl: cdk.Duration.days(180),
        httpStatus: 404,
        responseHttpStatus: 200,
        responsePagePath: '/index.html',
      },
    ],
  },
  logCloudFrontAccessLog: false,
});
```

Error Log

CREATE_FAILED        | AWS::CloudFront::Distribution          | portal-distribution/CloudFrontDistribution (portaldistributionCloudFrontDistribution739C662C) Unable to retrieve Id attribute for AWS::CloudFront::OriginAccessControl, with error message Access denied for operation 'AWS::CloudFront::OriginAccessControl'.

Environment

  • CDK CLI Version : "aws-cdk": "^2.177.0",
  • AWS Solutions Constructs Version : "@aws-solutions-constructs/aws-cloudfront-s3": "^2.77.0"
  • OS : Ubuntu 24.04
  • Language : TS

Other

Relevant IAM permissions on the CDK execution role:

"cloudfront:CreateOriginAccessControl",
"cloudfront:UpdateOriginAccessControl",
"cloudfront:DeleteOriginAccessControl",
"cloudfront:GetOriginAccessControl",
"cloudfront:ListOriginAccessControls",
"cloudfront:GetOriginAccessControlConfig",

This is 🐛 Bug Report

@lucas-subli lucas-subli added bug Something isn't working needs-triage The issue or PR still needs to be triaged labels Feb 5, 2025
@biffgaut
Contributor

biffgaut commented Feb 5, 2025

Thanks, we'll check this out

@lucas-subli
Author

Adding

- cloudfront:DescribeFunction
- cloudfront:CreateFunction
- cloudfront:GetFunction
- cloudfront:PublishFunction

to the role seems to have fixed the issue; not sure why.
Also, ARN errors are usually formatted a little differently than this, but it seems to be working now.

Closing.

@biffgaut
Contributor

biffgaut commented Feb 5, 2025

Thanks for letting us know - I figured it was a permissions issue and was paring down my privileges until I figured out which one. Apparently you have found it.
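A way to find a missing deploy-role permission without paring privileges down by hand, added here as an example that is not part of this issue or of the aws-solutions-constructs project: it runs the IAM policy simulator against the role for the CloudFront actions named in this thread and reports which ones are not allowed. The role ARN is a placeholder and the sample simulator output is constructed.

```python
"""Report which CloudFront actions a CDK execution role is not allowed to call.

Uses IAM SimulatePrincipalPolicy (boto3) rather than trial-and-error removal
of privileges. boto3 is imported lazily so the pure helper runs offline.
"""

# Actions from the issue: the OriginAccessControl set the role already had,
# plus the CloudFront Function set whose absence produced the misleading
# "Unable to retrieve Id attribute for AWS::CloudFront::OriginAccessControl".
REQUIRED_ACTIONS = [
    "cloudfront:CreateOriginAccessControl",
    "cloudfront:UpdateOriginAccessControl",
    "cloudfront:DeleteOriginAccessControl",
    "cloudfront:GetOriginAccessControl",
    "cloudfront:ListOriginAccessControls",
    "cloudfront:GetOriginAccessControlConfig",
    "cloudfront:DescribeFunction",
    "cloudfront:CreateFunction",
    "cloudfront:GetFunction",
    "cloudfront:PublishFunction",
]

# Constructed sample of simulator EvaluationResults for a role in the state
# the reporter started from: OAC allowed, CloudFront Function actions denied.
SAMPLE_RESULTS = [
    {"EvalActionName": "cloudfront:CreateOriginAccessControl", "EvalDecision": "allowed"},
    {"EvalActionName": "cloudfront:CreateFunction", "EvalDecision": "implicitDeny"},
    {"EvalActionName": "cloudfront:PublishFunction", "EvalDecision": "implicitDeny"},
]


def denied_actions(simulation_results, required=REQUIRED_ACTIONS):
    """Return required actions that are not explicitly 'allowed'.

    An action absent from the results (e.g. a truncated response) is treated
    as not allowed, so nothing silently passes.
    """
    allowed = {
        r["EvalActionName"] for r in simulation_results if r.get("EvalDecision") == "allowed"
    }
    return sorted(a for a in required if a not in allowed)


def simulate_role(role_arn, actions=REQUIRED_ACTIONS):
    """Run the IAM policy simulator for one principal ARN (network call)."""
    import boto3  # lazy: only needed for the live check

    paginator = boto3.client("iam").get_paginator("simulate_principal_policy")
    results = []
    for page in paginator.paginate(PolicySourceArn=role_arn, ActionNames=actions):
        results.extend(page["EvaluationResults"])
    return denied_actions(results, actions)


if __name__ == "__main__":
    # Placeholder ARN: replace with the CDK execution role of your deployment.
    print(simulate_role("arn:aws:iam::123456789012:role/PLACEHOLDER-cdk-exec-role"))
```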
