I am trying to do a bucket listing on an S3 bucket via CloudFront. Namely:

http://d1po79dcz1lvsl.cloudfront.net/?prefix=subdir&Signature=‘Signature_removed’&Policy=‘policy_removed’&Key-Pair-Id=‘id-removed’

But CF has been giving me Access Denied all the time with different custom policies.

I tried a policy that allows access to anything under the distribution, and I also tried a policy that specifies a URL parameter.

```json
{
   "Statement": [
      {
         "Resource":"http*://d1po79dcz1lvsl.cloudfront.net/*",
         "Condition":{
            "DateLessThan":{"AWS:EpochTime":1462053600},
            "IpAddress":{"AWS:SourceIp":"185.46.212.0/24"}
         }
      }
   ]
}
```

```json
{
   "Statement": [
      {
         "Resource":"http*://d1po79dcz1lvsl.cloudfront.net/?prefix=subdir",
         "Condition":{
            "DateLessThan":{"AWS:EpochTime":1462053600},
            "IpAddress":{"AWS:SourceIp":"185.46.212.0/24"}
         }
      }
   ]
}
```

None of them work. So could a signed URL be used with bucket listing or just list index? If not, would it be possible with signed cookies? I do know bucket listing is possible with CloudFront without a signed URL.

Kurt Liu
  • `/prefix=subdir` is definitely incorrect, but perhaps `/?prefix=subdir` might be what you're looking for; however, if you've declared a `Default Root Object` for the CloudFront distribution, you aren't likely going to be able to pull a directory listing through CloudFront, because this configuration would be expected to mask the ability to access the root of the bucket. Have you set that? Is there a reason you want to pull directory listings through CloudFront instead of directly from S3? – Michael - sqlbot Apr 12 '16 at 20:06
  • The JSON statement was wrong. I am using ?prefix. – Kurt Liu Apr 13 '16 at 08:15
  • I've not set Default Root Object. Actually, before I enabled Restrict Viewer Access, I could do bucket listing. I don't want to request via S3 because I want CF to be the only point through which users with a signed URL can access the contents and the listing. – Kurt Liu Apr 13 '16 at 08:17
  • This makes sense. Will you show us the bucket policy from S3? This is what allows the CloudFront origin access identity to access the bucket and it may not have sufficient permission to list objects. – Michael - sqlbot Apr 13 '16 at 12:00

0 Answers