-
Notifications
You must be signed in to change notification settings - Fork 82
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CloudFront Origin Access Control L2 #491
Comments
References: |
I really need OAC support as I'm preparing to open source a project and having the tweak mentioned in the issue aws/aws-cdk#21771 is not too clean even if it works. |
Is there any movement on this? The original issue aws/aws-cdk#21771 is over 15 months old. This RFC has over 240 👍🏼 and 16 ❤️ indicating a ton of folks want this change. OAC enables additional functionality in CloudFront, in particular the ability to PUT and POST to S3 via CloudFront, and is the AWS recommend way to implement S3 access via CloudFront. The RFC and the associated PR (aws/aws-cdk#24861) appear to have been abandoned. Using the L1 construct is non-starter for many folks as it introduces a circular dependency, and requires removing a hardcoded OAI the existing constructs appear to introduce. |
@AMZN-hgoffin Hi, what is that status of this?
but I can't add it to my s3OriginSource, that only supports originAccessIdentity. Also, I am unable to update the policy of this existing s3 bucket and give cloudfront permission to execute getObject from it. Are there any plans to make this a bit better? |
I did not try yet but someone shared a working snippet |
Hi, Is there any ETA when this feature will be available in aws-cdk ? |
Hey Folks! AWS announced support for Origin Access Control for Lambda Function URLs and AWS Elemental MediaPackage Origin yesterday. Please can we get some movement on OAC being supported by The original issue aws/aws-cdk#21771 is now 20 months old. |
Description
The CloudFront L2 constructs in the CDK only support Origin Access Identity, which is considered legacy (AWS is allergic to "deprecated", but it's definitely deprecated!) and will not work in any new S3 regions going forward.
CloudFormation L1 includes support for Origin Access Control, but using this with the L2 constructs is difficult or impossible because the existing code always enables Origin Access Identity, which is incompatible.
In addition, existing customers have reported struggles with Origin Access Identity in combination with the S3Origin L2 construct as it has a secret behavior: it attempts to adjust the resource policy of the origin bucket to grant access to CloudFront. Unfortunately this attempt is not compatible with buckets which use ACL and not IAM, and there is no way to prevent this behavior. Also, when a bucket is imported by name or attributes, the S3Origin attempt to modify policy silently fails, and there is no warning about this (neither in documentation, at build time, or during deployment).
Origin Access Control will make this situation more acute, because OAC has a wider range of possible permissions (OAC can support PUT/POST operations, but customers will usually not want to grant write permissions!) and is simultaneously less flexible for deployment (due to circular dependencies between bucket policy and the distribution ID, which is an output of the distribution). Buckets in the same stack can have policy applied automatically, but buckets which are imported across stacks cannot. CDK users will need a way to control the level of automatic permission granting, both to permit read-write access when desired, and also to disable the automatic grant in order to break circular dependencies.
This proposal has two parts:
Roles
Workflow
status/proposed
)status/review
)api-approved
applied to pull request)status/final-comments-period
)status/approved
)status/planning
)status/implementing
)status/done
)The text was updated successfully, but these errors were encountered: