Problem description
Previous question on the same case.
After solving my previous issue, my AWS is set up with the following services.
- S3 bucket in ap-east-1 without static website hosting.
- CloudFront HTTPS distribution with a SSL certificate requested from ACM in us-east-1.
- Alias pointing to the CloudFront distribution in Route 53.
When I try navigating to the distribution endpoint using the alias configured in Route 53, it always returns an InvalidAccessKeyId error, saying that the access key does not exist. The key is always the same for every request, and is prefixed with AKIA.
I have looked into my IAM console; no users have been created. There are only 2 roles, which I believe were auto-created by AWS.
By the way, even if I disable auto-updating the S3 bucket policy when creating a new CloudFront distribution, my bucket policy will be modified automatically, where the Principal field is set to "AWS": "ADIA...". I have tried replacing it with "CanonicalUser": "<my OAI that the CloudFront distribution is using>", but it will be reverted to "AWS": "ADIA..." several minutes later.
Does anyone know how to tackle this invalid access key error?
Update
I have created another S3 bucket in ap-southeast-1 and carried out the exact same steps by allowing CloudFront to generate the bucket policy automatically, then configured alias settings in the Route 53 console.
Below is the auto-generated bucket policy.
Then, I copied and pasted that policy to my original ap-east-1 bucket; the only difference is in the line "AWS": "...", but it doesn't allow me to save it, stating that there is an error in the principal.
This is a known issue with CloudFront and opt-in AWS regions. Unfortunately the workaround is to set your bucket policy to allow public access (something like "Principal": "*" in the bucket policy), or just use a different region for now.
You can also try complaining to AWS support. Customer impact tends to get AWS bugs resolved more quickly...
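A check that can be run over a bucket policy before and after applying the workaround above, to list which Allow statements grant access to everyone and which carry an opaque principal ID like the "ADIA..." value in the question. This is an added example, not part of the original question or answer; the sample policy, the bucket name and every principal value in it are constructed.

```python
import json

def _as_list(value):
    return value if isinstance(value, list) else [value]

def classify_principal(principal):
    """Return (kind, value) pairs for one statement's Principal element."""
    if principal == "*":
        return [("public", "*")]
    found = []
    for key, values in principal.items():
        for value in _as_list(values):
            if key == "AWS" and value == "*":
                found.append(("public", value))
            elif key == "CanonicalUser":
                found.append(("canonical_user", value))
            elif key == "AWS" and (value.startswith("arn:")
                                   or (value.isdigit() and len(value) == 12)):
                found.append(("arn_or_account", value))
            elif key == "AWS":
                # Neither an ARN nor a 12-digit account ID: an opaque identifier.
                found.append(("opaque_id", value))
            else:
                found.append((key.lower(), value))
    return found

def audit_bucket_policy(policy_json):
    """Findings for Allow statements: public grants and opaque-ID principals."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
            continue
        for kind, value in classify_principal(stmt["Principal"]):
            if kind == "public":
                scope = "conditional" if stmt.get("Condition") else "unconditional"
                findings.append((index, "public", scope))
            elif kind == "opaque_id":
                findings.append((index, "opaque_id", value))
    return findings

# Constructed sample: statement 0 is the public-access workaround, statement 1
# has a placeholder opaque ID, statement 2 uses a placeholder CanonicalUser.
_RES = "arn:aws:s3:::example-bucket/*"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": _RES},
    {"Effect": "Allow", "Principal": {"AWS": "ADIAEXAMPLEPLACEHOLDER"},
     "Action": "s3:GetObject", "Resource": _RES},
    {"Effect": "Allow", "Principal": {"CanonicalUser": "constructed-canonical-id"},
     "Action": "s3:GetObject", "Resource": _RES}]})
```

An "unconditional" public finding means objects are readable directly from the S3 endpoint, not only through the CloudFront distribution.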