1

Similar to this question: Enabling POST/PUT/DELETE on AWS CloudFront?

I have setup a Cloudfront Distribution with an Origin Access Identity that has access to the S3 origin.

S3 has a CORS configuration that allows PUT, POST, GET, etc. from any Origin. Cloudfront is forwarding the Origin, Access-Control-Request-Headers & Access-Control-Request-Method headers to the S3 origin.

Using the Dropzone-js library I have configured a POST upload request to the Cloudfront endpoint.

Response: 405 Method Not Allowed

And the Response headers:

  • access-control-allow-methods HEAD, GET, PUT, POST
  • access-control-allow-origin *
  • allow HEAD, DELETE, GET, PUT
  • server AmazonS3
  • x-cache Error from cloudfront

If I switch the request method to 'PUT' the upload response is successful.

200 OK

  • x-cache: Miss from cloudfront
  • access-control-allow-methods HEAD, GET, PUT, POST

The mysterious 'allow' header is now missing.

The file that ends up in S3 following the PUT request is not readable. I get an Access Denied error when trying to download it.

fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden

I'm not sure if S3 implicitly refuses POST requests. That would be fine, so long as PUT requests worked.

The CORS configuration:

<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>HEAD</AllowedMethod>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>PUT</AllowedMethod>
    <AllowedMethod>POST</AllowedMethod>
    <AllowedHeader>*</AllowedHeader>
</CORSRule>
</CORSConfiguration>

The Bucket Policy:

{
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXX"
            },
            "Action": [
                "s3:*",
                "s3:PutObject",
                "s3:GetObject",
                "s3:AbortMultipartUpload"
            ],
            "Resource": "arn:aws:s3:::example-bucket.net/*"
}

s3:* is to try and get it working for a start.

Why is POST not allowed to the S3 Origin? Why is the uploaded file corrupt/not readable?

I've also tried pre-signed URLs similar to method below, but face similar problems. POST is rejected, and PUT is AccessDenied. I tried this on multiple buckets. The only way it would work is with Public WRITE enabled. https://aws.amazon.com/blogs/media/deep-dive-into-cors-configs-on-aws-s3-how-to/

Edit: This issue is very similar, but appears to not be resolved. dropzone.js direct upload to S3 with content-type

comfytoday
  • 1,987
  • 19
  • 29
  • The uploaded file isn't corrupted. Your IAM user doesn't have the right to call the Head object, ie. Metadata. Is it possible for you to try this with a s3 all access account just to confirm that it is an access issue? – Ninad Gaikwad Sep 30 '20 at 04:02
  • I believe the keys I'm using to inspect, as well as the console access account have full access rights. I created the bucket, there is nothing I can't do in S3. Except when I upload a file by this method. Also, turning Public Read on does not give me access to the uploaded files – comfytoday Sep 30 '20 at 04:25

1 Answers1

0

Why is POST not allowed to the S3 Origin?

POST requests for S3 origin in CloudFront with OAI are simply not supported.

From Using an OAI in Amazon S3 Regions that Support Only Signature Version 4 Authentication:

POST requests are not supported.

Marcin
  • 108,294
  • 7
  • 83
  • 138
  • That explains that then. The linked page also talks about a ' x-amz-content-sha256' header required for PUT requests via Cloudfront to S3. This is the first time I've seen requirement, but it may explain the other part of this problem. – comfytoday Sep 30 '20 at 07:51
  • @comfytoday I'm not sure about the corrupted data when you PUT objects. It could be that some headers are missing as you noticed. – Marcin Sep 30 '20 at 07:54