CloudFront and S3

In my deploy I have configured a CloudFront instance with 2 origins: the API Gateway and a S3 bucket.

This way the API and the site using it are served from the same domain.

However, I can’t persuade this to deploy - it keeps bombing with:

  • API: s3:CreateBucket Access Denied.

However, if I remove my declaration of the s3 bucket, it all deploys fine.

I assumed the CFront config was causing the bucket to exist, so I changed it to use Fn::GetAtt of the bucket domain… no fix.

So I added a DependsOn to the CFront… no fix.
So I moved the DependsOn to the Origin… no fix.

I would leave it as an “implied” creation, but I want to ensure permissions are set to public read.

Any ideas?

CF config will never automatically create an S3 bucket. It sounds like Serverless is creating the bucket for you.

You can run sls --noDeploy and then look at the templates generated in the .serverless/ directory in your service’s directory, to confirm that the bucket is being defined for you.

OK… well, the only two references to AWS::S3 in the CF templates are ServerlessDeploymentBucket and my staticBucket.

Anything else I can check?

Are you referencing your staticBucket anywhere else? If you’re using it as an S3 event source then SLS will try to create it for you automatically.

Just to be clear, are you expecting to see another bucket definition? That is, 3 buckets?

No, no other references. It’s a bucket for me to stuff static assets into, to be served from CloudFront. As such, it’s only referenced in the CFront config (and my s3 assets config for my plugin).

What I find peculiar is that the CloudFront config works when the bucket is not defined. I’m sure in the past CF has cracked it with me when I’ve tried to reference a S3 bucket that didn’t exist.

Yeah, it will totally do that if it doesn’t exist.

Is this bucket created outside of CFN (or left-over from an earlier template/deploy)? Are you changing the name between deploys, or is it just continually re-using the same, old bucket for your static files? This would explain why it no longer gives you an error. If you change the name of the bucket CF should point to, I would assume it will complain again.

I’ve tried changing the name, just in case it was colliding with something.

Thing is, I’ve deployed (without the s3 entry in resources) and the bucket does NOT show in my AWS console.

And if I try to go to the url, I get:

<Message>The specified bucket does not exist</Message>

Yet CloudFront is happily referring to it as an S3 Origin…

OK, after spotting by chance that an extra bucket was created, then deleted, during the deploy, I realised the problem was I didn’t have s3:PutBucketAcl permission on my deploy role.

Thanks for helping me out :smile:

Nice to know there’s someone else on here in the same timezone as I am, too :wink:

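A minimal serverless.yml for the setup described in this thread, written as an added example rather than taken from the original posts: a bucket with a public-read ACL and one CloudFront distribution with both the API Gateway and the S3 bucket as origins. The service name, runtime, bucket naming and the /api/* path pattern are assumptions; ApiGatewayRestApi is the logical ID Serverless gives the REST API it generates.

```yaml
service: my-site            # placeholder service name (assumption)

provider:
  name: aws
  runtime: nodejs18.x       # placeholder runtime (assumption)

resources:
  Resources:
    # The bucket from the thread. AccessControl: PublicRead makes CloudFormation
    # call s3:PutBucketAcl as part of bucket creation, so the deploy role must be
    # allowed s3:CreateBucket AND s3:PutBucketAcl or the stack fails right here.
    staticBucket:
      Type: AWS::S3::Bucket
      Properties:
        BucketName: ${self:service}-${opt:stage, 'dev'}-static
        AccessControl: PublicRead

    # One distribution, two origins: the static bucket and the API Gateway API.
    siteDistribution:
      Type: AWS::CloudFront::Distribution
      Properties:
        DistributionConfig:
          Enabled: true
          Origins:
            - Id: static
              # GetAtt also orders creation: bucket first, then distribution.
              DomainName:
                Fn::GetAtt: [staticBucket, DomainName]
              S3OriginConfig: {}
            - Id: api
              # Fn::Join avoids the ${...} clash between Fn::Sub and Serverless variables.
              DomainName:
                Fn::Join:
                  - ""
                  - - Ref: ApiGatewayRestApi
                    - ".execute-api."
                    - Ref: AWS::Region
                    - ".amazonaws.com"
              OriginPath: /${opt:stage, 'dev'}
              CustomOriginConfig:
                OriginProtocolPolicy: https-only
          DefaultCacheBehavior:
            TargetOriginId: static
            ViewerProtocolPolicy: redirect-to-https
            ForwardedValues:
              QueryString: false
          CacheBehaviors:
            - PathPattern: /api/*
              TargetOriginId: api
              ViewerProtocolPolicy: https-only
              AllowedMethods: [GET, HEAD, OPTIONS, PUT, PATCH, POST, DELETE]
              ForwardedValues:
                QueryString: true
```

The deploy role needs s3:CreateBucket and s3:PutBucketAcl on arn:aws:s3:::<bucket-name> for this to go through, since CloudFormation applies the ACL during creation, which is why the thread's failure surfaced at the CreateBucket step. Accounts with S3 Block Public Access enabled (the default for new buckets since 2023) reject a PublicRead ACL; there, keep the bucket private and grant the distribution access through an origin access control instead.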

Oh wow, I really thought it would complain if it wasn’t there - maybe that’s only if it’s referred to via an alias (i.e. NOT a custom origin). Will have to go and check. At least it told you what the problem was at request time.