-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
cloudfront.create_distribution() throws 'InvalidOrigin' error when 'S3OriginConfig' key is not supplied in the distribution config even when OriginAccessControlId is supplied #3804
Comments
Hi @diningPhilosopher64 thanks for reaching out. Could you share your debug logs (with sensitive info redacted) by adding The boto3 create_distribution command maps to the CloudFront CreateDistribution API, so this could be an underlying API issue that we would need to escalate to the service team. |
@tim-finnigan , this is the gist for the source code and the debug log Thanks! |
Thanks @diningPhilosopher64 for following up. It looks like the Here is documentation that adds some more context:
https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_S3OriginConfig.html
Perhaps the wording describing this API behavior could be improved — we recommend using the Provide feedback links at the bottom of those documentation pages to send feedback directly to the S3 documentation team. When the API documentation gets updated upstream, those changes are imported into the SDK documentation. |
Thanks @tim-finnigan , I'll provide feedback in the link you mentioned. Can also please look into |
Hi @diningPhilosopher64 thanks for following up. Regarding the second problem you mentioned, the documentation notes:
Based on that, it is expected behavior that either an ARN or ID could be accepted depending on if you're using WAF or WAF Classic. As with the other issue, if you think the wording here is unclear or inaccurate then we recommend reaching out through the Provide feedback at the bottom of the API documentation page. |
Makes sense! |
Describe the bug
Problem 1
I'm trying to create a cloudfront distribution with S3 as the origin. As recommended, I'm using Origin Access Control(OAC) instead of Origin Access Identity(OAI).
For this:
create_origin_access_control()
API.OriginAccessControlId
key to the Origin value (in the config) when creating the distribution.The create_distribution() call would return an
InvalidOrigin
error even when I supply the correct S3 bucket domain name:my-bucket-name.s3.us-east-1.amazonaws.com
But, if I pass
S3OriginConfig
key, with the value ofOriginAccessIdentity
set to an empty string, creation is successful.If the below snippet is left commented, I see the
InvalidOrigin
error. Upon uncommenting, it successfully creates the cloudfront distribution.It doesn't even need a valid value for the key
OriginAccessIdentity
. Just leaving it empty would successfully create the distribution.The strange thing is the created distribution would associate the OAC ID to the origin correctly and ignore the OAI value passed to
OriginAccessIdentity
.There seems to be some kind of a dependency between the keys
S3OriginConfig
andOriginAccessControlId
.Problem 2
The
WebACLId
field in theDistributionConfig
takes the Web ACL ARN and not its ID!If I pass the Web ACL ID I get the following error:
An error occurred (InvalidWebACLId) when calling the CreateDistribution operation: Web ACL is not accessible by the requester.
And when I pass its ARN, I'm able to create the distribution successfully.
The
WebACLId
needs to be updated toWebACLArn
or atleast the documentation should reflect this!Expected Behavior
The create_distribution() call should not throw
InvalidOrigin
Error when passing theOriginAccessControlId
.The
S3OriginConfig
key (related to OAI) shouldn't be required to pass ifOriginAccessControlId
(related to OAC) is being passed.Current Behavior
The create_distribution() call is throwing
InvalidOrigin
Error when passing theOriginAccessControlId
.The
S3OriginConfig
has to be passed even if OAI is not being used to successfully create the CF distribution.Reproduction Steps
Execute the the code snippet mentioned above.
Possible Solution
No response
Additional Information/Context
No response
SDK version used
1.28.15
Environment details (OS name and version, etc.)
Debian 11, python 3.9
The text was updated successfully, but these errors were encountered: