
cloudfront.create_distribution() throws 'InvalidOrigin' error when 'S3OriginConfig' key is not supplied in the distribution config even when OriginAccessControlId is supplied #3804

Closed
diningPhilosopher64 opened this issue Aug 2, 2023 · 6 comments
Labels
api-documentation closing-soon This issue will automatically close in 4 days unless further comments are made. service-api This issue is caused by the service API, not the SDK implementation.

Comments

diningPhilosopher64 commented Aug 2, 2023

Describe the bug

Problem 1

I'm trying to create a cloudfront distribution with S3 as the origin. As recommended, I'm using Origin Access Control (OAC) instead of Origin Access Identity (OAI).

For this:

  1. Create an OAC using the create_origin_access_control() API.
  2. Pass the Id of the OAC as the OriginAccessControlId key of the Origin item (in the config) when creating the distribution.

The create_distribution() call would return an InvalidOrigin error even when I supply the correct S3 bucket domain name:
my-bucket-name.s3.us-east-1.amazonaws.com

But if I pass the S3OriginConfig key, with the value of OriginAccessIdentity set to an empty string, creation is successful.

import boto3
from botocore.exceptions import ClientError

cloudfront = boto3.client("cloudfront")
try:
    cloudfront.create_distribution(DistributionConfig={
        "CallerReference": "1234",
        "DefaultRootObject": "index.html",
        "Origins": {
            "Quantity": 1,
            "Items": [
                {
                    "Id": "asdf",
                    "DomainName": "my-bucket-name.s3.us-east-1.amazonaws.com",
                    # ID of the Origin Access Control created in step 1
                    "OriginAccessControlId": "Id-of-origin-access-control",
                    ####   If the below code is un-commented the creation would be successful.
                    # "S3OriginConfig": {
                    #     "OriginAccessIdentity": ""
                    # },
                },
            ]
        },
        'DefaultCacheBehavior': {
            'TargetOriginId': "asdf",
            'ViewerProtocolPolicy': 'https-only',
            'AllowedMethods': {
                'Quantity': 2,
                'Items': ['GET', 'HEAD']
            },
            'ForwardedValues': {
                'QueryString': False,
                'Cookies': {'Forward': 'none'}
            },
            'TrustedSigners': {
                'Enabled': False,
                'Quantity': 0
            },
            'MinTTL': 0
        },
        'Enabled': True,
        # 'WebACLId': web_acl_id,
        'HttpVersion': 'http2',
        'PriceClass': 'PriceClass_All',
        'IsIPV6Enabled': True,
        "Comment": "Hello world"
    })

# The original snippet caught iam.exceptions.ClientError, but no iam client is
# defined here; botocore's ClientError covers the CloudFront error responses.
except ClientError as err:
    print(err)

If the below snippet is left commented, I see the InvalidOrigin error. Upon uncommenting, it successfully creates the cloudfront distribution.

"S3OriginConfig":{
  "OriginAccessIdentity": ""
},

It doesn't even need a valid value for the key OriginAccessIdentity. Just leaving it empty would successfully create the distribution.

The strange thing is that the created distribution associates the OAC ID with the origin correctly and ignores the OAI value passed to OriginAccessIdentity.

There seems to be some kind of a dependency between the keys S3OriginConfig and OriginAccessControlId.

Problem 2

The WebACLId field in the DistributionConfig takes the Web ACL ARN and not its ID!
If I pass the Web ACL ID I get the following error:
An error occurred (InvalidWebACLId) when calling the CreateDistribution operation: Web ACL is not accessible by the requester.

And when I pass its ARN, I'm able to create the distribution successfully.

The WebACLId needs to be updated to WebACLArn, or at least the documentation should reflect this!

Expected Behavior

The create_distribution() call should not throw InvalidOrigin Error when passing the OriginAccessControlId.

The S3OriginConfig key (related to OAI) shouldn't be required to pass if OriginAccessControlId (related to OAC) is being passed.

Current Behavior

The create_distribution() call is throwing InvalidOrigin Error when passing the OriginAccessControlId.

The S3OriginConfig has to be passed even if OAI is not being used to successfully create the CF distribution.

Reproduction Steps

Execute the code snippet mentioned above.

Possible Solution

No response

Additional Information/Context

No response

SDK version used

1.28.15

Environment details (OS name and version, etc.)

Debian 11, python 3.9

@diningPhilosopher64 diningPhilosopher64 added bug This issue is a confirmed bug. needs-triage This issue or PR still needs to be triaged. labels Aug 2, 2023
@diningPhilosopher64 diningPhilosopher64 changed the title cloudfront.create_distribution() throws 'InvalidOrigin' error when 'S3OriginConfig' key is not supplied in the distribution config even when I'd like to provide OriginAccessControlId. cloudfront.create_distribution() throws 'InvalidOrigin' error when 'S3OriginConfig' key is not supplied in the distribution config even when OriginAccessControlId is supplied Aug 2, 2023
@tim-finnigan tim-finnigan self-assigned this Aug 7, 2023
@tim-finnigan (Contributor)

Hi @diningPhilosopher64 thanks for reaching out. Could you share your debug logs (with sensitive info redacted) by adding boto3.set_stream_logger('') to your script? That would help with further investigation of the issue.

The boto3 create_distribution command maps to the CloudFront CreateDistribution API, so this could be an underlying API issue that we would need to escalate to the service team.

@tim-finnigan tim-finnigan added response-requested Waiting on additional information or feedback. service-api This issue is caused by the service API, not the SDK implementation. and removed bug This issue is a confirmed bug. needs-triage This issue or PR still needs to be triaged. labels Aug 7, 2023
@diningPhilosopher64 (Author)

@tim-finnigan , this is the gist for the source code and the debug log

Thanks!

@tim-finnigan (Contributor)

Thanks @diningPhilosopher64 for following up. It looks like the S3OriginConfig parameter is required here because the origin is an S3 bucket. I found a related issue on Stack Overflow from a few years ago coming to the same conclusion that you need to pass an empty string for OriginAccessIdentity.

Here is documentation that adds some more context:

https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_Origin.html#cloudfront-Type-Origin-S3OriginConfig

Use this type to specify an origin that is an Amazon S3 bucket that is not configured with static website hosting. To specify any other type of origin, including an Amazon S3 bucket that is configured with static website hosting, use the CustomOriginConfig type instead.

https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_S3OriginConfig.html

If you want viewers to be able to access objects using either the CloudFront URL or the Amazon S3 URL, specify an empty OriginAccessIdentity element.

To delete the origin access identity from an existing distribution, update the distribution configuration and include an empty OriginAccessIdentity element.

Perhaps the wording describing this API behavior could be improved — we recommend using the Provide feedback links at the bottom of those documentation pages to send feedback directly to the S3 documentation team. When the API documentation gets updated upstream, those changes are imported into the SDK documentation.

@tim-finnigan tim-finnigan added closing-soon This issue will automatically close in 4 days unless further comments are made. api-documentation and removed response-requested Waiting on additional information or feedback. labels Aug 8, 2023
@diningPhilosopher64 (Author)

Thanks @tim-finnigan, I'll provide feedback in the link you mentioned. Can you also please look into Problem 2 mentioned in the description?

@tim-finnigan (Contributor)

Hi @diningPhilosopher64 thanks for following up. Regarding the second problem you mentioned, the documentation notes:

WebACLId (string) –

A unique identifier that specifies the WAF web ACL, if any, to associate with this distribution. To specify a web ACL created using the latest version of WAF, use the ACL ARN, for example arn:aws:wafv2:us-east-1:123456789012:global/webacl/ExampleWebACL/473e64fd-f30b-4765-81a0-62ad96dd167a. To specify a web ACL created using WAF Classic, use the ACL ID, for example 473e64fd-f30b-4765-81a0-62ad96dd167a.

Based on that, it is expected behavior that either an ARN or an ID could be accepted depending on whether you're using WAF or WAF Classic. As with the other issue, if you think the wording here is unclear or inaccurate then we recommend reaching out through the Provide feedback link at the bottom of the API documentation page.

@tim-finnigan tim-finnigan added closing-soon This issue will automatically close in 4 days unless further comments are made. and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Aug 9, 2023
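Added example (not from the reporter's gist or from boto3) that turns both findings in this thread into a local pre-flight check: the S3 origin must carry an S3OriginConfig with an empty OriginAccessIdentity even when an OAC is used, and WebACLId takes the ARN for a WAFv2 ACL but the bare ID only for WAF Classic. The regular expressions for the S3 endpoint shapes and the ARN/ID forms are assumptions made here, and nothing is sent to AWS.

```python
import re

# Constructed patterns (assumptions, not from the SDK): S3 REST endpoint,
# S3 static-website endpoint, WAFv2 global web ACL ARN, WAF Classic ACL ID.
S3_REST = re.compile(r"^[a-z0-9.-]+\.s3(?:[.-](?!website)[a-z0-9-]+)?\.amazonaws\.com$")
S3_WEBSITE = re.compile(r"^[a-z0-9.-]+\.s3-website[.-][a-z0-9-]+\.amazonaws\.com$")
WAFV2_ARN = re.compile(r"^arn:aws:wafv2:[a-z0-9-]+:\d{12}:global/webacl/[^/]+/[0-9a-f-]+$")
CLASSIC_ID = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def s3_oac_origin(origin_id, bucket_domain, oac_id):
    """Origin item for an S3 REST endpoint fronted by Origin Access Control.

    S3OriginConfig has to be present or CreateDistribution answers
    InvalidOrigin; an empty OriginAccessIdentity means "no OAI", which is
    exactly right when OAC is doing the access control.
    """
    return {
        "Id": origin_id,
        "DomainName": bucket_domain,
        "OriginAccessControlId": oac_id,
        "S3OriginConfig": {"OriginAccessIdentity": ""},  # required, empty = no OAI
    }


def check_distribution_config(config, waf_classic=False):
    """Return the mistakes this issue describes (empty list = all good).

    Purely local: nothing is sent to AWS. Set waf_classic=True if the ACL in
    WebACLId was created with WAF Classic, where a bare ID is the right form.
    """
    problems = []
    for origin in config["Origins"]["Items"]:
        oid, dom, s3cfg = origin["Id"], origin["DomainName"], origin.get("S3OriginConfig")
        if S3_WEBSITE.match(dom) and "CustomOriginConfig" not in origin:
            problems.append(f"{oid}: website endpoint needs CustomOriginConfig")
        elif S3_REST.match(dom):
            if s3cfg is None:
                problems.append(f"{oid}: S3 origin lacks S3OriginConfig (InvalidOrigin)")
            elif not origin.get("OriginAccessControlId") and not s3cfg.get("OriginAccessIdentity"):
                problems.append(f"{oid}: no OAC and no OAI, bucket would have to be public")
    acl = config.get("WebACLId", "")
    if acl and not WAFV2_ARN.match(acl) and not (waf_classic and CLASSIC_ID.match(acl)):
        problems.append("WebACLId: a WAFv2 web ACL must be given as its ARN, not its ID")
    return problems
```

Run `check_distribution_config(DistributionConfig)` on the dict before calling `create_distribution`; the third check has no API error behind it but catches an origin that would only work with a public bucket.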
@diningPhilosopher64 (Author)

Makes sense!
