I have a AWS Cloudformation stack, created in Python using Troposphere. I need to add OriginAccessIdentity to the S3 bucket access policy.
Amongst other things, I am importing the following:
from awacs.aws import (
Allow,
Policy,
AWSPrincipal,
Statement
)
Part of the stack creates a Cloudfront distribution, added a S3 Origin with just one associated cacheBehavior. This works fine, the Origin an behavior are created and can be seen in the AWS Cloudfront console.
I have used the following code to create an OriginAccessIdentity:
cloudfrontOriginAccessIdentity = t.add_resource(CloudFrontOriginAccessIdentity(
"cloudfrontOriginAccessIdentity",
CloudFrontOriginAccessIdentityConfig=CloudFrontOriginAccessIdentityConfig(
Comment = "React-Pattern-Origin-Access-Identity"
)
))
Again, this works fine and the OriginAccessIdentity is created and can be seen in the AWS Cloudfront console, and is associated with the Origin.
I am using the following code to create a S3BucketPolicy:
t.add_resource(s3.BucketPolicy(
"reactBucketPolicy",
Bucket=Ref("ParamS3BucketName"),
PolicyDocument=dict(
Statement=[dict(
Sid="reactBucketPolicyStatement01",
Effect="Allow",
Action=[
"s3:GetObject"
],
Principal=AWSPrincipal(["*"]),
Resource=[Join("", ["arn:aws:s3:::", Ref("ParamS3BucketName"), "/*"])],
)],
)
))
This too works fine, with the policy being generated and attached to the bucket - can be seen in the AWS S3 console.
The issue I am having is trying to replace
Principal=AWSPrincipal(["*"])
with
Principal=AWSPrincipal([<the_origin_access_identity>])
I have tried
Principal=AWSPrincipal([Join("", ["origin-access-identity/cloudfront/", "Ref(cloudfrontoriginaccessidentity)"])])
and
Principal=AWSPrincipal([Ref(cloudfrontoriginaccessidentity)])
but Cloudformation rejects the update, saying that the Principal is invalid.
What do I need to replace the * with in order to get Cloudformation to add my OriginAccessIdentity as the principal to the policy?
Replace this:
with this:
Replace this:
with this: