ertius.org

`us-east-1` is special, part 9000

One specific hitch along the way was that I'd set up CloudFront to use an S3 backend as an origin, but accessing the CloudFront URL triggered a redirect to an S3 URL, which of course 403ed.

Fortunately my Google search for a vague description of the problem found an extremely helpful GitHub issues post in reply to someone else with the same problem:

> This won't be a problem in us-east-1, but only all other regions. So instead of the default s3 global dns endpoint (mybucket.s3.amazonaws.com) you can change it to use mybucket.s3..amazonaws.com.
>
> The reason for this issue is that the DNS propagation for other region specific DNS entries is immediate, but the global "s3.amazonaws.com" takes some time. CloudFront and S3 don't pick up on this being available yet after deploying, but give it about 12-24 hours and it sorts itself out.

So, the fix is to explicitly use the regional endpoint for the S3 bucket, which is available as `!GetAtt S3BucketForWebsiteContent.RegionalDomainName` in the CloudFormation template:

```yaml
Origins:
  - Id: S3Origin
    # has to be the *regional* name to avoid https://github.com/amazon-connect/voicemail-for-amazon-connect/issues/84 - CloudFront redirecting to https://bucketname.s3.eu-west-2.amazonaws.com/index.html
    DomainName: !GetAtt S3BucketForWebsiteContent.RegionalDomainName
```
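
As an added example (not code from this post or the linked issue), here is a small lint check for the same mistake: it scans a CloudFormation template in JSON form for CloudFront origins that point at the global S3 endpoint, either as a literal hostname or through `Fn::GetAtt` of a bucket's `DomainName`. The sample template, the `GoodCdn`/`BadCdn` resources and the function names are constructed for illustration.

```python
import json
import re

# Region-less S3 endpoint, e.g. mybucket.s3.amazonaws.com
GLOBAL_S3 = re.compile(r"^[a-z0-9.-]+\.s3\.amazonaws\.com$")

def origin_problem(domain_name, resources):
    """Return why this origin DomainName hits the global S3 endpoint, or None."""
    if isinstance(domain_name, str):
        return "literal global endpoint" if GLOBAL_S3.match(domain_name.lower()) else None
    if isinstance(domain_name, dict):
        target = domain_name.get("Fn::GetAtt")
        if not (isinstance(target, list) and len(target) == 2):
            return None
        logical_id, attr = target
        # Only S3 buckets matter here; other resource types also expose DomainName.
        is_bucket = resources.get(logical_id, {}).get("Type") == "AWS::S3::Bucket"
        if is_bucket and attr == "DomainName":
            return "GetAtt DomainName (use RegionalDomainName)"
    return None

def find_global_s3_origins(template):
    """List (distribution, origin Id, reason) for each origin on the global endpoint."""
    resources = template.get("Resources", {})
    findings = []
    for name, res in resources.items():
        if res.get("Type") != "AWS::CloudFront::Distribution":
            continue
        config = res.get("Properties", {}).get("DistributionConfig", {})
        for origin in config.get("Origins", []):
            reason = origin_problem(origin.get("DomainName"), resources)
            if reason:
                findings.append((name, origin.get("Id"), reason))
    return findings

# Constructed sample template (JSON form of CloudFormation), not from the post.
SAMPLE = json.loads("""
{"Resources": {
  "S3BucketForWebsiteContent": {"Type": "AWS::S3::Bucket"},
  "GoodCdn": {"Type": "AWS::CloudFront::Distribution", "Properties": {"DistributionConfig": {
    "Origins": [{"Id": "S3Origin", "DomainName":
      {"Fn::GetAtt": ["S3BucketForWebsiteContent", "RegionalDomainName"]}}]}}},
  "BadCdn": {"Type": "AWS::CloudFront::Distribution", "Properties": {"DistributionConfig": {
    "Origins": [
      {"Id": "ViaGetAtt", "DomainName": {"Fn::GetAtt": ["S3BucketForWebsiteContent", "DomainName"]}},
      {"Id": "Literal", "DomainName": "mybucket.s3.amazonaws.com"}]}}}
}}
""")
```

Calling `find_global_s3_origins(SAMPLE)` reports both `BadCdn` origins and leaves the `RegionalDomainName` origin alone.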

It was also a good reminder that S3 buckets are in a global namespace.