Check out a free preview of the full AWS For Front-End Engineers, v2 course:
The "OAI" Lesson is part of the full, AWS For Front-End Engineers, v2 course featured in this preview video. Here's what you'd learn in this lesson:

Steve configures the Origin Access Identity (OAI) so access to the S3 bucket is limited to CloudFront. This ensures the bucket cannot be directly accessed publically. All request must come through CloudFront.

Get Unlimited Access Now

Transcript from the "OAI" Lesson

>> One of those points about CloudFront is that it will stop things from going to your s3 bucket, so that theoretically you're not paying for the requests. I think when we did the version of course a few years ago, yeah, but you're serving this stuff, so on and so forth.

[00:00:16] There is a new feature in CloudFront called origin access identity, but it is basically saying, hey, S3 bucket, I'm cloud front. I'm gonna get stuff out of here, nobody else is allowed to, all right, and it will go ahead and do it for you. And so that way we can actually go back to locking down the bucket completely, but also have cloud front have access to the bucket.

[00:00:43] So CloudFront can pull stuff out of s3 bucket, nobody else can, thereby making sure as few requests get to that bucket as possible. So we're gonna go ahead and we're going to basically lock down the bucket, turn this on. Now the one thing I will warn you as we kind of get into this section is, because everything is distributed and because it has to propagate.

[00:01:06] Some of this stuff takes time, right, so we might end up in a situation we try something it doesn't work. We have to adjust it, some of it is issue, it's a little bit of a fine art to develop the spiritual apparatus to understand. Is my hunch that it's not working cuz I messed up a setting, cuz messing up the smallest setting will bring it down.

[00:01:29] Or do I just need to be a teensy bit more patient, so we'll figure that out as a team. But also, I'm sure through the magic of video editing, if you're watching this later, it might seem like stuff moves a lot faster. So kind of is also a mental note, if you're watching the recorded version of this that some of the stuff you do need to kind of give it a second.

[00:01:50] It is phenomenally faster than it was a few years ago. A few years ago, we were talking more like 5 to 10 minutes, now it's closer to 30 to 60 seconds for most things. But you just have to be mentally prepared for that as well. So before, the way we had was working with our CloudFront can wrap anything, it can wrap an s3 bucket, that's totally cool.

[00:02:12] It can take your API endpoints that are hosted, either on an Amazon EC two instance, API gateway, your own data centers, so on and so forth. You can just point out something, it'll pass through CloudFront and CloudFront will do all that caching, right? But we can't have it work in the s3 bucket as well, so we were just using the website that we were hosting.

[00:02:34] We can also, we can switch it to that bucket, right, like I said, just clicking on this from the drop down menu. I think we were joking during one of the breaks, there are still blog posts out there saying, whatever you do, don't pick that unless you do this.

[00:02:47] So we know that's the base one, and that'll work and then we can turn on this, give it access to the s3 bucket. Because what happened, what used to happen previously is you just pick that. But it didn't have all of that kinda principle of least privilege and stuff like that, it was a cool, I can't get anything, I can get you an error message.

[00:03:09] Thank you, CloudFront, that was very helpful of you, I'm really glad. So here we can say, okay, use this bucket and then we will restrict access only to CloudFront. So we can go ahead, we can use what user effectively that's going to create, it's not really a full IM user, it's a origin access identity.

[00:03:35] Hit Create for new one, have got that in place. Now I'm gonna warn you, ideally, you would just wanna CloudFront update the buckets access policy. I've done this a few times, 50% of the time it works every time, so we'll hit it. I'm gonna hit Save. And I did not get an error message, now you notice the pause in my voice, did anyone get an error message?

[00:04:11] So some people got an error message, not everyone, all right, let's talk about what to do. It'd be great if we all consistently got the error message or no one got the error message, but let's go for it. You can even see that when I tried to do it and it failed, I was ready with a meme, right?

[00:04:33] I was ready with a Thanos reference, so we can kind of go in and what we'll do is we'll look at the policy that we need to create. And then we'll go ahead and apply it in the case that it didn't work previously. So this is not much different than the policy that we set earlier, right?

[00:04:57] Before, we said, anything or anyone rather, was allowed to get things out of the bucket, right? When CloudFront made that OAI, it made some kind of identifier for it, right? And so all that we're going to do is we're going to go back over to our bucket and we're going to say.

[00:05:22] Okay, instead of anyone, only this one, only user can access the bucket, this user happens to be cloudfront. And cloudfront will then be able to access the bucket and nobody else will, which means if you want our sweet, sweet JavaScripts. You have to go through CloudFront to get it.

[00:05:42] Now one thing that I will point out, again, I don't it does not bring me joy is if you look, go back at this, that starts with an A, right? You go back to CloudFront and you see, this is the, yeah, this is this, that's your CloudFront distribution ID.

[00:06:04] That is not your origin access identity ID, to find that, just go over here to the sidebar to origin access identities. That is the one you are looking for. It is the different set of random letters and numbers that start with an A, they're roughly the same length and all caps.

[00:06:23] [LAUGH] Use the previous one, that is the wrong one, ask me how I know. Don't ask me how I know cuz a lot of anger in the answer, right? But this is the value that you want, and I'll give everyone a second to go do that, but what we wanna do is grab this, right?

[00:06:45] And you can head back into S3. Go find your bucket. Go to permissions, find your policy, in my case, I still need to come in here and delete the everyone one anyway. So you should join me here anyway, and basically, if it failed at putting it in there for you.

[00:07:16] You can either replace this star with this but your identifier, or if you got it put in there for you, then you can delete the everyone has access piece. I will leave these here for now, they're identical other than the fact that this one is saying, CloudFront has access, this one saying, everyone has access.

[00:07:42] So what we wanna do is we want to delete this one, we want to keep this one or add this one if we didn't have it. There's a version of that in the course notes as well, doesn't, it's just it's usually like it's auto generating them for you.

[00:08:00] You can also give them cute names like, you can make the sad cloud fronts OAI access. That's a really good name, [LAUGH] too, not super helpful, but yeah.
>> Yeah, it was interesting to me that it had the very specific string, and then just do for the auto generate?

>> Yeah, it's completely arbitrary, I would name it something that makes you happy.