Hey folks, I’m having trouble with my CloudFront setup. I’ve got a distribution linked to an S3 bucket. Everything works fine for files I put in S3 through the AWS console. I can access them using the distribution URL.
But here’s the weird part. When I upload images from my Golang backend on EC2, they make it to S3 okay. But trying to access them through CloudFront gives me an ‘access denied’ error. I’ve checked the ACLs with the AWS CLI, and they look the same as the console-uploaded files.
I’m using this Go code to upload:
    result, err := s3Client.PutObject(&s3.PutObjectInput{
        Bucket:      aws.String(myBucket),
        Key:         aws.String(imageName),
        Body:        imageFile,
        ContentType: aws.String("image/jpeg"),
    })
Any ideas what might be causing this? What should I look at next to figure out why CloudFront treats these uploads differently?
hmmm, interesting problem! have u tried checking the object metadata after uploading from EC2? sometimes there's subtle differences that cloudfront picks up on. maybe try comparing the metadata of a working file vs EC2-uploaded one? also, what's ur caching setup like in cloudfront? could be a weird caching issue. let us know what u find!
I encountered a similar issue with CloudFront and S3 uploads from EC2. The problem likely stems from object metadata or permissions set during the upload process. One key area to investigate is the ACL (Access Control List) settings for your S3 objects.
Try modifying your Go code to explicitly set the ACL to ‘public-read’ when uploading:
    result, err := s3Client.PutObject(&s3.PutObjectInput{
        Bucket:      aws.String(myBucket),
        Key:         aws.String(imageName),
        Body:        imageFile,
        ContentType: aws.String("image/jpeg"),
        ACL:         aws.String("public-read"),
    })
If that doesn’t resolve the issue, check your bucket policy and ensure it grants the necessary permissions to CloudFront. Also, verify that your CloudFront distribution’s origin access identity (OAI) is correctly configured to access the S3 bucket.
Lastly, consider implementing server-side encryption for your S3 objects and ensure CloudFront is set up to handle encrypted content if applicable.
hey, have u checked ur cloudfront OAI settings? sometimes it gets funky w/ EC2 uploads. maybe try setting ‘public-read’ ACL in ur go code:
    result, err := s3Client.PutObject(&s3.PutObjectInput{
        …
        ACL: aws.String("public-read"),
    })
if that don't work, double-check ur bucket policy. good luck!
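
The bucket-policy check suggested in the replies above, as an added example that is not part of any post in this thread: a Go program (standard library only) that parses a bucket policy document and reports whether a CloudFront OAI principal is allowed `s3:GetObject` on a given object key. The OAI ID, bucket name, keys and policy are constructed sample values, and the code assumes `Statement` is a list whose principals use the `{"AWS": ...}` form.

```go
package main

import (
	"encoding/json"
	"regexp"
	"strings"
)

// strs decodes IAM fields that hold either one string or a list of strings.
type strs []string
func (v *strs) UnmarshalJSON(b []byte) error {
	if len(b) > 0 && b[0] == '"' {
		b = append(append([]byte{'['}, b...), ']') // wrap a lone string as a list
	}
	return json.Unmarshal(b, (*[]string)(v))
}

// matches reports whether s fits any pattern (IAM * and ? wildcards); flags is "" or "(?i)".
func matches(patterns strs, s, flags string) bool {
	alt := strings.NewReplacer(`\*`, `.*`, `\?`, `.`, "\x00", "|").Replace(regexp.QuoteMeta(strings.Join(patterns, "\x00")))
	return len(patterns) > 0 && regexp.MustCompile(flags+"^("+alt+")$").MatchString(s)
}

// oaiCanGet evaluates Allow/Deny for the OAI on key; Condition and Not* elements are not evaluated.
func oaiCanGet(doc, oai, bucket, key string) (bool, error) {
	var p struct {
		Statement []struct {
			Effect           string
			Principal        struct{ AWS strs }
			Action, Resource strs
		}
	}
	err := json.Unmarshal([]byte(doc), &p)
	object, allowed, denied := "arn:aws:s3:::"+bucket+"/"+key, false, false
	for _, st := range p.Statement {
		if matches(st.Principal.AWS, oai, "") && matches(st.Action, "s3:GetObject", "(?i)") && matches(st.Resource, object, "") {
			allowed, denied = allowed || st.Effect == "Allow", denied || st.Effect == "Deny"
		}
	}
	return err == nil && allowed && !denied, err // an explicit Deny overrides any Allow
}

// Constructed sample: placeholder OAI ID and a policy scoped to the static/ prefix only.
const sampleOAI = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEID"
const samplePolicy = `{"Statement":[{"Effect":"Allow","Principal":{"AWS":"` + sampleOAI + `"},"Action":"s3:GetObject","Resource":"arn:aws:s3:::example-bucket/static/*"}]}`

func main() {
	ok, _ := oaiCanGet(samplePolicy, sampleOAI, "example-bucket", "uploads/photo.jpg")
	println("OAI may read uploads/photo.jpg:", ok) // false: the key is outside static/
}
```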