aws
Access Denied when upgrading from PDK 0.25.13 to later version
Describe the bug
Hi We have been using PDK version 0.25.13. We encounter an issue with upgrading 0.25.13 to any later version of PDK.
We have a React front end that
- Allow the user to create a project
- After creating the project, redirect to /projects/{project-id}
The redirect will cause "Access Denied" error
This is the request with error from the browser
and the log from Cloudfront
2025-04-15 01:31:27 SYD62-P1 350 124.170.236.69 GET mydomain.cloudfront.net /projects/project-6129b5d0-cd2c-42a3-a8da-b8085987783b 403 https://mydomain.cloudfront.net/new-project Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/135.0.0.0%20Safari/537.36%20Edg/135.0.0.0 - - Error R8syZYk9oo8Ob6BdaAyke7BahEFsT0msxUUg5wcebj0sMUddtWJsEQ== mydomain.cloudfront.net https 69 0.012 - TLSv1.3 TLS_AES_128_GCM_SHA256 Error HTTP/2.0 - - 64299 0.012 Error application/xml - - -
2025-04-15 01:31:27 SYD62-P1 351 124.170.236.69 GET mydomain.cloudfront.net /favicon.ico 403 https://mydomain.cloudfront.net/projects/project-6129b5d0-cd2c-42a3-a8da-b8085987783b Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/135.0.0.0%20Safari/537.36%20Edg/135.0.0.0 - - Error yEaNi_eyFu1Kwhq9KDG85WYWOcEveLriPa_nL-N0xGcIVpUhNmPSaQ== mydomain.cloudfront.net https 36 0.013 - TLSv1.3 TLS_AES_128_GCM_SHA256 Error HTTP/2.0 - - 64299 0.013 Error application/xml - - -
2025-04-15 01:31:26 SYD62-P1 351 124.170.236.69 GET mydomain.cloudfront.net /projects/project-6129b5d0-cd2c-42a3-a8da-b8085987783b 403 https://mydomain.cloudfront.net/new-project Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/135.0.0.0%20Safari/537.36%20Edg/135.0.0.0 - - Error ibwK4aIc1pEtDkAWU1rGHH38ntRYjZxI0DxXJjFVQZ25sujb38nQ7w== mydomain.cloudfront.net https 77 0.049 - TLSv1.3 TLS_AES_128_GCM_SHA256 Error HTTP/2.0 - - 64299 0.049 Error application/xml - - -
2025-04-15 01:31:26 SYD62-P1 352 124.170.236.69 GET mydomain.cloudfront.net /favicon.ico 403 https://mydomain.cloudfront.net/projects/project-6129b5d0-cd2c-42a3-a8da-b8085987783b Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/135.0.0.0%20Safari/537.36%20Edg/135.0.0.0 - - Error N-RwkJrkAzTDTVtMwfG4SW_wrwqgThp7NN7h71tyBZrFO1DYvTpEUQ== mydomain.cloudfront.net https 36 0.029 - TLSv1.3 TLS_AES_128_GCM_SHA256 Error HTTP/2.0 - - 64299 0.029 Error application/xml - - -
2025-04-15 01:32:09 SYD62-P1 352 124.170.236.69 GET mydomain.cloudfront.net /projects/project-a2a2c7c7-99fe-4503-b2cc-c4d164082538 403 https://mydomain.cloudfront.net/new-project Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/135.0.0.0%20Safari/537.36%20Edg/135.0.0.0 - - Error La4XF7oXHztiMLIeFxq1I3dkdDXXAQ7JaJXlE6ds9O9fGzgRX4MlOw== mydomain.cloudfront.net https 67 0.033 - TLSv1.3 TLS_AES_128_GCM_SHA256 Error HTTP/2.0 - - 64299 0.033 Error application/xml - - -
2025-04-15 01:32:10 SYD62-P1 350 124.170.236.69 GET mydomain.cloudfront.net /favicon.ico 403 https://mydomain.cloudfront.net/projects/project-a2a2c7c7-99fe-4503-b2cc-c4d164082538 Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/135.0.0.0%20Safari/537.36%20Edg/135.0.0.0 - - Error wh8O77xElo6uN4YTalo0y8Z1Nh7gHzUu4LLW0lbbQRUH0f7doCoJPQ== mydomain.cloudfront.net https 102 0.028 - TLSv1.3 TLS_AES_128_GCM_SHA256 Error HTTP/2.0 - - 64299 0.028 Error application/xml - - -
I suspect that it may have something to do with the introduction of OAC in static-website in version 0.25.14?
Thanks
Expected Behavior
Upgrading to version later than 0.25.13 and redeploying without issues
Current Behavior
Current system is based on 0.25.13. Upgrading to any version later than 0.25.13 and reployding will cause "Access Denied" issue as described above
Reproduction Steps
- Create a project using PDK 0.25.13
- In the React app, POST/GET any URL that is not the cloudfront root URL, for e.g.
http://domain.cloudfront.net/some-path - Access Denied happens
Possible Solution
No response
Additional Information/Context
No response
PDK version used
0.25.13
What languages are you seeing this issue on?
Typescript
Environment details (OS name and version, etc.)
Ubuntu 24.04.2
Hey @AlexTo!
As a workaround, I wonder if changing the logical id of your StaticWebsite construct will address this? It should ensure CloudFormation creates a new CloudFront distribution.
Cheers, Jack
@cogwirrel I think creating a new CloudFront distribution doesn't help. I created a new project from scratch with the latest version 0.26.6
I will have "access denied" from CloudFront if I put https://some-id.cloudfront.net/some-path directly into my browser
It's fine if I first go to the root at https://some-id.cloudfront.net/ and then navigate around in my React app.
So from a bit of digging it looks like with OAC CloudFront now responds with a 403 instead of a 404 when you request a resource that's missing in the bucket. For single-page apps, we need to return the same index.html page for missing resources, so need to map 403 errors just like we did for 404 errors.
As a workaround you can pass distributionProps to the StaticWebsite construct, eg:
const website = new StaticWebsite(this, id, {
...
distributionProps: {
errorResponses: [
// Redirect 404 and 403 to index.html for single page apps
{
httpStatus: 404,
responseHttpStatus: 200,
responsePagePath: `/index.html`,
},
{
httpStatus: 403,
responseHttpStatus: 200,
responsePagePath: `/index.html`,
},
]
},
});
I'll raise a PR to fix this in the construct itself soon! :)