Alchemy

Appearance

CloudFrontOriginAccessIdentity ​

The CloudFrontOriginAccessIdentity resource allows you to create and manage AWS CloudFront Origin Access Identitites which are used to securely serve content from your Amazon S3 buckets through CloudFront.

Minimal Example ​

Create a basic CloudFront Origin Access Identity with required properties:

ts
import AWS from "alchemy/aws/control";

const originAccessIdentity = await AWS.CloudFront.CloudFrontOriginAccessIdentity("basicOriginAccessIdentity", {
  CloudFrontOriginAccessIdentityConfig: {
    Comment: "My origin access identity for secure content delivery"
  }
});

Advanced Configuration ​

Configure a CloudFront Origin Access Identity with an optional comment for better management:

ts
const advancedOriginAccessIdentity = await AWS.CloudFront.CloudFrontOriginAccessIdentity("advancedOriginAccessIdentity", {
  CloudFrontOriginAccessIdentityConfig: {
    Comment: "Origin access identity for my application resources"
  },
  adopt: true // Adopt existing resource if it already exists
});

Usage with S3 Bucket Policy ​

Set up an S3 bucket policy that grants read permissions to the CloudFront Origin Access Identity:

ts
import AWS from "alchemy/aws/control";

const myBucketPolicy = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Principal: {
      AWS: `arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${originAccessIdentity.Arn}`
    },
    Action: "s3:GetObject",
    Resource: "arn:aws:s3:::my-secure-bucket/*"
  }]
};

const s3BucketPolicy = await AWS.S3.BucketPolicy("myBucketPolicy", {
  Bucket: "my-secure-bucket",
  Policy: JSON.stringify(myBucketPolicy)
});

Updating an Existing Identity ​

Update an existing CloudFront Origin Access Identity to modify its comment:

ts
const updatedOriginAccessIdentity = await AWS.CloudFront.CloudFrontOriginAccessIdentity("updateOriginAccessIdentity", {
  CloudFrontOriginAccessIdentityConfig: {
    Comment: "Updated comment for origin access identity"
  },
  adopt: true // Ensure it adopts the existing resource
});

Deleting an Identity ​

Delete a CloudFront Origin Access Identity when it is no longer needed:

ts
const deleteOriginAccessIdentity = await AWS.CloudFront.CloudFrontOriginAccessIdentity("deleteOriginAccessIdentity", {
  CloudFrontOriginAccessIdentityConfig: {
    Comment: "Identity to be deleted"
  },
  adopt: false // Do not adopt existing resource; fail if it exists
});