No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Screen Shot 2022-08-30 at 00.29.04.png

okay, this is actually AWS creating a magic button to create a whole bunch of resources in the background. They don’t expose this via their API as a single setting, it’s actually a bucket policy.

there’s an example in typescript here: <https://github.com/jaxxstorm/pulumi-examples/blob/main/typescript/aws/s3-cloudfront/index.ts>

&gt; okay, this is actually AWS creating a magic button to create a whole bunch of resources in the background. They don’t expose this via their API as a single setting, it’s actually a bucket policy.
I understand for the “access control settings”. But what about “legacy access identities”?
Also wonder what is `origin_id`

&gt; there’s an example in typescript here: <https://github.com/jaxxstorm/pulumi-examples/blob/main/typescript/aws/s3-cloudfront/index.ts>
thanks, looking now, helps a lot

I see from your typescript example you need to apply a special policy to the bucket. Will try that

Even better, the example in Python in my case:

<https://github.com/jaxxstorm/pulumi-examples/blob/main/python/aws/s3_bucket_cloudfront/__main__.py>

FYI, OAC was just announced <https://aws.amazon.com/about-aws/whats-new/2022/08/amazon-cloudfront-origin-access-control/>

If your bucket uses SSE, you need to use AES256, KMS doesn't work with OAI

OAC isn’t in the cloud control API or terraform yet :disappointed: