AWS S3 bucket error - The parameter Origin DomainName does not refer to a valid S3 bucket

Avatar
Rahul Panchal
  • Updated

Introduction

Problem

Sometimes users are unable to configure a Amazon CloudFront VPC origin with an Application Load Balancer (ALB) using Terraform.

Terraform apply operations fails with the following error:

InvalidArgument: The parameter Origin DomainName does not refer to a valid S3 bucket

Additionally, the affected CloudFront distributions incorrectly shows the origin type as S3 instead of VPC, indicating a misconfigured origin block.

This prevents successful deployment of CloudFront distributions using an ALB attached via VPC origin.

 

Cause

The issue could be caused by incorrect Terraform configuration of the CloudFront origin block.

Key Misconfigurations Identified:

  1. Incorrect placement of vpc_origin_id

    • The vpc_origin_id attribute is defined at the wrong level.

    • It must be nested under the required vpc_origin_config block.

  2. Unsupported arguments used

    • subnet_ids and security_group_ids were passed to the aws_cloudfront_vpc_origin resource.

    • These attributes were not supported in the deployed provider version.

  3. Schema requirement for domain_name

    • CloudFront requires a domain_name attribute in the origin block schema.

    • If omitted or misconfigured, CloudFront defaults to validating against S3, resulting in the “Invalid S3 bucket” error.

Version Validation

  • AWS Provider version used: v6.12.0 (Supported)

  • CloudFront module upgraded to: v5.0.0 (Supported)

  • Verified provider compatibility requirement: ≥ v5.82

  • Verified module compatibility requirement: ≥ v4.0.0

The root cause is purely configuration-related, not a provider or AWS service issue.

 

Solutions:

The following corrective actions should resolve the issue:

1️⃣ Corrected Origin Block Syntax

Ensure that vpc_origin_id is properly nested:

origin {
  domain_name = "placeholder.example.com" # Required by schema
  origin_id   = "my-vpc-origin"

  vpc_origin_config {
    vpc_origin_id = aws_cloudfront_vpc_origin.example.id
  }
}

2️⃣ Removed Unsupported Attributes

Remove the following unsupported arguments from the aws_cloudfront_vpc_origin resource:

# Removed:
subnet_ids
security_group_ids

3️⃣ Added Placeholder domain_name

A placeholder value should be added for domain_name:

  • Required by CloudFront schema

  • Ignored at runtime when using VPC origins

  • Prevents S3 validation error

4️⃣ Verified Provider & Module Versions

Confirme :

  • AWS Provider ≥ v5.82

  • CloudFront Module ≥ v4.0.0

 

Outcome

After applying the corrected configuration:

  • Terraform apply completed successfully.

  • CloudFront distribution correctly recognized the origin as a VPC origin.

  • ALB was successfully attached as the distribution origin.

  • No further InvalidArgument or S3 validation errors occurred.

The issue was fully resolved through configuration correction without requiring infrastructure changes or AWS-side intervention.

Articles in this section

See more

Related articles