AWS Scala Stream Collector and JavaScript Tracker resulting in 405 & 403 errors

Hi everyone! I’m brand new to Snowplow and am having a little trouble deploying the Scala Stream Collector and JavaScript tracker successfully.

I have the collector running on its own EC2 instance via Docker Container, and that returns an OK response when I do a health check. The JavaScript tracker is hosted in S3 and delivered via CloudFront. However, when I check via browser whether the tracker is sending events to the collector, I’m met with the following error:

POST https://{{my cloudfront subdomain}}.cloudfront.net/3.0.3/{{tracker}}.js/com.snowplowanalytics.snowplow/tp2 405

It seems the POST method is not allowed, either by my tracker’s CloudFront distribution or by the underlying S3 bucket. I’ve tried many different permissions configurations to enable this, but haven’t been able to make it work.

On the S3 bucket, I’ve granted wide-open S3 permissions to an Origin Access Identity that’s associated with the bucket’s CloudFront distribution using the following bucket policy:

{
    "Version": "2012-10-17",
    "Id": "{{Policy-Name}}",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {{Origin-Access-ID-#}}"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::{{bucket-name}}/3.0.3/{{tracker-name}}.js"
        }
    ]
}

I’m also using the following CORS policy on the bucket:

[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "PUT",
            "POST",
            "DELETE",
            "GET",
            "HEAD"
        ],
        "AllowedOrigins": [
            "http://www.{{my-domain}}.com",
            "https://www.{{my-domain}}.com",
            "http://{{my-domain}}.com",
            "https://{{my-domain}}.com"
        ],
        "ExposeHeaders": []
    }
]

The last S3 thing that may be relevant is my Access control list (ACL), which is currently set for the entire bucket as follows:

I wonder if it’s as simple as enabling Write access for the “Everyone” group? However, when I try to do so via the AWS console, that option is greyed out and is only possible via CLI.

I’ll also note that I have granted Read permissions for my tracker js file to the “Everyone (Public Access)” grantee for both the Object and the Object ACL.

Moving on to the CloudFront Distribution’s Behavior settings, I’ve set the Viewer Protocol Policy to “Redirect HTTP to HTTPS”, and for Allowed HTTP Methods I’ve selected “GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE.” This being the case, I don’t understand why the “POST” method is not allowed.

Last thing: out of curiosity, I changed the “eventMethod” in the tracker snippet on my webpage from “POST” to “GET.” This eliminated the 405 error, but replaced it with a 403 error. I won’t post the error message here (unless requested) because it’s almost 2000 characters long. But it looks like the tracker is trying to pass all the session details on to the collector via the CloudFront URL before facing the access denied error. Not sure if this is a separate issue or is related to the 405 error, but I wanted to be thorough so I’m bringing it up.

@samurijv2, I think there is a misconception here. Your tracker is meant to be embedded in your web application. The tracker would fire events on your webpages and send the events to your collector URI, not the hosted URI of the tracker. What is the URI of your collector?

That cleared it up completely, thank you. I was using the tracker URI where I should have been using the collector URI. Problem solved! I appreciate the help.
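
The mix-up resolved above can be caught before deployment with a small configuration check. The following is an added example, not code from the thread or from Snowplow: it models the request URL as the configured endpoint plus the collector path (the POST path is the one visible in the 405 URL above; `/i` is the collector's GET path) and flags an endpoint that points at the tracker's static hosting. The host names, the `sp.js` file name and the function names are constructed for illustration.

```javascript
// Added example: pre-deployment check for a tracker configuration.
// Collector paths: POST path as seen in the 405 URL in the thread, GET path '/i'.
const PATHS = { post: '/com.snowplowanalytics.snowplow/tp2', get: '/i' };

// Accept endpoints written with or without a scheme.
function parseEndpoint(endpoint) {
  const withScheme = /^https?:\/\//i.test(endpoint) ? endpoint : `https://${endpoint}`;
  return new URL(withScheme);
}

// Model of the URL the browser will request for this endpoint and eventMethod.
function eventUrl(endpoint, eventMethod = 'post') {
  const path = PATHS[eventMethod.toLowerCase()];
  if (!path) throw new Error(`unsupported eventMethod: ${eventMethod}`);
  const u = parseEndpoint(endpoint);
  return u.origin + u.pathname.replace(/\/+$/, '') + path;
}

// Returns the modelled request URL and a list of findings (empty = no issue found).
function checkTrackerConfig({ scriptUrl, endpoint, eventMethod = 'post' }) {
  const script = new URL(scriptUrl);
  const target = parseEndpoint(endpoint);
  const findings = [];
  if (target.host === script.host) {
    findings.push('endpoint host is the host that serves the tracker script');
  }
  if (/\.(js|css|html?|map)$/i.test(target.pathname)) {
    findings.push('endpoint path points at a static file, not a collector');
  }
  return { requestUrl: eventUrl(endpoint, eventMethod), findings };
}

// Constructed sample values (hypothetical hosts and file name).
const SCRIPT = 'https://d111111abcdef8.cloudfront.net/3.0.3/sp.js';
const misconfigured = checkTrackerConfig({ scriptUrl: SCRIPT, endpoint: SCRIPT });
const corrected = checkTrackerConfig({ scriptUrl: SCRIPT, endpoint: 'collector.example.com' });

console.log(misconfigured.requestUrl, misconfigured.findings);
console.log(corrected.requestUrl, corrected.findings);
```

With the endpoint corrected, the S3 bucket and CloudFront distribution only ever serve the script file, so the broad `s3:*` grant and the write-capable methods tried above are not needed for event delivery.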