
*****************************************
create_cloud_front_origin_access_identity
*****************************************



.. py:method:: CloudFront.Client.create_cloud_front_origin_access_identity(**kwargs)

  

  Creates a new origin access identity. If you're using Amazon S3 for your origin, you can use an origin access identity to require users to access your content using a CloudFront URL instead of the Amazon S3 URL. For more information about how to use origin access identities, see `Serving Private Content through CloudFront <https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html>`__ in the *Amazon CloudFront Developer Guide*.

  

  See also: `AWS API Documentation <https://docs.aws.amazon.com/goto/WebAPI/cloudfront-2020-05-31/CreateCloudFrontOriginAccessIdentity>`_  


  **Request Syntax**
  ::

    response = client.create_cloud_front_origin_access_identity(
        CloudFrontOriginAccessIdentityConfig={
            'CallerReference': 'string',
            'Comment': 'string'
        }
    )
    
  :type CloudFrontOriginAccessIdentityConfig: dict
  :param CloudFrontOriginAccessIdentityConfig: **[REQUIRED]** 

    The current configuration information for the identity.

    

  
    - **CallerReference** *(string) --* **[REQUIRED]** 

      A unique value (for example, a date-time stamp) that ensures that the request can't be replayed.

       

      If the value of ``CallerReference`` is new (regardless of the content of the ``CloudFrontOriginAccessIdentityConfig`` object), a new origin access identity is created.

       

      If the ``CallerReference`` is a value already sent in a previous identity request, and the content of the ``CloudFrontOriginAccessIdentityConfig`` is identical to the original request (ignoring white space), the response includes the same information returned to the original request.

       

      If the ``CallerReference`` is a value you already sent in a previous request to create an identity, but the content of the ``CloudFrontOriginAccessIdentityConfig`` is different from the original request, CloudFront returns a ``CloudFrontOriginAccessIdentityAlreadyExists`` error.

      

    
    - **Comment** *(string) --* **[REQUIRED]** 

      A comment to describe the origin access identity. The comment cannot be longer than 128 characters.

      

    
  
  
  :rtype: dict
  :returns: 
    
    **Response Syntax**

    
    ::

      {
          'CloudFrontOriginAccessIdentity': {
              'Id': 'string',
              'S3CanonicalUserId': 'string',
              'CloudFrontOriginAccessIdentityConfig': {
                  'CallerReference': 'string',
                  'Comment': 'string'
              }
          },
          'Location': 'string',
          'ETag': 'string'
      }
      
    **Response Structure**

    

    - *(dict) --* 

      The returned result of the corresponding request.

      
      

      - **CloudFrontOriginAccessIdentity** *(dict) --* 

        The origin access identity's information.

        
        

        - **Id** *(string) --* 

          The ID for the origin access identity, for example, ``E74FTE3AJFJ256A``.

          
        

        - **S3CanonicalUserId** *(string) --* 

          The Amazon S3 canonical user ID for the origin access identity, used when giving the origin access identity read permission to an object in Amazon S3.

          
        

        - **CloudFrontOriginAccessIdentityConfig** *(dict) --* 

          The current configuration information for the identity.

          
          

          - **CallerReference** *(string) --* 

            A unique value (for example, a date-time stamp) that ensures that the request can't be replayed.

             

            If the value of ``CallerReference`` is new (regardless of the content of the ``CloudFrontOriginAccessIdentityConfig`` object), a new origin access identity is created.

             

            If the ``CallerReference`` is a value already sent in a previous identity request, and the content of the ``CloudFrontOriginAccessIdentityConfig`` is identical to the original request (ignoring white space), the response includes the same information returned to the original request.

             

            If the ``CallerReference`` is a value you already sent in a previous request to create an identity, but the content of the ``CloudFrontOriginAccessIdentityConfig`` is different from the original request, CloudFront returns a ``CloudFrontOriginAccessIdentityAlreadyExists`` error.

            
          

          - **Comment** *(string) --* 

            A comment to describe the origin access identity. The comment cannot be longer than 128 characters.

            
      
    
      

      - **Location** *(string) --* 

        The fully qualified URI of the new origin access identity just created.

        
      

      - **ETag** *(string) --* 

        The current version of the origin access identity created.

        
  
  **Exceptions**
  
  *   :py:class:`CloudFront.Client.exceptions.MissingBody`

  
  *   :py:class:`CloudFront.Client.exceptions.TooManyCloudFrontOriginAccessIdentities`

  
  *   :py:class:`CloudFront.Client.exceptions.InconsistentQuantities`

  
  *   :py:class:`CloudFront.Client.exceptions.CloudFrontOriginAccessIdentityAlreadyExists`

  
  *   :py:class:`CloudFront.Client.exceptions.InvalidArgument`
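
The following is an added example, not part of the boto3 documentation: it builds the request with a ``CallerReference`` that is generated once and reused on retries, surfaces the ``CloudFrontOriginAccessIdentityAlreadyExists`` case, and turns the returned ``S3CanonicalUserId`` into a read-only S3 bucket policy. The helper names, the bucket name ``example-private-bucket`` and the policy ``Sid`` are assumptions made for illustration.

```python
import json
import uuid

MAX_COMMENT_LEN = 128  # limit stated for Comment on this page


def build_oai_config(comment, caller_reference=None):
    """Build CloudFrontOriginAccessIdentityConfig; both keys are required."""
    if len(comment) > MAX_COMMENT_LEN:
        raise ValueError("Comment cannot be longer than 128 characters")
    # Generate the reference once and reuse it on every retry of the same
    # logical request, so a retry returns the original identity.
    return {"CallerReference": caller_reference or str(uuid.uuid4()),
            "Comment": comment}


def create_oai(client, config):
    """Create the identity; return (Id, S3CanonicalUserId, ETag)."""
    try:
        resp = client.create_cloud_front_origin_access_identity(
            CloudFrontOriginAccessIdentityConfig=config)
    except client.exceptions.CloudFrontOriginAccessIdentityAlreadyExists:
        # Same CallerReference, different content: refuse rather than guess.
        raise RuntimeError("CallerReference reused with a different config")
    oai = resp["CloudFrontOriginAccessIdentity"]
    return oai["Id"], oai["S3CanonicalUserId"], resp["ETag"]


def read_only_bucket_policy(bucket, s3_canonical_user_id):
    """Bucket policy granting only s3:GetObject to the identity."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIRead",  # hypothetical statement id
            "Effect": "Allow",
            "Principal": {"CanonicalUser": s3_canonical_user_id},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::%s/*" % bucket,
        }],
    }, indent=2)


if __name__ == "__main__":
    import boto3  # needs AWS credentials; only imported when run directly
    cf = boto3.client("cloudfront")
    cfg = build_oai_config("OAI for example-private-bucket")
    oai_id, canonical_id, etag = create_oai(cf, cfg)
    print(read_only_bucket_policy("example-private-bucket", canonical_id))
```

Keep the returned ``ETag`` if you plan to update or delete the identity later, and persist the ``CallerReference`` alongside the job that created it so a retry after a timeout does not create a second identity.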

  