:doc:`CloudFront <../../cloudfront>` / Client / update_origin_access_control

****************************
update_origin_access_control
****************************



.. py:method:: CloudFront.Client.update_origin_access_control(**kwargs)

  

  Updates a CloudFront origin access control.

  

  See also: `AWS API Documentation <https://docs.aws.amazon.com/goto/WebAPI/cloudfront-2020-05-31/UpdateOriginAccessControl>`_  


  **Request Syntax**
  ::

    response = client.update_origin_access_control(
        OriginAccessControlConfig={
            'Name': 'string',
            'Description': 'string',
            'SigningProtocol': 'sigv4',
            'SigningBehavior': 'never'|'always'|'no-override',
            'OriginAccessControlOriginType': 's3'|'mediastore'|'mediapackagev2'|'lambda'
        },
        Id='string',
        IfMatch='string'
    )
    
  :type OriginAccessControlConfig: dict
  :param OriginAccessControlConfig: **[REQUIRED]** 

    An origin access control.

    

  
    - **Name** *(string) --* **[REQUIRED]** 

      A name to identify the origin access control. You can specify up to 64 characters.

      

    
    - **Description** *(string) --* 

      A description of the origin access control.

      

    
    - **SigningProtocol** *(string) --* **[REQUIRED]** 

      The signing protocol of the origin access control, which determines how CloudFront signs (authenticates) requests. The only valid value is ``sigv4``.

      

    
    - **SigningBehavior** *(string) --* **[REQUIRED]** 

      Specifies which requests CloudFront signs (adds authentication information to). Specify ``always`` for the most common use case. For more information, see `origin access control advanced settings <https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#oac-advanced-settings>`__ in the *Amazon CloudFront Developer Guide*.

       

      This field can have one of the following values:

       

      
      * ``always`` – CloudFront signs all origin requests, overwriting the ``Authorization`` header from the viewer request if one exists.
       
      * ``never`` – CloudFront doesn't sign any origin requests. This value turns off origin access control for all origins in all distributions that use this origin access control.
       
      * ``no-override`` – If the viewer request doesn't contain the ``Authorization`` header, then CloudFront signs the origin request. If the viewer request contains the ``Authorization`` header, then CloudFront doesn't sign the origin request and instead passes along the ``Authorization`` header from the viewer request. WARNING: To pass along the ``Authorization`` header from the viewer request, you *must* add the ``Authorization`` header to a `cache policy <https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-the-cache-key.html>`__ for all cache behaviors that use origins associated with this origin access control.
      

      

    
    - **OriginAccessControlOriginType** *(string) --* **[REQUIRED]** 

      The type of origin that this origin access control is for.

      

    
  
  :type Id: string
  :param Id: **[REQUIRED]** 

    The unique identifier of the origin access control that you are updating.

    

  
  :type IfMatch: string
  :param IfMatch: 

    The current version ( ``ETag`` value) of the origin access control that you are updating.

    

  
  
  :rtype: dict
  :returns: 
    
    **Response Syntax**

    
    ::

      {
          'OriginAccessControl': {
              'Id': 'string',
              'OriginAccessControlConfig': {
                  'Name': 'string',
                  'Description': 'string',
                  'SigningProtocol': 'sigv4',
                  'SigningBehavior': 'never'|'always'|'no-override',
                  'OriginAccessControlOriginType': 's3'|'mediastore'|'mediapackagev2'|'lambda'
              }
          },
          'ETag': 'string'
      }
      
    **Response Structure**

    

    - *(dict) --* 
      

      - **OriginAccessControl** *(dict) --* 

        The origin access control after it has been updated.

        
        

        - **Id** *(string) --* 

          The unique identifier of the origin access control.

          
        

        - **OriginAccessControlConfig** *(dict) --* 

          The origin access control.

          
          

          - **Name** *(string) --* 

            A name to identify the origin access control. You can specify up to 64 characters.

            
          

          - **Description** *(string) --* 

            A description of the origin access control.

            
          

          - **SigningProtocol** *(string) --* 

            The signing protocol of the origin access control, which determines how CloudFront signs (authenticates) requests. The only valid value is ``sigv4``.

            
          

          - **SigningBehavior** *(string) --* 

            Specifies which requests CloudFront signs (adds authentication information to). Specify ``always`` for the most common use case. For more information, see `origin access control advanced settings <https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#oac-advanced-settings>`__ in the *Amazon CloudFront Developer Guide*.

             

            This field can have one of the following values:

             

            
            * ``always`` – CloudFront signs all origin requests, overwriting the ``Authorization`` header from the viewer request if one exists.
             
            * ``never`` – CloudFront doesn't sign any origin requests. This value turns off origin access control for all origins in all distributions that use this origin access control.
             
            * ``no-override`` – If the viewer request doesn't contain the ``Authorization`` header, then CloudFront signs the origin request. If the viewer request contains the ``Authorization`` header, then CloudFront doesn't sign the origin request and instead passes along the ``Authorization`` header from the viewer request. WARNING: To pass along the ``Authorization`` header from the viewer request, you *must* add the ``Authorization`` header to a `cache policy <https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-the-cache-key.html>`__ for all cache behaviors that use origins associated with this origin access control.
            

            
          

          - **OriginAccessControlOriginType** *(string) --* 

            The type of origin that this origin access control is for.

            
      
    
      

      - **ETag** *(string) --* 

        The new version of the origin access control after it has been updated.

        
  
  **Exceptions**
  
  *   :py:class:`CloudFront.Client.exceptions.PreconditionFailed`

  
  *   :py:class:`CloudFront.Client.exceptions.AccessDenied`

  
  *   :py:class:`CloudFront.Client.exceptions.OriginAccessControlAlreadyExists`

  
  *   :py:class:`CloudFront.Client.exceptions.NoSuchOriginAccessControl`

  
  *   :py:class:`CloudFront.Client.exceptions.IllegalUpdate`

  
  *   :py:class:`CloudFront.Client.exceptions.InvalidArgument`

  
  *   :py:class:`CloudFront.Client.exceptions.InvalidIfMatchVersion`

  