diff --git a/endpoints/verbs/__init__.py b/endpoints/verbs/__init__.py
index 6ca94eb81..41aec4671 100644
--- a/endpoints/verbs/__init__.py
+++ b/endpoints/verbs/__init__.py
@@ -5,7 +5,7 @@ from flask import redirect, Blueprint, abort, send_file, make_response, request
 import features
-from app import app, signer, storage, metric_queue, license_validator
+from app import app, signer, storage, metric_queue, license_validator, config_provider, ip_resolver
 from auth.auth_context import get_authenticated_user
 from auth.decorators import process_auth
 from auth.permissions import ReadRepositoryPermission
@@ -48,7 +48,7 @@ def _open_stream(formatter, repo_image, tag, derived_image_id, handlers):
 def get_next_layer():
 # Re-Initialize the storage engine because some may not respond well to forking (e.g. S3)
- store = Storage(app, metric_queue)
+ store = Storage(app, metric_queue, config_provider=config_provider, ip_resolver=ip_resolver)
 for current_image in image_list:
 current_image_path = model.get_blob_path(current_image.blob)
 current_image_stream = store.stream_read_file(current_image.blob.locations,
@@ -97,7 +97,7 @@ def _write_derived_image_to_storage(verb, derived_image, queue_file):
 queue_file.add_exception_handler(handle_exception)
 # Re-Initialize the storage engine because some may not respond well to forking (e.g. S3)
- store = Storage(app, metric_queue)
+ store = Storage(app, metric_queue, config_provider=config_provider, ip_resolver=ip_resolver)
 image_path = model.get_blob_path(derived_image.blob)
 store.stream_write(derived_image.blob.locations, image_path, queue_file)
 queue_file.close()
diff --git a/storage/cloud.py b/storage/cloud.py
index 4acebe5e3..9064642c1 100644
--- a/storage/cloud.py
+++ b/storage/cloud.py
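Review bot: The call `Storage(app, metric_queue, config_provider=config_provider, ip_resolver=ip_resolver)` is now spelled out twice in endpoints/verbs/__init__.py, in `get_next_layer` (hunk at -48) and in `_write_derived_image_to_storage` (hunk at -97), each under the same re-initialisation comment. A small module-level helper, for example `def _new_storage(): return Storage(app, metric_queue, config_provider=config_provider, ip_resolver=ip_resolver)`, would keep the two post-fork instances constructed identically. That matters because the storage/cloud.py part of this commit makes a missing `config_provider` a quiet fallback to plain S3 URLs, so a call site that drifts would change download behaviour without raising. Both functions start and end outside their hunks.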
@@ -613,9 +613,15 @@ class CloudFrontedS3Storage(S3Storage):
 def get_direct_download_url(self, path, request_ip=None, expires_in=60, requires_cors=False, head=False):
+ # If CloudFront could not be loaded, fall back to normal S3.
+ if self.cloudfront_privatekey is None:
+ return super(CloudFrontedS3Storage, self).get_direct_download_url(path, request_ip,
+ expires_in, requires_cors,
+ head)
+
 resolved_ip_info = None
 logger.debug('Got direct download request for path "%s" with IP "%s"', path, request_ip)
- if request_ip is not None:
+ if request_ip is not None and self._context.ip_resolver is not None:
 # Lookup the IP address in our resolution table and determine whether it is under AWS. If it is,
 # then return an S3 signed URL, since we are in-network.
 resolved_ip_info = self._context.ip_resolver.resolve_ip(request_ip)
@@ -652,6 +658,9 @@ class CloudFrontedS3Storage(S3Storage):
 """ Returns the private key, loaded from the config provider, used to sign direct download URLs to CloudFront. """
+ if self._context.config_provider is None:
+ return None
+
 with self._context.config_provider.get_volume_file(cloudfront_privatekey_filename) as key_file:
 return serialization.load_pem_private_key(
 key_file.read(),
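Review bot: The new early return in `get_direct_download_url` switches from CloudFront-signed to S3-signed URLs without leaving any trace, so a deployment whose key failed to load looks healthy while handing out a different kind of URL. A log line just before the `return super(...)` would make this visible, e.g. `logger.debug('CloudFront private key not loaded; using S3 signed URL for path "%s"', path)`. The same applies to the `self._context.ip_resolver is not None` guard: with no resolver the AWS in-network check is skipped for every request, which presumably routes all of them to the CloudFront branch (that branch is outside the hunk, so please confirm). How `self.cloudfront_privatekey` gets populated is not visible here, and the function body continues past the end of the hunk.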
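Review bot: The docstring in the hunk at -652 still promises "the private key", but the added guard makes `None` a valid return value whenever `self._context.config_provider is None`. I would extend the docstring with a sentence such as `Returns None if no config provider is available.` so callers know they must handle the missing-key case. If this method's result is memoised (its decorators and signature are outside the hunk), it is also worth stating in a comment that the `None` result would persist for the lifetime of the instance. The `load_pem_private_key(...)` call is cut off at the end of the hunk.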