Access Denied when creating CloudFront invalidation with AWS CLI

Question:

I’m using the AWS CLI to create a CloudFront distribution in a script:

I have a policy set up with this statement:

The policy is attached to the user that is running the command. However, I still get this error:

A client error (AccessDenied) occurred when calling the CreateInvalidation operation: User: arn:aws:iam::xxx:user/yyy is not authorized to perform: cloudfront:CreateInvalidation

Answer:

The problem is that CloudFront can’t work with a policy that specifies a resource. “Widening” the policy fixes the error.

This support thread states:

CloudFront does not support Resource-Level permissions for IAM.

It’s also buried in the documentation for CloudFront:


That means the policy needs to be:
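The answer's rule is that the `Resource` element, not the `Action` list, is what has to be widened. As an added example (not from the original question, answer or AWS), the following Python script scans a policy document for `Allow` statements that pair a `cloudfront:` action with a specific resource ARN and rewrites them to `"Resource": "*"`. It goes slightly beyond the single statement in the thread: where a statement mixes CloudFront actions with other services, it splits the statement so that only the CloudFront actions are widened and the other actions keep their original resource scope. The sample policy, the distribution ARN and the function names are constructed for illustration.

```python
"""Added example (not from the original Q&A): find and widen IAM statements
that scope a cloudfront: action to a resource ARN, which the answer above
identifies as the cause of the AccessDenied on CreateInvalidation.
Only the Resource element is widened; the Action list stays as narrow as
the author wrote it."""
import copy
import json

# Constructed sample policy: the first two statements reproduce the
# pattern that the answer says CloudFront rejects.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "InvalidateCache",
            "Effect": "Allow",
            "Action": "cloudfront:CreateInvalidation",
            # Placeholder distribution ARN (hypothetical account/id).
            "Resource": "arn:aws:cloudfront::123456789012:distribution/EXAMPLE123",
        },
        {
            "Sid": "Mixed",
            "Effect": "Allow",
            "Action": ["cloudfront:ListInvalidations", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket"],
        },
        {
            "Sid": "ReadObjects",
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
    ],
}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_cloudfront(action):
    return action.lower().startswith("cloudfront:")


def find_scoped_cloudfront_statements(policy):
    """Return the Sid (or list index as a string) of every Allow statement
    that grants a cloudfront: action against a Resource other than "*"."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(_is_cloudfront(a) for a in actions) and any(r != "*" for r in resources):
            findings.append(stmt.get("Sid", str(idx)))
    return findings


def widen_cloudfront_resources(policy):
    """Return a deep copy in which flagged statements get Resource "*".
    A statement that also carries non-CloudFront actions is split, so the
    wildcard resource is granted to the CloudFront actions only."""
    fixed = copy.deepcopy(policy)
    flagged = set(find_scoped_cloudfront_statements(policy))
    rewritten = []
    for idx, stmt in enumerate(fixed.get("Statement", [])):
        if stmt.get("Sid", str(idx)) not in flagged:
            rewritten.append(stmt)
            continue
        actions = _as_list(stmt.get("Action", []))
        cf_actions = [a for a in actions if _is_cloudfront(a)]
        other_actions = [a for a in actions if not _is_cloudfront(a)]

        widened = dict(stmt)
        widened["Action"] = cf_actions
        widened["Resource"] = "*"
        rewritten.append(widened)

        if other_actions:
            rest = dict(stmt)  # keeps the original Resource scope
            rest["Action"] = other_actions
            if "Sid" in rest:
                rest["Sid"] = rest["Sid"] + "NonCloudFront"
            rewritten.append(rest)
    fixed["Statement"] = rewritten
    return fixed


if __name__ == "__main__":
    print("Statements to widen:", find_scoped_cloudfront_statements(SAMPLE_POLICY))
    print(json.dumps(widen_cloudfront_resources(SAMPLE_POLICY), indent=2))
```

Run it against an exported policy document (`aws iam get-policy-version` output, for instance) to see which statements would trigger the error; the rewritten document can then be reviewed before being attached, since only the `Resource` of CloudFront actions changes.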
