Question:
I’m using the AWS CLI to create a CloudFront distribution in a script:
```shell
aws configure set preview.cloudfront true
aws cloudfront create-invalidation --distribution-id ABCD1234 --paths '/*'
```
I have a policy set up with this statement:
```json
{
  "Sid": "xxx",
  "Effect": "Allow",
  "Action": [
    "cloudfront:CreateInvalidation"
  ],
  "Resource": [
    "arn:aws:cloudfront::xxx:distribution/ABCD1234"
  ]
}
```
The policy is attached to the user that is running the command. However, I still get this error:
A client error (AccessDenied) occurred when calling the CreateInvalidation operation: User: arn:aws:iam::xxx:user/yyy is not authorized to perform: cloudfront:CreateInvalidation
Answer:
The problem is that CloudFront can’t work with a policy that specifies a resource. “Widening” the policy fixes the error.
This support thread states:
CloudFront does not support Resource-Level permissions for IAM.
It’s also buried in the documentation for CloudFront:
```
Operation: POST Invalidation (CreateInvalidation)
Required Permissions: cloudfront:CreateInvalidation
Resources: *
```
That means the policy needs to be (the `Resource` must be the wildcard `*`):
```json
{
  "Sid": "xxx",
  "Effect": "Allow",
  "Action": [
    "cloudfront:CreateInvalidation"
  ],
  "Resource": [
    "*"
  ]
}
```