I'm using the AWS CLI to create a CloudFront distribution in a script:
aws configure set preview.cloudfront true
aws cloudfront create-invalidation --distribution-id ABCD1234 --paths '/*'
I have a policy set up with this statement:
{
    "Sid": "xxx",
    "Effect": "Allow",
    "Action": [
        "cloudfront:CreateInvalidation"
    ],
    "Resource": [
        "arn:aws:cloudfront::xxx:distribution/ABCD1234"
    ]
}
The policy is attached to the user that is running the command. However, I still get this error:
A client error (AccessDenied) occurred when calling the CreateInvalidation operation: User: arn:aws:iam::xxx:user/yyy is not authorized to perform: cloudfront:CreateInvalidation
The problem is that CloudFront can't work with a policy that specifies a resource. "Widening" the policy fixes the error.
This support thread states:
CloudFront does not support Resource-Level permissions for IAM.
It's also buried in the documentation for CloudFront:
Operation: POST Invalidation (CreateInvalidation)
Required Permissions: cloudfront:CreateInvalidation
Resources: *
That means the policy needs to be:
{
    "Sid": "xxx",
    "Effect": "Allow",
    "Action": [
        "cloudfront:CreateInvalidation"
    ],
    "Resource": [
        "*"   <-- must be a wildcard
    ]
}
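The mismatch the answer describes can be reproduced with a small, deliberately simplified model of IAM policy evaluation. This is an added example, not code from the question, the answer or AWS: it handles identity-based policies only, with explicit Deny, Allow and implicit Deny and no Condition support. A request with `resource=None` models an action whose documented Resources entry is `*`, i.e. the call carries no ARN, so only a `"*"` pattern in the statement can match. The two policies are constructed copies of the ones in the thread, and `check_least_privilege` is an added helper that flags the combination a defender wants to avoid once `Resource` has to be `"*"`: a wildcard in `Action` as well.

```python
import fnmatch
import json
from typing import Any, Dict, List, Optional

# Constructed copies of the two policy variants discussed above.
SCOPED_POLICY: Dict[str, Any] = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "xxx",
    "Effect": "Allow",
    "Action": ["cloudfront:CreateInvalidation"],
    "Resource": ["arn:aws:cloudfront::xxx:distribution/ABCD1234"]
  }]
}
""")

WILDCARD_POLICY: Dict[str, Any] = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "xxx",
    "Effect": "Allow",
    "Action": ["cloudfront:CreateInvalidation"],
    "Resource": ["*"]
  }]
}
""")


def _as_list(value: Any) -> List[Any]:
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _glob(pattern: str, value: str) -> bool:
    """IAM pattern match: '*' matches any run of characters, '?' exactly one."""
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policy: Dict[str, Any], action: str, resource: Optional[str]) -> str:
    """Return 'Allow' or 'Deny' for one request against one identity-based policy.

    resource=None models an API action that does not support resource-level
    permissions: the request carries no ARN, so a statement matches only if its
    Resource list contains the literal '*'. Explicit Deny always wins.
    """
    decision = "Deny"  # implicit deny until an Allow statement matches
    for stmt in _as_list(policy["Statement"]):
        # Action names are matched case-insensitively.
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(_glob(p, action.lower()) for p in patterns):
            continue
        resources = _as_list(stmt.get("Resource", []))
        if resource is None:
            matched = "*" in resources
        else:
            matched = any(_glob(p, resource) for p in resources)
        if not matched:
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def check_least_privilege(policy: Dict[str, Any]) -> List[str]:
    """Return Sids of Allow statements that pair Resource '*' with a wildcard Action.

    When a service forces Resource to '*', the Action list is the only remaining
    scope, so 'cloudfront:*' or '*' there grants far more than the script needs.
    """
    flagged = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        if any("*" in a for a in _as_list(stmt.get("Action", []))):
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


if __name__ == "__main__":
    act = "cloudfront:CreateInvalidation"
    print("scoped policy, no-ARN request :", evaluate(SCOPED_POLICY, act, None))
    print("wildcard policy, no-ARN request:", evaluate(WILDCARD_POLICY, act, None))
    print("least-privilege findings       :", check_least_privilege(WILDCARD_POLICY))
```

With the scoped policy the no-ARN request is denied, which is the AccessDenied the question shows; the wildcard policy allows it. The same wildcard policy still denies an unrelated action such as `cloudfront:GetDistribution`, and `check_least_privilege` stays empty as long as the Action list is kept to the single operation the script calls.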