Menu
I'm using S3 bucket to store files and CloudFront to distribute them. I have a tool that handles synchronization automatically and it works great.
However, I want to be able to also create CloudFront invalidations programmatically. What statement do I need to add to the tool's policy in order to allow creating invalidation only for this specific distribution?
Right now, I have this statement:
{
"Effect": "Allow",
"Action": [
"cloudfront:CreateInvalidation"
],
"Resource": "*"
}
But, as you can see, it allows to create invalidations for any distribution in account.
I've tried to use these values for Resource property, but for some reason the tool gave me an error, saying that access is denied:
arn:aws:cloudfront::12345678:distribution/ABCDEFGarn:aws:cloudfront:::distribution/ABCDEFGWhat do I need to specify in Resource property in order to allow creation of invalidation only for the specific distribution?
It's ARN is arn:aws:cloudfront::12345678:distribution/ABCDEFG for example.
835
The cloudfront:CreateInvalidation command does not support resource-level permissions. For this reason, only * is supported. Thus, it is not possible to restrict a user/role to only be able to invalidate a specific distribution.
Source: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cf-api-permissions-ref.html
73
Now Clodfront supports distribution level permissions with IAM policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"cloudfront:UpdateDistribution",
"cloudfront:DeleteDistribution",
"cloudfront:CreateInvalidation"
],
"Resource": "arn:aws:cloudfront::<account_id>:distribution/<distribution_id>"
}
]
}
More details here: https://docs.amazonaws.cn/en_us/AmazonCloudFront/latest/DeveloperGuide/access-control-overview.html
14
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
