I'm using S3 bucket to store files and CloudFront to distribute them. I have a tool that handles synchronization automatically and it works great.
However, I want to be able to also create CloudFront invalidations programmatically. What statement do I need to add to the tool's policy in order to allow creating invalidation only for this specific distribution?
Right now, I have this statement:
    {
        "Effect": "Allow",
        "Action": [
            "cloudfront:CreateInvalidation"
        ],
        "Resource": "*"
    }
But, as you can see, it allows creating invalidations for any distribution in the account.
I've tried to use these values for the Resource property, but for some reason the tool gave me an error saying that access is denied:
    arn:aws:cloudfront::12345678:distribution/ABCDEFG
    arn:aws:cloudfront:::distribution/ABCDEFG
What do I need to specify in the Resource property in order to allow creation of invalidations only for the specific distribution? Its ARN is arn:aws:cloudfront::12345678:distribution/ABCDEFG, for example.
The cloudfront:CreateInvalidation command does not support resource-level permissions. For this reason, only * is supported. Thus, it is not possible to restrict a user/role to only be able to invalidate a specific distribution.
Source: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cf-api-permissions-ref.html
Now CloudFront supports distribution-level permissions with an IAM policy.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": [
                    "cloudfront:UpdateDistribution",
                    "cloudfront:DeleteDistribution",
                    "cloudfront:CreateInvalidation"
                ],
                "Resource": "arn:aws:cloudfront::<account_id>:distribution/<distribution_id>"
            }
        ]
    }
More details here: https://docs.amazonaws.cn/en_us/AmazonCloudFront/latest/DeveloperGuide/access-control-overview.html
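Before attaching the distribution-scoped statement from this answer, it is worth seeing exactly what it grants and why the ARN without an account ID from the question never matched. The script below is an added example and not part of the original post or of AWS's tooling: it builds the least-privilege policy for a given account and distribution and evaluates it with a deliberately simplified IAM matcher (explicit Deny wins, actions compared case-insensitively, resources case-sensitively, no Condition or SCP handling). The account ID, distribution IDs and helper names are constructed for illustration. One fact it relies on: CloudFront is a global service, so the region field of its ARNs is empty but the account ID field is still required.

```python
"""Build a distribution-scoped CreateInvalidation policy and check what it matches.

Added example: the evaluator is a toy approximation of IAM, not the real engine.
"""
import json
import re
from typing import Dict, List, Union

# Constructed sample values for this example; not real identifiers.
ACCOUNT_ID = "123456789012"
DISTRIBUTION_ID = "E1ABCDEFGHIJK"
OTHER_DISTRIBUTION_ID = "E9ZZZZZZZZZZZ"


def distribution_arn(account_id: str, distribution_id: str) -> str:
    """CloudFront ARN: region is blank, account ID is mandatory."""
    return f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"


def scoped_invalidation_policy(account_id: str, distribution_id: str) -> Dict:
    """Least-privilege policy: CreateInvalidation on exactly one distribution."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "InvalidateOneDistribution",
                "Effect": "Allow",
                "Action": ["cloudfront:CreateInvalidation"],
                "Resource": distribution_arn(account_id, distribution_id),
            }
        ],
    }


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return value if isinstance(value, list) else [value]


def _iam_match(pattern: str, value: str) -> bool:
    """IAM wildcard semantics: '*' matches any run, '?' one character."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, value) is not None


def is_allowed(policy: Dict, action: str, resource: str) -> bool:
    """Simplified evaluation: any matching Deny blocks, else any matching Allow grants."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; resource ARNs are not.
        action_hit = any(_iam_match(a.lower(), action.lower()) for a in _as_list(stmt["Action"]))
        resource_hit = any(_iam_match(r, resource) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def check_scoping() -> Dict[str, bool]:
    """Evaluate the scoped policy against the cases discussed in the thread."""
    policy = scoped_invalidation_policy(ACCOUNT_ID, DISTRIBUTION_ID)
    # Same statement but with the account ID left out, as tried in the question.
    malformed = scoped_invalidation_policy("", DISTRIBUTION_ID)
    create = "cloudfront:CreateInvalidation"
    target = distribution_arn(ACCOUNT_ID, DISTRIBUTION_ID)
    return {
        "own_distribution": is_allowed(policy, create, target),
        "other_distribution": is_allowed(policy, create, distribution_arn(ACCOUNT_ID, OTHER_DISTRIBUTION_ID)),
        "other_action": is_allowed(policy, "cloudfront:DeleteDistribution", target),
        # The request's ARN carries the account ID, so the account-less pattern never matches.
        "missing_account_id": is_allowed(malformed, create, target),
    }


if __name__ == "__main__":
    print(json.dumps(scoped_invalidation_policy(ACCOUNT_ID, DISTRIBUTION_ID), indent=2))
    for case, result in check_scoping().items():
        print(f"{case}: {'ALLOW' if result else 'DENY'}")
```

The toy evaluator only illustrates the matching; the authoritative check is the IAM policy simulator or a real CreateInvalidation call with the tool's credentials. Two practical caveats beyond the thread: a tool that waits for the invalidation to complete also needs cloudfront:GetInvalidation on the same resource, and the matcher above ignores permissions boundaries, SCPs and Condition keys, any of which can still deny the call.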