Question
I'm using the AWS CLI to create a CloudFront distribution in a script:
aws configure set preview.cloudfront true
aws cloudfront create-invalidation --distribution-id ABCD1234 --paths '/*'
I have a policy set up with this statement:
{
    "Sid": "xxx",
    "Effect": "Allow",
    "Action": [
        "cloudfront:CreateInvalidation"
    ],
    "Resource": [
        "arn:aws:cloudfront::xxx:distribution/ABCD1234"
    ]
}
The policy is attached to the user that is running the command. However, I still get this error:
A client error (AccessDenied) occurred when calling the CreateInvalidation operation: User: arn:aws:iam::xxx:user/yyy is not authorized to perform: cloudfront:CreateInvalidation
Answer 1:
The problem is that CloudFront can't work with a policy that specifies a resource. "Widening" the policy fixes the error.
This support thread states:
CloudFront does not support Resource-Level permissions for IAM.
It's also buried in the documentation for CloudFront:
Operation: POST Invalidation (CreateInvalidation)
Required Permissions: cloudfront:CreateInvalidation
Resources: *
That means the policy needs to be:
{
    "Sid": "xxx",
    "Effect": "Allow",
    "Action": [
        "cloudfront:CreateInvalidation"
    ],
    "Resource": [
        "*"    <-- must be a wildcard
    ]
}
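As an added example (not part of the question or the answer above), the following Python check flags Allow statements that grant an action the documentation lists with "Resources: *" on a specific ARN, and rewrites the policy so that only those actions are widened while any other actions in the same statement keep their narrower resources. It assumes the policy is a plain IAM JSON document and that WILDCARD_ONLY_ACTIONS holds only the action named on this page; the sample policy is constructed from the question's statement.

```python
import json

# Actions the answer's documentation excerpt lists with "Resources: *" (from this page only).
WILDCARD_ONLY_ACTIONS = {"cloudfront:CreateInvalidation"}

def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def find_unusable_grants(policy_json):
    """(Sid, action, resource) for Allow statements pairing a wildcard-only action with an ARN."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        for action in _as_list(stmt.get("Action")):
            for resource in _as_list(stmt.get("Resource")):
                # Such a grant never matches the request, hence the AccessDenied in the question.
                if stmt.get("Effect") == "Allow" and action in WILDCARD_ONLY_ACTIONS and resource != "*":
                    findings.append((stmt.get("Sid"), action, resource))
    return findings

def fix_policy(policy_json):
    """Return the policy as JSON with each flagged statement split: wildcard-only actions
    move to their own statement on Resource "*" (the answer's fix); other actions keep their ARNs."""
    policy = json.loads(policy_json)
    rewritten = []
    for stmt in _as_list(policy.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        wild = [a for a in actions if a in WILDCARD_ONLY_ACTIONS]
        rest = [a for a in actions if a not in WILDCARD_ONLY_ACTIONS]
        if stmt.get("Effect") != "Allow" or not wild:
            rewritten.append(stmt)
            continue
        wild_stmt = {**stmt, "Action": wild, "Resource": "*"}
        if rest:  # keep the narrow grant; Sids must stay unique within one policy
            rewritten.append({**stmt, "Action": rest})
            if "Sid" in stmt:
                wild_stmt["Sid"] = stmt["Sid"] + "Wildcard"
        rewritten.append(wild_stmt)
    policy["Statement"] = rewritten
    return json.dumps(policy, indent=2)

# Constructed sample: the question's statement wrapped in a full policy document.
BROKEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "xxx", "Effect": "Allow", "Action": ["cloudfront:CreateInvalidation"],
    "Resource": ["arn:aws:cloudfront::xxx:distribution/ABCD1234"]}]})

if __name__ == "__main__":
    print(find_unusable_grants(BROKEN_POLICY))
    print(fix_policy(BROKEN_POLICY))
```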
Source: https://stackoverflow.com/questions/44830990/access-denied-when-creating-cloudfront-invalidation-with-aws-cli