Question
I'm trying to deploy an ember app to AWS CloudFront using ember-cli-deploy and ember-cli-deploy-cloudfront.
I set up my bucket and user in AWS, gave my user the AmazonS3FullAccess policy.
Set up my .env.deploy.production file to look like this:
    AWS_KEY=<my key>
    AWS_SECRET=<my secret>
    PRODUCTION_BUCKET=app.<my domain>.com
    PRODUCTION_REGION=us-east-1
    PRODUCTION_DISTRIBUTION=<my cloudfront distribution id>
My config/default.js looks like this:
    /* jshint node: true */
    module.exports = function(deployTarget) {
      var ENV = {
        build: {},
        pipeline: {
          activateOnDeploy: true
        },
        s3: {
          // credentials come from .env.deploy.<target>, never from the repo
          accessKeyId: process.env.AWS_KEY,
          secretAccessKey: process.env.AWS_SECRET,
          filePattern: "*"
        },
        cloudfront: {
          accessKeyId: process.env.AWS_KEY,
          secretAccessKey: process.env.AWS_SECRET
        }
      };
      // per-target bucket, region and distribution
      if (deployTarget === 'staging') {
        ENV.build.environment = 'production';
        ENV.s3.bucket = process.env.STAGING_BUCKET;
        ENV.s3.region = process.env.STAGING_REGION;
        ENV.cloudfront.distribution = process.env.STAGING_DISTRIBUTION;
      }
      if (deployTarget === 'production') {
        ENV.build.environment = 'production';
        ENV.s3.bucket = process.env.PRODUCTION_BUCKET;
        ENV.s3.region = process.env.PRODUCTION_REGION;
        ENV.cloudfront.distribution = process.env.PRODUCTION_DISTRIBUTION;
      }
      return ENV;
    };
I installed ember-cli-deploy, ember-cli-deploy-cloudfront and ember-cli-deploy-aws-pack (via ember install).
When I run ember deploy production I get this error:
    AccessDenied: User: arn:aws:iam::299188948670:user/Flybrary is not authorized to perform: cloudfront:CreateInvalidation
It's my understanding that ember-cli-deploy-cloudfront handles creating invalidations for you, but when I saw this error I went into the AWS IAM console and created an invalidation myself. I still get the same error when I try to run ember deploy production.
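A common follow-on problem with the config above is that a missing or misspelled variable in .env.deploy.production silently becomes undefined, and the failure only shows up later as an opaque AWS error. The following is an added example, not the asker's config or anything shipped by ember-cli-deploy: a config factory that checks the variables each target needs before building the config, and reports only variable names (never values, since two of them are secrets). The helper names and the injected env object are this example's own; the sample environment is constructed with placeholder values.

```javascript
// Added example (hypothetical helper names): fail fast on a missing deploy
// variable instead of handing undefined to the S3/CloudFront plugins.
// `env` is injected rather than read from process.env so it can be tested.

const REQUIRED_COMMON = ['AWS_KEY', 'AWS_SECRET'];
const REQUIRED_BY_TARGET = {
  staging: ['STAGING_BUCKET', 'STAGING_REGION', 'STAGING_DISTRIBUTION'],
  production: ['PRODUCTION_BUCKET', 'PRODUCTION_REGION', 'PRODUCTION_DISTRIBUTION'],
};

// Names of required variables that are absent or blank for this target.
// Values are deliberately not included: AWS_SECRET must never reach a log.
function missingVars(deployTarget, env) {
  const wanted = REQUIRED_COMMON.concat(REQUIRED_BY_TARGET[deployTarget] || []);
  return wanted.filter((name) => !env[name] || env[name].trim() === '');
}

// Same shape as the asker's config, built only once every input is present.
function buildDeployConfig(deployTarget, env) {
  if (!REQUIRED_BY_TARGET[deployTarget]) {
    throw new Error(`Unknown deploy target "${deployTarget}"`);
  }
  const missing = missingVars(deployTarget, env);
  if (missing.length > 0) {
    throw new Error(`Missing environment variables for ${deployTarget}: ${missing.join(', ')}`);
  }
  const prefix = deployTarget.toUpperCase();
  return {
    build: { environment: 'production' },
    pipeline: { activateOnDeploy: true },
    s3: {
      accessKeyId: env.AWS_KEY,
      secretAccessKey: env.AWS_SECRET,
      filePattern: '*',
      bucket: env[`${prefix}_BUCKET`],
      region: env[`${prefix}_REGION`],
    },
    cloudfront: {
      accessKeyId: env.AWS_KEY,
      secretAccessKey: env.AWS_SECRET,
      distribution: env[`${prefix}_DISTRIBUTION`],
    },
  };
}

// Constructed sample environment with placeholder values (not real credentials).
const SAMPLE_ENV = {
  AWS_KEY: 'EXAMPLEKEY',
  AWS_SECRET: 'EXAMPLESECRET',
  PRODUCTION_BUCKET: 'app.example.com',
  PRODUCTION_REGION: 'us-east-1',
  PRODUCTION_DISTRIBUTION: 'EDISTRIBUTIONID',
};

// Usage inside config/deploy.js would be:
//   module.exports = (target) => buildDeployConfig(target, process.env);
```

With the sample environment, building the production config succeeds, while asking for the staging target throws an error that names the three STAGING_* variables and contains none of the secret values.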
Answer 1:
IAM Policies do not allow restriction of access to specific CloudFront distributions. The workaround is to use a wildcard for the resource, instead of only referencing a specific CloudFront resource. Adding that to your IAM policy will work around the issue you're having.
Here is an example of that in a working IAM policy:
    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "s3:*",
          "Resource": "arn:aws:s3:::*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "cloudfront:CreateInvalidation",
            "cloudfront:GetInvalidation",
            "cloudfront:ListInvalidations"
          ],
          "Resource": "*"
        }
      ]
    }
Docs:
- AWS Services That Work with IAM
- CloudFront API Permissions
- Using Identity-Based Policies (IAM Policies) for CloudFront
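The policy in the answer fixes the invalidation error, but its first statement grants s3:* on every bucket in the account, which is far more than a deploy user needs. The block below is an added example, not the answer's policy and not AWS code: a deliberately simplified model of identity-based policy evaluation (explicit Deny wins, any matching Allow grants, default deny; glob matching on Action and Resource; no conditions, NotAction or policy variables) used to check a tightened variant that scopes S3 to the deploy bucket while keeping the wildcard CloudFront resource the answer says invalidation needs. The bucket name, account id, distribution id and the specific list of S3 actions are constructed assumptions; confirm the real action set from the plugin's behaviour (for example via IAM Access Advisor or CloudTrail) before relying on it.

```javascript
// Added example: simplified IAM evaluation model, used to sanity-check a
// least-privilege deploy policy before attaching it to the deploy user.
// Everything below is constructed for the example; real IAM has many more
// features than this model implements.

// Turn an IAM glob such as "s3:*" or "arn:aws:s3:::bucket/*" into a RegExp.
// Actions are case-insensitive in IAM; resource ARNs are case-sensitive.
function globToRegExp(pattern, ignoreCase) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&') // escape regex metacharacters
    .replace(/\*/g, '.*')                 // IAM "*" matches any run of characters
    .replace(/\?/g, '.');                 // IAM "?" matches one character
  return new RegExp(`^${escaped}$`, ignoreCase ? 'i' : '');
}

function anyMatch(patterns, value, ignoreCase) {
  const list = Array.isArray(patterns) ? patterns : [patterns];
  return list.some((p) => globToRegExp(p, ignoreCase).test(value));
}

// Explicit Deny wins over any Allow; with no matching statement the
// request is implicitly denied.
function evaluate(policy, action, resource) {
  let allowed = false;
  for (const stmt of policy.Statement) {
    if (!anyMatch(stmt.Action, action, true)) continue;
    if (!anyMatch(stmt.Resource, resource, false)) continue;
    if (stmt.Effect === 'Deny') return 'Deny';
    if (stmt.Effect === 'Allow') allowed = true;
  }
  return allowed ? 'Allow' : 'Deny';
}

// Tightened variant of the answer's policy. S3 is limited to the deploy
// bucket (bucket-level and object-level ARNs are distinct resources);
// CloudFront keeps "Resource": "*" for the three invalidation actions.
const DEPLOY_BUCKET = 'app.example.com'; // constructed placeholder
const SCOPED_POLICY = {
  Version: '2012-10-17',
  Statement: [
    {
      Effect: 'Allow',
      Action: ['s3:ListBucket', 's3:GetBucketLocation'],
      Resource: `arn:aws:s3:::${DEPLOY_BUCKET}`,
    },
    {
      Effect: 'Allow',
      Action: ['s3:PutObject', 's3:GetObject', 's3:DeleteObject'],
      Resource: `arn:aws:s3:::${DEPLOY_BUCKET}/*`,
    },
    {
      Effect: 'Allow',
      Action: ['cloudfront:CreateInvalidation', 'cloudfront:GetInvalidation', 'cloudfront:ListInvalidations'],
      Resource: '*',
    },
  ],
};

// Constructed placeholder ARN for the distribution being invalidated.
const DISTRIBUTION_ARN = 'arn:aws:cloudfront::123456789012:distribution/EXAMPLEDIST';

// Requests a deploy would make, plus two that the scoped policy must refuse.
function checkDeployPermissions(policy) {
  return {
    list: evaluate(policy, 's3:ListBucket', `arn:aws:s3:::${DEPLOY_BUCKET}`),
    upload: evaluate(policy, 's3:PutObject', `arn:aws:s3:::${DEPLOY_BUCKET}/index.html`),
    invalidate: evaluate(policy, 'cloudfront:CreateInvalidation', DISTRIBUTION_ARN),
    otherBucket: evaluate(policy, 's3:PutObject', 'arn:aws:s3:::some-other-bucket/index.html'),
    deleteDistribution: evaluate(policy, 'cloudfront:DeleteDistribution', DISTRIBUTION_ARN),
  };
}
```

Running checkDeployPermissions(SCOPED_POLICY) yields Allow for the bucket listing, the object upload and the invalidation, and Deny for writing to an unrelated bucket and for deleting the distribution, which is the shape a deploy-only user should have. The same evaluator applied to the answer's original policy would allow the write to any bucket, which is the over-grant the scoped variant removes.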
Source: https://stackoverflow.com/questions/33710607/accessdenied-user-is-not-authorized-to-perform-cloudfrontcreateinvalidation