
I am attempting to create a command that will invalidate CloudFront distribution when pushing out new code. This is an attempt to fix the issue that new HTML pushed out doesn't take up to 24 hours to appear on my web app. The idea comes from this AWS CLI COMMAND REFERENCE

Here is the command:

aws cloudfront create-invalidation --distribution-id XXXXXXXXXXXXXX --invalidation-batch file://invbatch.json 

Here is the response I get when I run the command:

A client error (AccessDenied) occurred when calling the CreateInvalidation operation: User: arn:aws:iam::XXXXXXXXXXXXXX:user/cats-kittens-beanstalk-user is not authorized to perform: cloudfront:CreateInvalidation

Any idea why this might be? I know AWS throws this access denied even though the user is authorized to run commands in some instances - see here.


2 Answers


IAM Policies do not allow restriction of access to specific CloudFront distributions. The solution is to use a wildcard for the resource, instead of only referencing a specific CloudFront resource. Adding that to your IAM policy will fix the issue you're having.

Here is an example of that in a working IAM policy:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudfront:CreateInvalidation",
        "cloudfront:GetInvalidation",
        "cloudfront:ListInvalidations"
      ],
      "Resource": "*"
    }
  ]
}

Docs:


The error message you're encountering, "User is not authorized to perform: cloudfront:CreateInvalidation", indicates that the IAM user or role you're using doesn't have the necessary permissions to create invalidations for the CloudFront distribution.

To resolve this issue, you'll need to update the IAM policy attached to the IAM user or role to include permissions for the cloudfront:CreateInvalidation action. Here's how you can do it:

1. Identify the IAM Policy: Find the IAM policy attached to the IAM user or role (cats-kittens-beanstalk-user in your case). This policy should be granting permissions related to CloudFront actions.

2. Edit the IAM Policy: Add permissions for the cloudfront:CreateInvalidation action to the IAM policy. You can add it to an existing policy or create a new policy specifically for CloudFront invalidations.

Here's a sample IAM policy snippet granting the necessary permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "cloudfront:CreateInvalidation",
      "Resource": "arn:aws:cloudfront::XXXXXXXXXXXXXX:distribution/XXXXXXXXXXXXXX"
    }
  ]
}

Make sure to replace XXXXXXXXXXXXXX with your actual AWS account ID and CloudFront distribution ID.
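As an added example (not code from either answer), here is a small local evaluator that applies the two policies posted above, the Resource "*" one from the first answer and the distribution-scoped one from the second, to a cloudfront:CreateInvalidation request, so you can see offline which calls each grants before touching IAM. Account and distribution IDs are constructed placeholders, and it only models Effect/Action/Resource with IAM-style wildcards (no Condition, NotAction or NotResource).

```python
import fnmatch
import json

# Constructed inputs: the two policies from the answers above, with
# placeholder account (111122223333) and distribution (E1EXAMPLE) IDs.
WILDCARD_POLICY = json.loads("""{"Statement": [
  {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::*"},
  {"Effect": "Allow",
   "Action": ["cloudfront:CreateInvalidation", "cloudfront:GetInvalidation",
              "cloudfront:ListInvalidations"],
   "Resource": "*"}]}""")

SCOPED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "cloudfront:CreateInvalidation",
   "Resource": "arn:aws:cloudfront::111122223333:distribution/E1EXAMPLE"}]}""")


def _as_list(value):
    # IAM accepts either a single string or a list for Action/Resource.
    return value if isinstance(value, list) else [value]


def _matches(pattern, candidate):
    # IAM wildcards: '*' matches any run of characters, '?' a single one.
    # fnmatch gives the same semantics for ARNs (no '[' characters there).
    return fnmatch.fnmatchcase(candidate, pattern)


def is_allowed(policy, action, resource):
    """True if some Allow statement covers (action, resource) and no Deny
    statement does; an explicit Deny wins, as in real IAM evaluation.
    Action names are case-insensitive, resource ARNs are case-sensitive."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        action_hit = any(_matches(a.lower(), action.lower())
                         for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_matches(r, resource)
                           for r in _as_list(stmt.get("Resource", [])))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def missing_permissions(policy, required, resource):
    """Actions in `required` that `policy` does not grant on `resource`."""
    return [a for a in required if not is_allowed(policy, a, resource)]
```

Running missing_permissions(SCOPED_POLICY, [...], arn) against the three actions the first answer lists shows that the scoped policy covers only CreateInvalidation, and only for the one distribution named in its Resource.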
