使用AWS CLI创建CloudFront失效时访问被拒绝 [英] Access Denied when creating CloudFront invalidation with AWS CLI
问题描述
我正在使用AWS CLI在脚本中创建CloudFront发行版:
I'm using the AWS CLI to create a CloudFront distribution in a script:
aws configure set preview.cloudfront true
aws cloudfront create-invalidation --distribution-id ABCD1234 --paths '/*'
我有一条符合以下条件的政策:
I have a policy set up with this statement:
{
"Sid": "xxx",
"Effect": "Allow",
"Action": [
"cloudfront:CreateInvalidation"
],
"Resource": [
"arn:aws:cloudfront::xxx:distribution/ABCD1234"
]
}
该策略已附加到运行命令的用户。但是,我仍然收到此错误:
The policy is attached to the user that is running the command. However, I still get this error:
调用CreateInvalidation操作时发生客户端错误(AccessDenied):用户:arn:aws:iam :: xxx:user / yyy无权执行:cloudfront:CreateInvalidation
A client error (AccessDenied) occurred when calling the CreateInvalidation operation: User: arn:aws:iam::xxx:user/yyy is not authorized to perform: cloudfront:CreateInvalidation
推荐答案
The问题是CloudFront无法使用指定资源的策略。
The problem is that CloudFront can't work with a policy that specifies a resource. "Widening" the policy fixes the error.
此支持线程指出:
CloudFront不支持IAM的资源级别权限。
CloudFront does not support Resource-Level permissions for IAM.
它也被埋在 CloudFront的文档:
Operation: POST Invalidation (CreateInvalidation)
Required Permissions: cloudfront:CreateInvalidation
Resources: *
这意味着该策略必须为:
That means the policy needs to be:
{
"Sid": "xxx",
"Effect": "Allow",
"Action": [
"cloudfront:CreateInvalidation"
],
"Resource": [
"*" <-- must be a wildcard
]
}
这篇关于使用AWS CLI创建CloudFront失效时访问被拒绝的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!