使用AWS CLI创建CloudFront失效时访问被拒绝 [英] Access Denied when creating CloudFront invalidation with AWS CLI

问题描述

我正在使用AWS CLI在脚本中创建CloudFront发行版：

I'm using the AWS CLI to create a CloudFront distribution in a script:

aws configure set preview.cloudfront true
aws cloudfront create-invalidation --distribution-id ABCD1234 --paths '/*'

我有一条符合以下条件的政策：

I have a policy set up with this statement:

{
    "Sid": "xxx",
    "Effect": "Allow",
    "Action": [
        "cloudfront:CreateInvalidation"
    ],
    "Resource": [
        "arn:aws:cloudfront::xxx:distribution/ABCD1234"
    ]
}

该策略已附加到运行命令的用户。但是，我仍然收到此错误：

The policy is attached to the user that is running the command. However, I still get this error:

调用CreateInvalidation操作时发生客户端错误（AccessDenied）：用户：arn：aws：iam :: xxx：user / yyy无权执行：cloudfront：CreateInvalidation

A client error (AccessDenied) occurred when calling the CreateInvalidation operation: User: arn:aws:iam::xxx:user/yyy is not authorized to perform: cloudfront:CreateInvalidation

推荐答案

The问题是CloudFront无法使用指定资源的策略。

The problem is that CloudFront can't work with a policy that specifies a resource. "Widening" the policy fixes the error.

此支持线程指出：

CloudFront不支持IAM的资源级别权限。

CloudFront does not support Resource-Level permissions for IAM.

它也被埋在 CloudFront的文档：

Operation:             POST Invalidation (CreateInvalidation)
Required Permissions:  cloudfront:CreateInvalidation
Resources:             *

这意味着该策略必须为：

That means the policy needs to be:

{
    "Sid": "xxx",
    "Effect": "Allow",
    "Action": [
        "cloudfront:CreateInvalidation"
    ],
    "Resource": [
        "*"  <-- must be a wildcard
    ]
}

这篇关于使用AWS CLI创建CloudFront失效时访问被拒绝的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！