AccessDenied: User is not authorized to perform: cloudfront:CreateInvalidation


Question

I'm trying to deploy an ember app to AWS CloudFront using ember-cli-deploy and ember-cli-deploy-cloudfront.

I set up my bucket and user in AWS, gave my user AmazonS3FullAccess policy.

Set up my .env.deploy.production file to look like this:

AWS_KEY=<my key>
AWS_SECRET=<my secret>
PRODUCTION_BUCKET=<app.<my domain>.com
PRODUCTION_REGION=us-east-1
PRODUCTION_DISTRIBUTION=<my cloudfront distribution id>

My config/default.js looks like this:

/* jshint node: true */

module.exports = function(deployTarget) {
  var ENV = {
    build: {},
    pipeline: {
      activateOnDeploy: true
    },
    s3: {
      accessKeyId: process.env.AWS_KEY,
      secretAccessKey: process.env.AWS_SECRET,
      filePattern: "*"
    },
    cloudfront: {
      accessKeyId: process.env.AWS_KEY,
      secretAccessKey: process.env.AWS_SECRET
    }
  };

  if (deployTarget === 'staging') {
    ENV.build.environment = 'production';
    ENV.s3.bucket = process.env.STAGING_BUCKET;
    ENV.s3.region = process.env.STAGING_REGION;
    ENV.cloudfront.distribution = process.env.STAGING_DISTRIBUTION;
  }

  if (deployTarget === 'production') {
    ENV.build.environment = 'production';
    ENV.s3.bucket = process.env.PRODUCTION_BUCKET;
    ENV.s3.region = process.env.PRODUCTION_REGION;
    ENV.cloudfront.distribution = process.env.PRODUCTION_DISTRIBUTION;
  }

  return ENV;
};

I installed ember-cli-deploy, ember-cli-deploy-cloudfront and ember install ember-cli-deploy-aws-pack.

When I run ember deploy production

I get this error:

AccessDenied: User: arn:aws:iam::299188948670:user/Flybrary is not authorized to perform: cloudfront:CreateInvalidation

It's my understanding that ember-cli-deploy-cloudfront handles creating invalidations for you but when I saw this error I went into the AWS IAM console and created an invalidation myself. I still get the same error when I try to run ember deploy production.

Recommended answer

IAM Policies do not allow restriction of access to specific CloudFront distributions. The workaround is to use a wildcard for the resource, instead of only referencing a specific CloudFront resource. Adding that to your IAM policy will work around the issue you're having.

Here is an example of that in a working IAM policy:

{
  "Statement": [  
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudfront:CreateInvalidation",
        "cloudfront:GetInvalidation",
        "cloudfront:ListInvalidations"
      ],
      "Resource": "*"
    }
  ]
}

Documentation:
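
As an added illustration (not part of the original question or answer), this Node.js sketch evaluates a policy document against a requested action: a policy with only S3 permissions has no statement matching cloudfront:CreateInvalidation, so the request is implicitly denied, while the policy from the answer allows it. The evaluator is simplified to Effect, Action and Resource, and the S3-only policy and the distribution ARN are constructed placeholders.

```javascript
// Added example: simplified evaluator for identity-based IAM policies.
// Assumption: only Effect, Action and Resource are considered; Condition,
// NotAction, NotResource, SCPs and permission boundaries are ignored.
const asList = (v) => (Array.isArray(v) ? v : [v]);

// IAM-style wildcard match: '*' matches any run of characters, '?' one character.
function wildcardMatch(pattern, value, caseInsensitive) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  const source = '^' + escaped.replace(/\*/g, '.*').replace(/\?/g, '.') + '$';
  return new RegExp(source, caseInsensitive ? 'i' : '').test(value);
}

function statementMatches(stmt, action, resource) {
  return asList(stmt.Action).some((a) => wildcardMatch(a, action, true)) &&
         asList(stmt.Resource).some((r) => wildcardMatch(r, resource, false));
}

// Explicit Deny wins; otherwise at least one Allow is required (implicit deny).
function isAllowed(policy, action, resource) {
  const hits = asList(policy.Statement).filter((s) => statementMatches(s, action, resource));
  if (hits.some((s) => s.Effect === 'Deny')) return false;
  return hits.some((s) => s.Effect === 'Allow');
}

// Allow statements that grant a whole service ("s3:*") or every action ("*").
function serviceWideAllows(policy) {
  return asList(policy.Statement)
    .filter((s) => s.Effect === 'Allow')
    .flatMap((s) => asList(s.Action).filter((a) => a === '*' || a.endsWith(':*')));
}

// Constructed stand-in for a user holding S3 permissions only, as in the question.
const s3Only = { Statement: [{ Effect: 'Allow', Action: 's3:*', Resource: '*' }] };

// The policy from the answer above.
const answerPolicy = {
  Statement: [
    { Effect: 'Allow', Action: 's3:*', Resource: 'arn:aws:s3:::*' },
    { Effect: 'Allow',
      Action: ['cloudfront:CreateInvalidation', 'cloudfront:GetInvalidation', 'cloudfront:ListInvalidations'],
      Resource: '*' },
  ],
};

// Placeholder ARN; the account id and distribution id are constructed.
const dist = 'arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID';
console.log(isAllowed(s3Only, 'cloudfront:CreateInvalidation', dist));
console.log(isAllowed(answerPolicy, 'cloudfront:CreateInvalidation', dist));
console.log(serviceWideAllows(answerPolicy));
```

The last call lists service-wide grants such as s3:*, which is a useful review point when the deploy user only needs to write to one bucket.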
