AccessDenied:用户无权执行:cloudfront:CreateInvalidation [英] AccessDenied: User is not authorized to perform: cloudfront:CreateInvalidation
问题描述
我正在尝试使用ember-cli-deploy和ember-cli-deploy-cloudfront将ember应用程序部署到AWS CloudFront.
I'm trying to deploy an ember app to AWS CloudFront using ember-cli-deploy and ember-cli-deploy-cloudfront.
我在AWS中设置了存储桶和用户,并为用户提供了AmazonS3FullAccess策略.
I set up my bucket and user in AWS, gave my user AmazonS3FullAccess policy.
设置我的 .env.deploy.production
文件,如下所示:
Set up my .env.deploy.production
file to look like this:
AWS_KEY=<my key>
AWS_SECRET=<my secret>
PRODUCTION_BUCKET=<app.<my domain>.com
PRODUCTION_REGION=us-east-1
PRODUCTION_DISTRIBUTION=<my cloudfront distribution id>
我的 config/default.js
看起来像这样:
/* jshint node: true */
module.exports = function(deployTarget) {
var ENV = {
build: {},
pipeline: {
activateOnDeploy: true
},
s3: {
accessKeyId: process.env.AWS_KEY,
secretAccessKey: process.env.AWS_SECRET,
filePattern: "*"
},
cloudfront: {
accessKeyId: process.env.AWS_KEY,
secretAccessKey: process.env.AWS_SECRET
}
};
if (deployTarget === 'staging') {
ENV.build.environment = 'production';
ENV.s3.bucket = process.env.STAGING_BUCKET;
ENV.s3.region = process.env.STAGING_REGION;
ENV.cloudfront.distribution = process.env.STAGING_DISTRIBUTION;
}
if (deployTarget === 'production') {
ENV.build.environment = 'production';
ENV.s3.bucket = process.env.PRODUCTION_BUCKET;
ENV.s3.region = process.env.PRODUCTION_REGION;
ENV.cloudfront.distribution = process.env.PRODUCTION_DISTRIBUTION;
}
return ENV;
};
我安装了 ember-cli-deploy
, ember-cli-deploy-cloudfront
和 ember安装ember-cli-deploy-aws-pack
.
当我运行 ember部署生产
我收到此错误:
AccessDenied:用户:arn:aws:iam :: 299188948670:用户/Flybrary无权执行:cloudfront:CreateInvalidation
据我了解, ember-cli-deploy-cloudfront
为您处理创建无效操作,但是当我看到此错误时,我进入了AWS IAM控制台并自己创建了一个无效操作.当我尝试运行 ember deploy production
时,仍然出现相同的错误.
It's my understanding that ember-cli-deploy-cloudfront
handles creating invalidations for you but when I saw this error I went into the AWS IAM console and created an invalidation myself. I still get the same error when I try to run ember deploy production
.
推荐答案
IAM策略不允许限制对特定CloudFront发行版的访问.解决方法是对资源使用通配符,而不是仅引用特定的CloudFront资源.将其添加到您的IAM策略中可以解决您遇到的问题.
IAM Policies do not allow restriction of access to specific CloudFront distributions. The work around is to use a wildcard for the resource, instead of only referencing a specific CloudFront resource. Adding that to your IAM policy will work around the issue you're having.
以下是有效的IAM策略中的一个示例:
Here is an example of that in a working IAM policy:
{
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"cloudfront:CreateInvalidation",
"cloudfront:GetInvalidation",
"cloudfront:ListInvalidations"
],
"Resource": "*"
}
]
}
文档:
这篇关于AccessDenied:用户无权执行:cloudfront:CreateInvalidation的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!