使用 AWS CLI 创建 CloudFront 失效时拒绝访问

Question

我正在使用 AWS CLI 在脚本中创建 CloudFront 分配：

aws configure set preview.cloudfront true
aws cloudfront create-invalidation --distribution-id ABCD1234 --paths '/*'

我用这个声明设置了一个策略：

{
    "Sid": "xxx",
    "Effect": "Allow",
    "Action": [
        "cloudfront:CreateInvalidation"
    ],
    "Resource": [
        "arn:aws:cloudfront::xxx:distribution/ABCD1234"
    ]
}

策略附加到执行运行命令的用户。但是，我仍然收到此错误：

A client error (AccessDenied) occurred when calling the CreateInvalidation operation: User: arn:aws:iam::xxx:user/yyy is not authorized to perform: cloudfront:CreateInvalidation

Answer 1

问题是 CloudFront 无法使用指定资源的策略。 "Widening" 政策修复了错误。

This support thread 状态：

CloudFront does not support Resource-Level permissions for IAM.

它也被埋在documentation for CloudFront:

Operation:             POST Invalidation (CreateInvalidation)
Required Permissions:  cloudfront:CreateInvalidation
Resources:             *

这意味着政策需要：

{
    "Sid": "xxx",
    "Effect": "Allow",
    "Action": [
        "cloudfront:CreateInvalidation"
    ],
    "Resource": [
        "*"  <-- must be a wildcard
    ]
}

使用 AWS CLI 创建 CloudFront 失效时拒绝访问

Access Denied when creating CloudFront invalidation with AWS CLI

amazon-web-services

amazon-cloudfront

amazon-iam

aws-cli