使用 AWS CLI 创建 CloudFront 失效时拒绝访问
Access Denied when creating CloudFront invalidation with AWS CLI
我正在使用 AWS CLI 在脚本中创建 CloudFront 分配:
aws configure set preview.cloudfront true
aws cloudfront create-invalidation --distribution-id ABCD1234 --paths '/*'
我用这个声明设置了一个策略:
{
"Sid": "xxx",
"Effect": "Allow",
"Action": [
"cloudfront:CreateInvalidation"
],
"Resource": [
"arn:aws:cloudfront::xxx:distribution/ABCD1234"
]
}
策略附加到执行运行 命令的用户。但是,我仍然收到此错误:
A client error (AccessDenied) occurred when calling the CreateInvalidation operation: User: arn:aws:iam::xxx:user/yyy is not authorized to perform: cloudfront:CreateInvalidation
问题是 CloudFront 无法使用指定资源的策略。 "Widening" 政策修复了错误。
CloudFront does not support Resource-Level permissions for IAM.
它也被埋在documentation for CloudFront:
Operation: POST Invalidation (CreateInvalidation)
Required Permissions: cloudfront:CreateInvalidation
Resources: *
这意味着政策需要:
{
"Sid": "xxx",
"Effect": "Allow",
"Action": [
"cloudfront:CreateInvalidation"
],
"Resource": [
"*" <-- must be a wildcard
]
}
我正在使用 AWS CLI 在脚本中创建 CloudFront 分配:
aws configure set preview.cloudfront true
aws cloudfront create-invalidation --distribution-id ABCD1234 --paths '/*'
我用这个声明设置了一个策略:
{
"Sid": "xxx",
"Effect": "Allow",
"Action": [
"cloudfront:CreateInvalidation"
],
"Resource": [
"arn:aws:cloudfront::xxx:distribution/ABCD1234"
]
}
策略附加到执行运行 命令的用户。但是,我仍然收到此错误:
A client error (AccessDenied) occurred when calling the CreateInvalidation operation: User: arn:aws:iam::xxx:user/yyy is not authorized to perform: cloudfront:CreateInvalidation
问题是 CloudFront 无法使用指定资源的策略。 "Widening" 政策修复了错误。
CloudFront does not support Resource-Level permissions for IAM.
它也被埋在documentation for CloudFront:
Operation: POST Invalidation (CreateInvalidation)
Required Permissions: cloudfront:CreateInvalidation
Resources: *
这意味着政策需要:
{
"Sid": "xxx",
"Effect": "Allow",
"Action": [
"cloudfront:CreateInvalidation"
],
"Resource": [
"*" <-- must be a wildcard
]
}