AccessDenied: User is not authorized to perform: cloudfront:CreateInvalidation
I'm trying to deploy an ember app to AWS CloudFront using ember-cli-deploy and ember-cli-deploy-cloudfront.

I set up my bucket and user in AWS, gave my user AmazonS3FullAccess policy.

Set up my .env.deploy.production file to look like this:

AWS_KEY=<my key>
AWS_SECRET=<my secret>
PRODUCTION_BUCKET=app.<my domain>.com
PRODUCTION_REGION=us-east-1
PRODUCTION_DISTRIBUTION=<my cloudfront distribution id>

My config/default.js looks like this:

/* jshint node: true */

module.exports = function(deployTarget) {
  var ENV = {
    build: {},
    pipeline: {
      activateOnDeploy: true
    },
    s3: {
      accessKeyId: process.env.AWS_KEY,
      secretAccessKey: process.env.AWS_SECRET,
      filePattern: "*"
    },
    cloudfront: {
      accessKeyId: process.env.AWS_KEY,
      secretAccessKey: process.env.AWS_SECRET
    }
  };

  if (deployTarget === 'staging') {
    ENV.build.environment = 'production';
    ENV.s3.bucket = process.env.STAGING_BUCKET;
    ENV.s3.region = process.env.STAGING_REGION;
    ENV.cloudfront.distribution = process.env.STAGING_DISTRIBUTION;
  }

  if (deployTarget === 'production') {
    ENV.build.environment = 'production';
    ENV.s3.bucket = process.env.PRODUCTION_BUCKET;
    ENV.s3.region = process.env.PRODUCTION_REGION;
    ENV.cloudfront.distribution = process.env.PRODUCTION_DISTRIBUTION;
  }

  return ENV;
};

I installed ember-cli-deploy and ember-cli-deploy-cloudfront, and ran ember install ember-cli-deploy-aws-pack.

When I run ember deploy production

I get this error:

AccessDenied: User: arn:aws:iam::299188948670:user/Flybrary is not authorized to perform: cloudfront:CreateInvalidation

It's my understanding that ember-cli-deploy-cloudfront handles creating invalidations for you but when I saw this error I went into the AWS IAM console and created an invalidation myself. I still get the same error when I try to run ember deploy production.

Serai answered 14/11, 2015 at 16:27 Comment(5)
Just a thought: You get charged for invalidating CloudFront objects. Maybe that's a problem with your account? - Rubadub
"gave my user AmazonS3FullAccess policy." Did you also give it CloudFront permissions? - Randazzo
Hi @michael-sqlbot, I did set up my CloudFront distribution and invalidation access, but I was never prompted to pay (that I know of; it could just be automatically charging my account?). It is very possible that I did not give my user CloudFront permissions. Nothing in the AWS console seems like a clear way to do that, though. Can you point me in the right direction? - Serai
See docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/…. Generally speaking, every permission is denied until it is allowed, and IAM is the centralized manager for permissions. Also, almost all AWS services are billed to your AWS account without further prompting (you can imagine how annoying it might be, otherwise, in large deployments). Many services, like CloudFront, have no charge for provisioning/setup, only for actual usage. The first 1000 invalidations per month are free. - Randazzo
Similar: Access Denied when calling the CreateInvalidation operation on AWS CLI - Grube
IAM policies do not allow restriction of access to specific CloudFront distributions. The workaround is to use a wildcard for the resource instead of only referencing a specific CloudFront resource. Adding that to your IAM policy will work around the issue you're having.

Here is an example of that in a working IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudfront:CreateInvalidation",
        "cloudfront:GetInvalidation",
        "cloudfront:ListInvalidations"
      ],
      "Resource": "*"
    }
  ]
}

Docs:

Sicken answered 2/8, 2016 at 20:51 Comment(2)
I think they added support for it now. The IAM services overview shows that CloudFront supports resource-based policies, although I can't make it work. - Ideality
The resource-based policy only works most of the time for me. - Kiddy
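To make the "denied until allowed" point from the comments and the answer's wildcard fix concrete, here is an added example (not code from the question, the answer or the ember-cli-deploy plugins) that evaluates the question's S3-only policy, the answer's policy and a distribution-scoped variant against a cloudfront:CreateInvalidation request with a minimal IAM evaluator. The distribution id and bucket name are placeholders, and the scoped variant assumes the service accepts distribution-level resource ARNs, as the later comment suggests.

```python
import fnmatch

# Constructed sample ARN. The account id comes from the error in the question;
# the distribution id is a placeholder, not a real one from the page.
ACCOUNT = "299188948670"
DIST_ARN = f"arn:aws:cloudfront::{ACCOUNT}:distribution/EXAMPLEDISTID"

# Roughly what AmazonS3FullAccess grants: S3 only, nothing for CloudFront.
S3_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

# The answer's workaround: the invalidation actions on a wildcard resource.
WILDCARD_FIX = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow", "Action": ["cloudfront:CreateInvalidation",
     "cloudfront:GetInvalidation", "cloudfront:ListInvalidations"], "Resource": "*"}]}

# Least-privilege variant scoped to one distribution ARN (assumes the service
# supports distribution-level resources, as the later comment suggests).
SCOPED_FIX = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "cloudfront:CreateInvalidation", "Resource": DIST_ARN}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(patterns, value, case_insensitive):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    # Action names match case-insensitively; resource ARNs are case-sensitive.
    patterns = _as_list(patterns)
    if case_insensitive:
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def evaluate(policy, action, resource):
    """Identity-policy evaluation in miniature: everything is implicitly denied,
    an explicit Deny beats any Allow, and a statement applies only when both its
    Action and its Resource match the request."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt.get("Action", []), action, True):
            continue
        if not _matches(stmt.get("Resource", []), resource, False):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"
        allowed = True
    return "allowed" if allowed else "implicitDeny"
```

Against a real account the equivalent check is `aws iam simulate-principal-policy --policy-source-arn <user arn> --action-names cloudfront:CreateInvalidation`, which reports the same allowed/implicitDeny/explicitDeny decision for the user named in the error.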

© 2022 - 2024 — McMap. All rights reserved.