问题描述

我正在使用AWS CLI在脚本中创建CloudFront发行版：

I'm using the AWS CLI to create a CloudFront distribution in a script:

aws configure set preview.cloudfront true
aws cloudfront create-invalidation --distribution-id ABCD1234 --paths '/*'

我有一条符合以下条件的政策：

I have a policy set up with this statement:

{
    "Sid": "xxx",
    "Effect": "Allow",
    "Action": [
        "cloudfront:CreateInvalidation"
    ],
    "Resource": [
        "arn:aws:cloudfront::xxx:distribution/ABCD1234"
    ]
}

该策略已附加到运行命令的用户。但是，我仍然收到此错误：

The policy is attached to the user that is running the command. However, I still get this error:

推荐答案

The问题是CloudFront无法使用指定资源的策略。

The problem is that CloudFront can't work with a policy that specifies a resource. "Widening" the policy fixes the error.

指出：

它也被埋在：

Operation:             POST Invalidation (CreateInvalidation)
Required Permissions:  cloudfront:CreateInvalidation
Resources:             *

这意味着该策略必须为：

That means the policy needs to be:

{
    "Sid": "xxx",
    "Effect": "Allow",
    "Action": [
        "cloudfront:CreateInvalidation"
    ],
    "Resource": [
        "*"  <-- must be a wildcard
    ]
}

这篇关于使用AWS CLI创建CloudFront失效时访问被拒绝的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！