
I'm trying to deploy an ember app to AWS CloudFront using ember-cli-deploy and ember-cli-deploy-cloudfront.

I set up my bucket and user in AWS, gave my user AmazonS3FullAccess policy.

Set up my .env.deploy.production file to look like this:

AWS_KEY=<my key>
AWS_SECRET=<my secret>
PRODUCTION_BUCKET=app.<my domain>.com
PRODUCTION_REGION=us-east-1
PRODUCTION_DISTRIBUTION=<my cloudfront distribution id>

My config/default.js looks like this:

/* jshint node: true */

module.exports = function(deployTarget) {
  var ENV = {
    build: {},
    pipeline: {
      activateOnDeploy: true
    },
    s3: {
      accessKeyId: process.env.AWS_KEY,
      secretAccessKey: process.env.AWS_SECRET,
      filePattern: "*"
    },
    cloudfront: {
      accessKeyId: process.env.AWS_KEY,
      secretAccessKey: process.env.AWS_SECRET
    }
  };

  if (deployTarget === 'staging') {
    ENV.build.environment = 'production';
    ENV.s3.bucket = process.env.STAGING_BUCKET;
    ENV.s3.region = process.env.STAGING_REGION;
    ENV.cloudfront.distribution = process.env.STAGING_DISTRIBUTION;
  }

  if (deployTarget === 'production') {
    ENV.build.environment = 'production';
    ENV.s3.bucket = process.env.PRODUCTION_BUCKET;
    ENV.s3.region = process.env.PRODUCTION_REGION;
    ENV.cloudfront.distribution = process.env.PRODUCTION_DISTRIBUTION;
  }

  return ENV;
};

I installed ember-cli-deploy and ember-cli-deploy-cloudfront, and ran ember install ember-cli-deploy-aws-pack.

When I run ember deploy production

I get this error:

AccessDenied: User: arn:aws:iam::299188948670:user/Flybrary is not authorized to perform: cloudfront:CreateInvalidation

It's my understanding that ember-cli-deploy-cloudfront handles creating invalidations for you but when I saw this error I went into the AWS IAM console and created an invalidation myself. I still get the same error when I try to run ember deploy production.

Asked by Sophie DeBenedetto (edited by kenorb)
  • Just a thought: You get charged for invalidating CloudFront objects. Maybe that's a problem with your account? – alsdkjasdlkja Nov 14 '15 at 18:01
  • *"gave my user AmazonS3FullAccess policy."* Did you also give it CloudFront permissions? – Michael - sqlbot Nov 14 '15 at 19:59
  • Hi @michael-sqlbot, I did set up my CloudFront distribution and invalidation access, but I was never prompted to pay (that I know of; it could just be automatically charging my account?). It is very possible that I did not give my user CloudFront permissions. Nothing in the AWS console seems like a clear way to do that though. Can you point me in the right direction? – Sophie DeBenedetto Nov 15 '15 at 19:11
  • See http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/UsingWithIAM.html. Generally speaking, every permission is denied until it is allowed, and IAM is the centralized manager for permissions. Also, almost all AWS services are billed to your AWS account without further prompting (you can imagine how annoying it might be, otherwise, in large deployments). Many services, like CloudFront, have no charge for provisioning/setup, only for actual usage. The first 1000 invalidations per month are free. – Michael - sqlbot Nov 15 '15 at 20:30
  • Similar: [Access Denied when calling the CreateInvalidation operation on AWS CLI](https://serverfault.com/q/735054/130437) – kenorb Oct 10 '17 at 10:50



IAM policies do not allow restriction of access to specific CloudFront distributions. The workaround is to use a wildcard for the resource, instead of only referencing a specific CloudFront resource. Adding that to your IAM policy will work around the issue you're having.

Here is an example of that in a working IAM policy:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudfront:CreateInvalidation",
        "cloudfront:GetInvalidation",
        "cloudfront:ListInvalidations"
      ],
      "Resource": "*"
    }
  ]
}

Docs:

Answered by Ryan Lavelle (edited by Phil)
  • I think they added support for it now. The IAM services overview shows that CloudFront supports resource-based policies. Although I can't make it work. – sihaya Jun 04 '21 at 14:11
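As an added example (not part of the question or the answer above, and not ember-cli-deploy's own code), the following Python script evaluates an IAM identity policy offline against the actions a deploy run needs. It shows why a policy covering only s3:* (the shape of AmazonS3FullAccess) yields the AccessDenied on cloudfront:CreateInvalidation, and that the answer's policy closes that gap while still not granting unrelated CloudFront actions. The evaluator is a deliberate simplification of IAM: explicit Deny beats Allow, any matching Allow beats the implicit deny, and only Action/Resource with `*`/`?` wildcards are honoured (Condition, NotAction/NotResource, resource-based policies, SCPs and permission boundaries are ignored). The account id, distribution id, bucket name, the AmazonS3FullAccess approximation, the Version key added to the answer's policy, and the list of required actions are all constructed assumptions.

```python
import re

# Constructed approximation of the AWS managed AmazonS3FullAccess policy the
# question grants: it only ever allows s3:* actions, so nothing under
# cloudfront:* can be satisfied by it.
S3_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# The policy from the answer above, with a Version key added (assumption).
ANSWER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::*"},
        {
            "Effect": "Allow",
            "Action": [
                "cloudfront:CreateInvalidation",
                "cloudfront:GetInvalidation",
                "cloudfront:ListInvalidations",
            ],
            "Resource": "*",
        },
    ],
}

# Placeholder account id, distribution id and bucket (constructed, not real).
DIST_ARN = "arn:aws:cloudfront::123456789012:distribution/EXAMPLEDISTID"
BUCKET_ARN = "arn:aws:s3:::app.example.com"

# (action, resource) pairs an S3 upload plus CloudFront invalidation needs;
# this list is an assumption for the example, not taken from the plugins.
DEPLOY_NEEDS = [
    ("s3:PutObject", BUCKET_ARN + "/index.html"),
    ("s3:ListBucket", BUCKET_ARN),
    ("cloudfront:CreateInvalidation", DIST_ARN),
]


def _as_list(value):
    """IAM allows a single string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def _match(pattern, value, case_insensitive=False):
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    parts = [re.escape(p).replace(r"\?", ".") for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), value) is not None


def evaluate(policy, action, resource):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request.

    Action names compare case-insensitively, resource ARNs case-sensitively,
    mirroring IAM. Everything not modelled (Condition, NotAction, ...) is
    simply ignored, so treat the result as a lint, not an authorisation.
    """
    decision = "implicit_deny"
    for stmt in _as_list(policy.get("Statement", [])):
        if not any(_match(a, action, True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_match(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt.get("Effect") == "Deny":
            return "explicit_deny"  # an explicit Deny cannot be overridden
        if stmt.get("Effect") == "Allow":
            decision = "allow"  # keep scanning in case a later Deny applies
    return decision


def missing_permissions(policy, needs):
    """Return the (action, resource) pairs the policy does not allow."""
    return [(a, r) for a, r in needs if evaluate(policy, a, r) != "allow"]


if __name__ == "__main__":
    for name, policy in (("s3-only policy", S3_FULL_ACCESS),
                         ("answer policy", ANSWER_POLICY)):
        gaps = missing_permissions(policy, DEPLOY_NEEDS)
        status = "ok" if not gaps else "missing " + ", ".join(a for a, _ in gaps)
        print(f"{name}: {status}")
```

Running the script reports the s3-only policy as missing cloudfront:CreateInvalidation and the answer's policy as complete for the listed needs. For a live account the authoritative check is the IAM policy simulator, for example `aws iam simulate-principal-policy --policy-source-arn <user arn> --action-names cloudfront:CreateInvalidation`, which also accounts for the policy types this toy evaluator ignores.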