
I'm trying to allow a group I defined to have invalidation privileges.

I defined a policy on the group that looks like this

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1511787279000",
            "Effect": "Allow",
            "Action": [
                "cloudfront:CreateInvalidation",
                "cloudfront:ListInvalidations"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Ultimately I'd like to lock the resource down to specific CloudFront ARNs, but even at this point it doesn't work. When I use the AWS CLI tool I get

An error occurred (AccessDenied) when calling the CreateInvalidation operation: User: arn:aws:iam::5555555555:user/username is not authorized to perform: cloudfront:CreateInvalidation

What am I doing wrong?

w--
  • Did you associate the policy to the IAM user (access key) configured for your AWS CLI? – jweyrich Nov 27 '17 at 13:15
  • If the user is part of the group and the policy is set on the group, does that mean it is associated with the user? Or is there an extra step required? – w-- Nov 27 '17 at 17:10
  • Correct. Policies associated with a given group affect all users belonging to that group. Apart from that, you only need to configure the CLI (`aws configure`) to use a valid access key from a user belonging to that group. – jweyrich Nov 27 '17 at 17:18
  • Thanks. This is why I'm confused. The policy looks to be set up correctly but it still complains about being unauthorized. I know I have done aws configure properly, as another policy on the group is set for S3 and those are working as expected. Any ideas? – w-- Nov 28 '17 at 01:55
  • Well, apparently application of policies is not instantaneous. I tried again after some time and they just worked. – w-- Nov 29 '17 at 16:11
  • Oh, right. Good catch! You can answer your own question if you wish :-) Anyway, looks like someone also noticed this delay - see https://stackoverflow.com/questions/20156043/how-long-should-i-wait-after-applying-an-aws-iam-policy-before-it-is-valid – jweyrich Nov 29 '17 at 17:14
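Two things the thread arrives at, as an added example that is not part of the original question or comments: the policy above with `Resource` tightened from `*` to one CloudFront distribution ARN (the lock-down the poster wanted), and a bounded retry around the invalidation call so that the propagation delay the poster hit is absorbed without masking a genuinely wrong policy. The account id, distribution id and the `AccessDenied` stand-in for botocore's `ClientError` are placeholders so the code runs offline.

```python
# Added example (not from the original post): least-privilege version of the
# question's policy plus a bounded retry for IAM policy propagation delay.
import time

# Placeholder identifiers, not real values; substitute your own.
ACCOUNT_ID = "111111111111"
DISTRIBUTION_ID = "EDFDVBD6EXAMPLE"

def invalidation_policy(account_id, distribution_id):
    """Same two actions as the poster's policy, but Resource names one
    distribution ARN instead of '*' (the lock-down the poster wanted)."""
    arn = f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "CloudFrontInvalidateOneDistribution",
            "Effect": "Allow",
            "Action": ["cloudfront:CreateInvalidation", "cloudfront:ListInvalidations"],
            "Resource": [arn],
        }],
    }

class AccessDenied(Exception):
    """Stand-in for a botocore ClientError with Error.Code 'AccessDenied' (no boto3 needed)."""

def call_with_propagation_retry(call, attempts=6, delay=5.0, sleep=time.sleep):
    """Run call(); on AccessDenied sleep, double the delay and retry, because a
    policy attached to a group is not effective the instant it is saved.
    Returns (result, attempts_used); re-raises once the budget is spent."""
    for n in range(1, attempts + 1):
        try:
            return call(), n
        except AccessDenied:
            if n == attempts:
                raise
            sleep(delay)
            delay *= 2

def simulate_propagation_delay(denials):
    """Constructed stand-in for boto3's cloudfront.create_invalidation: denies
    `denials` times, then succeeds; sleeping is stubbed out."""
    seen = []
    def fake_create_invalidation():
        seen.append(1)
        if len(seen) <= denials:
            raise AccessDenied("not authorized to perform: cloudfront:CreateInvalidation")
        return {"Invalidation": {"Id": "I1EXAMPLE", "Status": "InProgress"}}
    return call_with_propagation_retry(fake_create_invalidation, delay=0, sleep=lambda s: None)
```

With the real client, pass `lambda: client.create_invalidation(DistributionId=..., InvalidationBatch=...)` as `call` and catch `ClientError` where `response["Error"]["Code"] == "AccessDenied"`; keep the attempt budget small so a typo in the policy still fails fast.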
