
I'm trying to create an invalidation using both the aws cli and the PHP SDK, using an administrator IAM (full rights).

Here's the command line:

```
aws cloudfront create-invalidation --distribution-id=E2NYX13BG????? --paths "/*"
```

But I always get this error message:

```
Error: User: arn:aws:iam::5253618?????:user/algo is not authorized to perform:
cloudfront:CreateInvalidation on resource:
arn:aws:cloudfront::5253618?????:distribution/E2NYX13BG?????
```

EDIT ---

To clarify my doubt about this: there are two other questions, one and two, as pasted in the comments by @amitd. Both questions are referencing possible non-admin rights, and also possible restricted CloudFront resources.

By "administrator" I mean that the IAM account has these rights to my whole AWS services:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}
```

As can be seen above, resources are not being restricted, so must I still create a different Statement item to add "Resource": "*", to CloudFront? Because it would make no sense at all.

Antonio Carlos Ribeiro
  • similar to these two posts: [one](https://stackoverflow.com/questions/33710607/accessdenied-user-is-not-authorized-to-perform-cloudfrontcreateinvalidation) and [two](https://serverfault.com/questions/735054/access-denied-when-calling-the-createinvalidation-operation-on-aws-cli) – amitd Dec 22 '20 at 14:31
  • @amitd, I actually searched this and found both questions before posting my own, but I just edited it to clarify – Antonio Carlos Ribeiro Dec 22 '20 at 15:18
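
An added illustration, not part of the original post and not a diagnosis of this account: a simplified Python model of AWS's same-account policy evaluation, showing that the `Allow */*` identity policy quoted in the question is only one of the layers that must permit `cloudfront:CreateInvalidation`. The boundary and SCP documents, the account id and the distribution id are constructed for the example; `Condition`, `NotAction`, session policies and resource-based policies are not modelled.

```python
import fnmatch

# The identity policy from the question.
ADMIN = {"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# Constructed permissions boundary: caps the user at S3 and EC2 only.
BOUNDARY = {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": ["s3:*", "ec2:*"], "Resource": "*"}]}
# Constructed organization SCP: full access minus one CloudFront action.
SCP = {"Version": "2012-10-17",
       "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                     {"Effect": "Deny", "Action": "cloudfront:CreateInvalidation",
                      "Resource": "*"}]}
ACTION = "cloudfront:CreateInvalidation"
# Constructed placeholder ARN (the page's real ids are redacted).
RESOURCE = "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource):
    # IAM action names are case-insensitive; resource ARNs are case-sensitive.
    act = any(fnmatch.fnmatchcase(action.lower(), a.lower())
              for a in _as_list(stmt["Action"]))
    res = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
    return act and res

def _effects(policy, action, resource):
    return {s["Effect"] for s in policy["Statement"] if _matches(s, action, resource)}

def evaluate(action, resource, identity, boundary=None, scp=None):
    """Any explicit Deny wins; then every layer present must contain an Allow."""
    layers = [("identity policy", identity),
              ("permissions boundary", boundary), ("SCP", scp)]
    present = [(name, pol) for name, pol in layers if pol is not None]
    for name, pol in present:
        if "Deny" in _effects(pol, action, resource):
            return f"explicit deny in {name}"
    for name, pol in present:
        if "Allow" not in _effects(pol, action, resource):
            return f"implicit deny: no Allow in {name}"
    return "allowed"

if __name__ == "__main__":
    print(evaluate(ACTION, RESOURCE, ADMIN))
    print(evaluate(ACTION, RESOURCE, ADMIN, boundary=BOUNDARY))
    print(evaluate(ACTION, RESOURCE, ADMIN, scp=SCP))
```
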

0 Answers