forbidden from sending request to cloudfront endpoint

Question

I am trying to send an invalidation batch to my cloudfront dist. Here is how I'm doing it:

import requests
import datetime
from tinys3.auth import S3Auth

date = datetime.datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT')
host = 'cloudfront.amazonaws.com'
path = '/2014-10-21/distribution/%s/invalidation' % DIST_ID

auth = S3Auth(s3key, s3secret)
# I'm assuming the authorization for s3 takes the same form as the auth for cloudfront.

file_path = 'path/to/file'

data = ['<?xml version="1.0" encoding="UTF-8"?>']
data.append('<InvalidationBatch xmlns="http://cloudfront.amazonaws.com/doc/2014-10-21/">')
data.append('<Paths><Quantity>1</Quantity><Items><Path>/%s</Path></Items></Paths>' % file_path)
data.append('<CallerReference>%s</CallerReference>' % date)
data.append('</InvalidationBatch>')
data = ''.join(data)

try:
    url = 'https://%s%s' % (host, path)
    r = requests.post(url, data=data, headers=headers, auth=auth)
    r.raise_for_status()
    print 'Success?'
except:
    raise

As you can see I'm using the authorization protocol from tinys3.py and the cloudfront api. You can find their docs here and here:

https://github.com/smore-inc/tinys3

http://docs.aws.amazon.com/AmazonCloudFront/latest/APIReference/CreateInvalidation.html

When I make the POST request, I get a 403. But I am positive my distribution id is valid (I can use it through the cloudfront GUI). What am I doing wrong?

Answer 1

I have been using boto for CloudFront invalidations. Python code with boto would look something like this:

import boto

cfcon = boto.connect_cloudfront('your-aws-access-key-id', 'your-aws-secret-access-key')
files = [<your files>]
cfcon.create_invalidation_request(DIST_ID, files)