Reputation: 135
Create CloudFront Invalidations in Cross AWS account
I have two AWS accounts (E.g. Account A & Account B). I have created a user with and attached a policy (Costumer Managed) Which has the following permission in account A.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "cloudfront:CreateInvalidation",
"Resource": "arn:aws:cloudfront::{ACCOUNT-B_ACCOUNT-ID-WITHOUT-HYPHENS}:distribution/{ACCOUNT_B-CF-DISTRIBUTION-ID}"
}
]
}
From AWS-CLI (Which is configured with Account A's user) I'm trying to create invalidation for the above mentioned CF distribution ID in Account B. I'm getting access denied.
Do we need any other permission to create invalidation for CF distribution in different AWS account?
Upvotes: 3
Views: 3278
Answers (2)
Reputation: 1111
I have been able to successfully perform a cross-account CloudFront invalidation from my CodePipeline account (TOOLS) to my application (APP) accounts. I achieve this with a Lambda Action that is executed as follows:
- CodePipeline starts a Deploy stage I call
Invalidate - The Stage runs a Lambda function with the following UserParameters:
- APP account roleArn to assume when creating the Invalidation.
- The ID of the CloudFront distribution in the APP account.
- The paths to be invalidated.
- The Lambda function is configured to run with a role in the TOOLS account that can
sts:AssumeRoleof a role from the APP account. - The APP account role permits being assumed by the TOOLS account and permits the creation of Invalidations (
"cloudfront:GetDistribution","cloudfront:CreateInvalidation"). - The Lambda function executes and assumes the APP account role. Using the credentials provided by the APP account role, the invalidation is started.
- When the invalidation has started, the Lambda function puts a successful Job result.
It's difficult and unfortunate that cross-account invalidations are not directly supported. But it does work!
Upvotes: 5
Reputation: 135
Cross account access only available for few AWS Services like Amazon Simple Storage Service (S3) buckets, S3 Glacier vaults, Amazon Simple Notification Service (SNS) topics, and Amazon Simple Queue Service (SQS) queues.
Refer: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html (Role for cross-account access section)
Upvotes: 0
Related Questions
- CloudFront policy to invalidate only specific distribution
- How to Create auto CloudFront invalidations in AzureDevops?
- Access Denied when creating CloudFront invalidation with AWS CLI
- AWS Cloudfront createInvalidation
- AWS CloudFront not invalidated even after successful execution of `create-invalidation` command
- Cloudfront Invalidation for custom origin root
- AWS cloudfront invalidation with OriginPath
- Amazon CloudFront invalidation API
- Correct invalidation path for CloudFront object
- How to set up "Cloudfront Access Origin Identity?"