30 April, 2020

Access Denied when calling the CreateInvalidation operation on AWS CLI.

If you get "Access Denied" when calling the CreateInvalidation operation from the AWS CLI, the IAM user you are calling as lacks permission for that operation.

In this post, I am using a Jenkins pipeline to build and push the artifacts to S3. I am using CloudFront as the Content Delivery Network (CDN) and hosting my website in Route 53.

When I try to invalidate the CloudFront distribution cache from the CLI, I get the error below. I have added some screenshots below for more visibility.

Error Log:-

A client error (AccessDenied) occurred when calling the CreateInvalidation operation: User: arn:aws:iam::xxxxxxxxxxx:user/yyyy is not authorized to perform: cloudfront:


This is the command I am running from the AWS CLI:

aws configure set preview.cloudfront true
aws cloudfront create-invalidation --distribution-id UJH89JKKMOVY340 --paths "/*"    



Resolution:-

Add the "CreateInvalidation" permission to that user. Below are the steps to add the permission.


  • Go to Identity and Access Management (IAM)
  • Go to Users and find your user name; for me it is "Jenkins"
  • Then click "Add inline policy" (see the screenshot below).

  • Now add the policy below in the JSON policy editor (see the screenshot below).

Policy JSON:-


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditoro",
            "Effect": "Allow",
            "Action": "cloudfront:CreateInvalidation",
            "Resource": "arn:aws:cloudfront::17088938460999:distribution/UJH89JKKMOVY340"
        }
    ]
}
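
To confirm that a policy like the one above grants only cloudfront:CreateInvalidation on the one distribution and nothing broader, here is a small Python check. It is an added example, not part of the original post; the function names and the over-broad comparison policy are constructed for illustration, and it only inspects Allow statements (it does not evaluate Deny or Condition).

```python
import json
from fnmatch import fnmatchcase

ACTION = "cloudfront:CreateInvalidation"
DIST_ARN = "arn:aws:cloudfront::17088938460999:distribution/UJH89JKKMOVY340"

# The inline policy from this post, embedded so the check runs offline.
PAGE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "VisualEditoro",
    "Effect": "Allow",
    "Action": "cloudfront:CreateInvalidation",
    "Resource": "arn:aws:cloudfront::17088938460999:distribution/UJH89JKKMOVY340"
  }]
}""")
# Constructed over-broad policy, for comparison (not from the post).
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "cloudfront:*", "Resource": "*"}]}

def _as_list(value):
    # IAM accepts one item or a list for Statement, Action and Resource.
    return [value] if isinstance(value, (str, dict)) else list(value)

def audit(policy, dist_arn=DIST_ARN):
    """Return findings for a policy meant to allow only ACTION on dist_arn."""
    findings, granted = [], False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append("Allow statement uses NotAction/NotResource")
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        findings += [f"unexpected action: {a}" for a in actions
                     if a.lower() != ACTION.lower()]
        findings += [f"unexpected resource: {r}" for r in resources if r != dist_arn]
        # Action names are case-insensitive; '*' and '?' act as wildcards.
        if (any(fnmatchcase(ACTION.lower(), a.lower()) for a in actions)
                and any(fnmatchcase(dist_arn, r) for r in resources)):
            granted = True
    if not granted:
        findings.append(f"{ACTION} is not granted on {dist_arn}")
    return findings

if __name__ == "__main__":
    for name, pol in (("post", PAGE_POLICY), ("broad", BROAD_POLICY)):
        print(name, audit(pol) or "OK: scoped to one action, one distribution")
```

An empty result means the policy allows the invalidation and nothing else; a "not granted" finding corresponds to the AccessDenied error shown earlier.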


Sample Screenshot:-




Now, it's working fine. I can see the Jenkins logs below.

Jenkins Success Log:-

; perhaps you meant to use ‘PATH+EXTRA=/something/bin’?
+ aws configure set preview.cloudfront true
[Pipeline] sh
Warning: JENKINS-41339 probably bogus PATH=/var/lib/jenkins/tools/jenkins.plugins.nodejs.tools.NodeJSInstallation/node-v10.16.3-linux-x64/bin:/var/lib/jenkins/tools/hudson.model.JDK/JDK8-152/bin:$PATH:/usr/local/bin:$MAVEN_HOME/bin:/usr/local/bin:/var/lib/jenkins/tools/hudson.tasks.Maven_MavenInstallation/mvn/bin:/usr/sbin:/usr/bin:/sbin:/bin; perhaps you meant to use ‘PATH+EXTRA=/something/bin’?
+ aws cloudfront create-invalidation --distribution-id UJH89JKKMOVY340 --paths '/*'
{
    "Invalidation": {
        "Status": "InProgress", 
        "InvalidationBatch": {
            "Paths": {
                "Items": [
                    "/*"
                ], 
                "Quantity": 1
            }, 
            "CallerReference": "cli-1588239578-85708"
        }, 
        "Id": "I3HILN71CKWOV4", 
        "CreateTime": "2020-04-30T09:39:38.919Z"
    }, 
    "Location": "https://cloudfront.amazonaws.com/2019-03-26/distribution/UJH89JKKMOVY340/invalidation/I3HILN71CKWOV4"
}




27 April, 2020

How to get access key id and secret access key of amazon user.

This key combination (i.e. access key ID and secret access key) is needed whenever you access your AWS services programmatically (for example S3, EC2, etc.). It's very simple to get the credentials for your user.



  • Go to Identity and Access Management (IAM)
  • Click on Users (left side of the page, under Access Management)
  • Then click on your user name in the user list. You will see the screen below.


  • Click on "Security and credentials", then click on "Create access key" to create a new access key, and download the .csv file, as shown in the screenshot below.


  • Now you can see your access key ID and secret access key, which look like the following.
    • Access key ID - AAKIASPHRAQWAKKLAR87
      Secret access key - sZ+7JJKd++UjfjfuueFJV9pXXVDOv48xiBbm