s3cmd - CloudFront Invalidation IAM Policy

If you come across the following error when using s3cmd to invalidate CloudFront's cache for your S3 website (and you are using IAM policies):

ERROR: S3 error: 403 (AccessDenied): Access Denied

You need to allow the following action in your IAM policy for the user or group:

"s3:GetBucketWebsite"

So your IAM policy may look something like:

{
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "s3:ListAllMyBuckets",
            "s3:GetBucketWebsite"
         ],
         "Resource":"arn:aws:s3:::*"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:ListBucket",
            "s3:GetBucketLocation"
         ],
         "Resource":"arn:aws:s3:::example-bucket"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:PutObject",
            "s3:GetObject",
            "s3:DeleteObject"
         ],
         "Resource":"arn:aws:s3:::example-bucket/*"
      }
   ]
}
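
An added example, not from the original post: a simplified offline evaluator for the policy above, showing the implicit deny behind the 403 when s3:GetBucketWebsite is missing and how far the arn:aws:s3:::* grant reaches. It assumes statements that use only Effect, Action and Resource (no Condition, NotAction or bucket policies), and the function names are hypothetical.

```python
import json
import re

# The policy from this page, with the s3:GetBucketWebsite grant in place.
POLICY = json.loads("""
{"Statement":[
  {"Effect":"Allow","Action":["s3:ListAllMyBuckets","s3:GetBucketWebsite"],
   "Resource":"arn:aws:s3:::*"},
  {"Effect":"Allow","Action":["s3:ListBucket","s3:GetBucketLocation"],
   "Resource":"arn:aws:s3:::example-bucket"},
  {"Effect":"Allow","Action":["s3:PutObject","s3:GetObject","s3:DeleteObject"],
   "Resource":"arn:aws:s3:::example-bucket/*"}
]}
""")
BUCKET = "arn:aws:s3:::example-bucket"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value, ignore_case=False):
    # IAM wildcards: '*' is any run of characters, '?' is exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def _covers(stmt, action, resource):
    # Action names are case-insensitive; resource ARNs are compared exactly.
    return (any(_matches(a, action, True) for a in _as_list(stmt.get("Action", [])))
            and any(_matches(r, resource) for r in _as_list(stmt.get("Resource", []))))

def is_allowed(policy, action, resource):
    """Simplified model (assumption): explicit Deny wins, then any Allow,
    otherwise implicit deny, which s3cmd reports as 403 AccessDenied."""
    hits = [s for s in _as_list(policy["Statement"]) if _covers(s, action, resource)]
    if any(s["Effect"] == "Deny" for s in hits):
        return False
    return any(s["Effect"] == "Allow" for s in hits)

def without_action(policy, action):
    """Copy of the policy with one action removed from every statement."""
    stmts = [dict(s, Action=[a for a in _as_list(s["Action"]) if a != action])
             for s in _as_list(policy["Statement"])]
    return {**policy, "Statement": stmts}

if __name__ == "__main__":
    before = without_action(POLICY, "s3:GetBucketWebsite")
    print("before fix:", is_allowed(before, "s3:GetBucketWebsite", BUCKET))
    print("after fix: ", is_allowed(POLICY, "s3:GetBucketWebsite", BUCKET))
    # The wildcard resource also covers buckets other than example-bucket.
    print("other bucket:", is_allowed(POLICY, "s3:GetBucketWebsite", "arn:aws:s3:::other-bucket"))
```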

Matthew Jones is an operations engineer, living in Melbourne. He is one half of Infracoders.
