s3cmd - Cloudfront Invalidation IAM Policy
If you use s3cmd with IAM policies and get the following error when trying to invalidate the CloudFront cache for your S3 website:
ERROR: S3 error: 403 (AccessDenied): Access Denied
You need to allow the following action in your IAM policy for the user or group:
"s3:GetBucketWebsite"
So your IAM policy may look something like:
{
  "Statement":[
    {
      "Effect":"Allow",
      "Action":[
        "s3:ListAllMyBuckets",
        "s3:GetBucketWebsite"
      ],
      "Resource":"arn:aws:s3:::*"
    },
    {
      "Effect":"Allow",
      "Action":[
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource":"arn:aws:s3:::example-bucket"
    },
    {
      "Effect":"Allow",
      "Action":[
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource":"arn:aws:s3:::example-bucket/*"
    }
  ]
}
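To check a policy document offline before attaching it, the sketch below evaluates it against a checklist of calls for the bucket. It is an added example, not code from this post or from s3cmd. It is simplified to identity-policy Allow/Deny matching with no Condition, NotAction or NotResource handling, and the names allow, REQUIRED, is_allowed and missing, the "before" policy and the index.html key are assumptions made for illustration.

```python
import re

BUCKET = "arn:aws:s3:::example-bucket"  # bucket ARN used in the post

def allow(actions, resource):
    return {"Effect": "Allow", "Action": actions, "Resource": resource}

# The post's policy, with the fix applied.
AFTER = {"Statement": [
    allow(["s3:ListAllMyBuckets", "s3:GetBucketWebsite"], "arn:aws:s3:::*"),
    allow(["s3:ListBucket", "s3:GetBucketLocation"], BUCKET),
    allow(["s3:PutObject", "s3:GetObject", "s3:DeleteObject"], BUCKET + "/*"),
]}
# Constructed "before" state: same policy without s3:GetBucketWebsite.
BEFORE = {"Statement": [allow(["s3:ListAllMyBuckets"], "arn:aws:s3:::*")]
          + AFTER["Statement"][1:]}

# Constructed checklist: calls the policy is expected to permit on this bucket.
REQUIRED = [
    ("s3:GetBucketWebsite", BUCKET),
    ("s3:ListBucket", BUCKET),
    ("s3:GetBucketLocation", BUCKET),
    ("s3:PutObject", BUCKET + "/index.html"),
]

def _listify(value):
    """Action, Resource and Statement may be one item or a list."""
    return [value] if isinstance(value, (str, dict)) else list(value)

def _match(pattern, value, flags=0):
    """IAM wildcards: * matches any run of characters, ? exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, flags) is not None

def is_allowed(policy, action, resource):
    """Allow if some Allow statement matches and no Deny statement does."""
    allowed = False
    for st in _listify(policy["Statement"]):
        hit = (any(_match(a, action, re.IGNORECASE) for a in _listify(st["Action"]))
               and any(_match(r, resource) for r in _listify(st["Resource"])))
        if hit and st["Effect"] == "Deny":
            return False  # an explicit Deny overrides any Allow
        allowed = allowed or hit
    return allowed

def missing(policy, required=REQUIRED):
    """Checklist entries the policy does not grant."""
    return [(a, r) for a, r in required if not is_allowed(policy, a, r)]
```

missing(BEFORE) reports only the s3:GetBucketWebsite entry and missing(AFTER) is empty. The same is_allowed call also shows that the arn:aws:s3:::* resource grants s3:GetBucketWebsite on every bucket ARN, not only example-bucket.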
Matthew Jones is an operations engineer, living in Melbourne. He is one half of Infracoders.