CloudFront invalidation as an IAM user


Peter Bleszynski

Sep 29, 2011, 5:29:53 PM
to Cyberduck
Hi,

I am having difficulty allowing an IAM user to invalidate Cloudfront
objects in an S3 bucket. Does Cyberduck treat IAM users differently
than regular AWS users with respect to CloudFront cache invalidations?

The IAM user is able to connect to mybucketname.s3.amazonaws.com,
upload files, and download files in Cyberduck.

For the sake of testing, the IAM user policy allows all actions in all
resources, which includes all actions in CloudFront.
{"Statement":[{"Effect":"Allow","Action": "*","Resource": "*"}]}

The S3 bucket has already been configured as a CloudFront origin in the
AWS Management Console and the CloudFront distribution has been
deployed.

When the IAM user selects an object and clicks "Get Info" >
"Distribution (CDN)", a second login prompt appears. Regardless of
whether the user clicks "Cancel" or logs in again, the only Delivery
Method available in the drop down menu is "Custom Origin Server (HTTP/
HTTPS) CDN". The "Invalidate" button is not greyed out. Clicking the
button does not return any feedback.

On the other hand, when the bucket owner logs into the same bucket
with their regular AWS user account, the second login prompt is not
presented and all 4 Delivery Methods are available. Unlike the IAM
user, the AWS user is able to select the method "Download (HTTP) CDN"
and invalidate the selected object(s).

Why is the IAM user not able to perform the same actions as the
regular AWS user in "Get Info" > "Distribution (CDN)"?

Thanks,

Peter

David Kocher

Sep 30, 2011, 4:24:18 AM
to cybe...@googlegroups.com
Hello Peter,

Thanks for the detailed description of the issue. This is a bug not caused by the fact that you are connecting with IAM credentials, but by using the DNS hostname to specify which bucket to connect to with `mybucketname.s3.amazonaws.com`.

A workaround would be to let the IAM user list the buckets in the account and connect to the regular S3 hostname.

The next snapshot build available in a few minutes fixes this issue.

-
David

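The test policy quoted in the thread (`"Action": "*", "Resource": "*"`) makes the IAM user a full administrator of the account, which is far more than the upload-and-invalidate workflow needs. The following is an added example, not code from the thread or from Cyberduck: a least-privilege policy for the same workflow (including the `s3:ListAllMyBuckets` permission that the list-the-buckets workaround depends on), plus a small evaluator that shows what each policy allows and flags the full-wildcard statement. The bucket name is the thread's placeholder; the account id and distribution ARN are assumptions for illustration, and the evaluator is a deliberately simplified model of IAM (no conditions, no principal or resource policies).

```python
import fnmatch
import json

# Over-broad test policy exactly as quoted in the thread: every action on every resource.
BROAD_POLICY = json.loads(
    '{"Statement":[{"Effect":"Allow","Action": "*","Resource": "*"}]}'
)

# Constructed least-privilege alternative for the "upload, then invalidate" workflow.
# The bucket name is the thread's placeholder; the account id and distribution ARN
# below are assumptions for illustration, not values from the thread.
BUCKET = "mybucketname"
DISTRIBUTION_ARN = "arn:aws:cloudfront::123456789012:distribution/EXAMPLEID"

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # Needed for the workaround of listing buckets instead of using a bucket hostname.
        {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
        # Browse one bucket and read/write its objects, nothing else in S3.
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        # Discover the distribution and create invalidations; narrow Resource to a
        # distribution ARN where the action supports resource-level permissions.
        {"Effect": "Allow",
         "Action": ["cloudfront:ListDistributions", "cloudfront:GetDistribution",
                    "cloudfront:CreateInvalidation"],
         "Resource": "*"},
    ],
}

# (action, resource) pairs the Cyberduck workflow in the thread needs.
WORKFLOW_ACTIONS = [
    ("s3:ListAllMyBuckets", "*"),
    ("s3:ListBucket", f"arn:aws:s3:::{BUCKET}"),
    ("s3:PutObject", f"arn:aws:s3:::{BUCKET}/index.html"),
    ("cloudfront:CreateInvalidation", DISTRIBUTION_ARN),
]


def _as_list(value):
    """IAM accepts a single string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(candidate, patterns, case_insensitive):
    """IAM-style wildcard match ('*' and '?') of one value against a list of patterns."""
    if case_insensitive:
        candidate = candidate.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(candidate, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: default deny, an explicit Deny beats any Allow,
    otherwise at least one statement must allow the action on the resource.
    Action names are case-insensitive in IAM; ARNs are matched as written."""
    allowed = denied = False
    for stmt in policy["Statement"]:
        if not _matches(action, _as_list(stmt.get("Action")), case_insensitive=True):
            continue
        if not _matches(resource, _as_list(stmt.get("Resource")), case_insensitive=False):
            continue
        if stmt.get("Effect") == "Deny":
            denied = True
        elif stmt.get("Effect") == "Allow":
            allowed = True
    return allowed and not denied


def wildcard_grants(policy):
    """Indices of Allow statements granting every action on every resource,
    i.e. the full-administrator pattern of the thread's test policy."""
    return [
        i for i, stmt in enumerate(policy["Statement"])
        if stmt.get("Effect") == "Allow"
        and "*" in _as_list(stmt.get("Action"))
        and "*" in _as_list(stmt.get("Resource"))
    ]


def missing_permissions(policy, required):
    """Return the (action, resource) pairs in `required` that the policy does not allow."""
    return [(a, r) for a, r in required if not is_allowed(policy, a, r)]


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "wildcard statements:", wildcard_grants(policy),
              "| missing for workflow:", missing_permissions(policy, WORKFLOW_ACTIONS),
              "| allows iam:CreateUser:", is_allowed(policy, "iam:CreateUser", "*"))
```

Running the script shows that both policies cover every step of the workflow, but only the broad one also allows unrelated actions such as `iam:CreateUser`; the scoped policy is the one to keep once the Cyberduck-side bug is fixed, dropping the `s3:ListAllMyBuckets` statement if the client no longer needs it.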

Peter Bleszynski

Sep 30, 2011, 1:31:48 PM
to Cyberduck
Thank you!

It works in build 9050 with custom bucket hostnames and without
requiring the "s3:ListAllMyBuckets" permission. To be honest, I was
testing Windows build 9045 when I submitted the report.

Peter