我正在尝试使用ember-cli-deploy和ember-cli-deploy-cloudfront将ember应用程序部署到AWS CloudFront。
我在AWS中设置了我的存储桶和用户,为我的用户提供了AmazonS3FullAccess策略。
将我的.env.deploy.production文件设置为如下所示:
AWS_KEY=<my key>
AWS_SECRET=<my secret>
PRODUCTION_BUCKET=<app.<my domain>.com
PRODUCTION_REGION=us-east-1
PRODUCTION_DISTRIBUTION=<my cloudfront distribution id>
我的config/default.js看起来像这样:
/* jshint node: true */
module.exports = function(deployTarget) {
var ENV = {
build: {},
pipeline: {
activateOnDeploy: true
},
s3: {
accessKeyId: process.env.AWS_KEY,
secretAccessKey: process.env.AWS_SECRET,
filePattern: "*"
},
cloudfront: {
accessKeyId: process.env.AWS_KEY,
secretAccessKey: process.env.AWS_SECRET
}
};
if (deployTarget === 'staging') {
ENV.build.environment = 'production';
ENV.s3.bucket = process.env.STAGING_BUCKET;
ENV.s3.region = process.env.STAGING_REGION;
ENV.cloudfront.distribution = process.env.STAGING_DISTRIBUTION;
}
if (deployTarget === 'production') {
ENV.build.environment = 'production';
ENV.s3.bucket = process.env.PRODUCTION_BUCKET;
ENV.s3.region = process.env.PRODUCTION_REGION;
ENV.cloudfront.distribution = process.env.PRODUCTION_DISTRIBUTION;
}
return ENV;
};
我安装了ember-cli-deploy,ember-cli-deploy-cloudfront和ember install ember-cli-deploy-aws-pack。
当我运行ember deploy production
我收到此错误:
AccessDenied: User: arn:aws:iam::299188948670:user/Flybrary is not authorized to perform: cloudfront:CreateInvalidation
我的理解是ember-cli-deploy-cloudfront处理为你创建失效但是当我看到这个错误时,我进入了AWS IAM控制台并自己创建了一个失效。我尝试运行ember deploy production时仍然遇到同样的错误。
答案 0 :(得分:5)
IAM策略不允许限制对特定CloudFront分配的访问。解决方法是使用通配符作为资源,而不是仅引用特定的CloudFront资源。将其添加到您的IAM策略将解决您遇到的问题。
以下是工作IAM政策中的一个示例:
{
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"cloudfront:CreateInvalidation",
"cloudfront:GetInvalidation",
"cloudfront:ListInvalidations"
],
"Resource": "*"
}
]
}
文档: