Sunday, 15 March 2015

Authorise User to perform Cloudfront Action


Vote count:

0




I am trying to generate a signed_url for an image (restaurant_1_banner.png) I have stored on Amazon S3 using Boto.



    import boto, time
    from boto import cloudfront
    from boto.cloudfront import distribution

    # Placeholders: substitute your own credentials and key pair details
    AWS_ACCESS_KEY_ID = 'my_access_key'
    AWS_SECRET_ACCESS_KEY = 'my_secret_access_key'
    KEYPAIR_ID = 'my_keypair_id'
    KEYPAIR_FILE = 'my_key_pair_file'
    CF_DISTRIBUTION_ID = 'my_distribution_id'

    my_connection = cloudfront.CloudFrontConnection(
        AWS_ACCESS_KEY_ID,
        AWS_SECRET_ACCESS_KEY,
    )

    # Get or create origin access identity
    identities = my_connection.get_all_origin_access_identity()
    if len(identities) < 1:
        oai = my_connection.create_origin_access_identity(
            'access-identity-',
            'OAI for getting images'
        )
    else:
        oai = identities[0]

    # Use the first distribution in the account
    distro_summary = my_connection.get_all_distributions()[0]
    distro_info = my_connection.get_distribution_info(distro_summary.id)

    bucket = boto.connect_s3(
        AWS_ACCESS_KEY_ID,
        AWS_SECRET_ACCESS_KEY,
        host='s3-ap-southeast-2.amazonaws.com'
    ).get_bucket('menumaster')

    # Grant the origin access identity read access to the object
    key = bucket.get_key('restaurant_1_banner.png')
    key.add_user_grant("READ", oai.s3_user_id)

    distro = distro_summary.get_distribution()

    # Sign a URL that expires SECS seconds from now
    SECS = 8000
    signed_url = distro.create_signed_url(
        "https://%s/%s" % (distro_info.domain_name, 'restaurant_1_banner.png'),
        KEYPAIR_ID,
        expire_time=int(time.time() + SECS),
        valid_after_time=None,
        ip_address=None,
        policy_url=None,
        private_key_file=KEYPAIR_FILE
        #private_key_string=KEYPAIR_ID
    )

    # A bare `return` is only valid inside a function; print at module level
    print(signed_url)


I created a user, Giri, through the AWS Dashboard. I have not attached any policies to this account. The ACCESS_KEY and SECRET_ACCESS_KEY I used above were the ones generated for this account.


When I run the code, I receive the following error:



    <ErrorResponse xmlns="http://ift.tt/1jk9oaE">
      <Error>
        <Type>Sender</Type>
        <Code>AccessDenied</Code>
        <Message>
    User: arn:aws:iam::629495457101:user/Giri is not authorized to perform: cloudfront:ListCloudFrontOriginAccessIdentities</Message>
      </Error>
      <RequestId>045b9438-cb9a-11e4-9b0c-33b153a2a530</RequestId>
    </ErrorResponse>


This is the policy for my bucket:



    {
        "Version": "2008-10-17",
        "Id": "PolicyForCloudFrontPrivateContent",
        "Statement": [
            {
                "Sid": "1",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity --my OAI--"
                },
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::menumaster/*"
            }
        ]
    }


asked 21 secs ago

Giri

640
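
The AccessDenied error above names the first CloudFront call the script makes, and a user with no attached policy is implicitly denied every other call as well. As an added example (not part of the original post), this sketch maps each boto call in the script to the IAM action it needs, builds a least-privilege identity policy from that list, and runs a simplified allow/deny check; the call-to-action mapping, the function names and the simplified evaluator are assumptions of this example.

```python
import fnmatch
import json

BUCKET = "arn:aws:s3:::menumaster"
OBJ = BUCKET + "/restaurant_1_banner.png"
# (boto call in the script, IAM action it needs, resource). Assumed mapping,
# derived from the AWS API operation behind each call, in script order.
REQUIRED = [
    ("get_all_origin_access_identity", "cloudfront:ListCloudFrontOriginAccessIdentities", "*"),
    ("create_origin_access_identity", "cloudfront:CreateCloudFrontOriginAccessIdentity", "*"),
    ("get_all_distributions", "cloudfront:ListDistributions", "*"),
    ("get_distribution_info", "cloudfront:GetDistribution", "*"),
    ("get_bucket", "s3:ListBucket", BUCKET),
    ("get_key", "s3:GetObject", OBJ),
    ("add_user_grant (reads ACL)", "s3:GetObjectAcl", OBJ),
    ("add_user_grant (writes ACL)", "s3:PutObjectAcl", OBJ),
]

def build_policy(required=REQUIRED):
    """Least-privilege identity policy: one Allow statement per resource."""
    by_resource = {}
    for _call, action, resource in required:
        by_resource.setdefault(resource, []).append(action)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(set(actions)), "Resource": resource}
            for resource, actions in sorted(by_resource.items())
        ],
    }

def allowed(policy, action, resource):
    """Simplified IAM check: explicit Deny wins, then any Allow, else implicit deny."""
    verdict = False
    for st in policy.get("Statement", []):
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        ress = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        hit = (any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in acts)
               and any(fnmatch.fnmatchcase(resource, r) for r in ress))
        if hit and st["Effect"] == "Deny":
            return False
        verdict = verdict or (hit and st["Effect"] == "Allow")
    return verdict

def denied_calls(policy, required=REQUIRED):
    """Script calls, in order, that the given identity policy would not permit."""
    return [(c, a) for c, a, r in required if not allowed(policy, a, r)]

if __name__ == "__main__":
    print(json.dumps(build_policy(), indent=2))
```

Only the setup calls (OAI lookup or creation, the ACL grant) need IAM rights; `create_signed_url` signs locally with the key pair file, so a process that only issues signed URLs can run with a narrower policy than this one.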





