Tags: amazon-web-services, aws-lambda, boto3, amazon-cloudfront, connection-timeout

Can't connect to AWS Cloudfront using boto3


I have a Lambda function that tries to invalidate the cache of a Cloudfront distribution, but it times out. The same function successfully connects to SecretsManager.

# python code
import time

import boto3

session = boto3.session.Session()

# .... (config, distro, dict_name and art_id are set in the elided parts)

cf_client = session.client(service_name='cloudfront', config=config)

# ......

cf_client.create_invalidation(
    DistributionId=distro,
    InvalidationBatch={
        'Paths': {
            'Quantity': 1,
            'Items': [f'/api/dict/{dict_name}/article/{art_id}']
        },
        'CallerReference': str(time.time())
    }
)

I'm using this policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "cloudfront:*",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

I'm aware that S3 and SecretsManager require certain endpoints in VPC to be set up, is there something similar for Cloudfront?


Solution

  • is there something similar for Cloudfront?

    No, there is not. CloudFront does not have a VPC interface endpoint. You have to set up NAT to interact with CF from private subnets. Alternatively, you can do it indirectly through Lambda functions, which have a VPC interface endpoint.
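The failure mode behind the question is a TCP connect that never completes: the CloudFront control-plane API is a single public endpoint, and a function in a private subnet with no NAT route just hangs until the Lambda timeout. The following is an added example (not code from the question, the answer, or AWS) of how a practitioner would make that fail fast with a diagnostic instead, and then issue the invalidation. The egress probe, the `egress_advice` hint text, the `RecordingCloudFrontClient` stand-in, and the `distribution_id`/`path` event keys are all assumptions of this example; the real client is only created (lazily, with a short connect timeout) when no client is injected.

```python
"""Added example: fail fast when a VPC-attached Lambda has no egress to the
CloudFront API, then issue the invalidation through an injected client."""
import socket
import time
import uuid

# Global, public control-plane endpoint. It has no VPC interface endpoint, so a
# function in a private subnet reaches it only via a NAT gateway (or by handing
# the work to a Lambda that is not attached to the VPC).
CLOUDFRONT_API = ("cloudfront.amazonaws.com", 443)


def classify_error(exc):
    """Map a socket failure to a coarse status used for diagnostics."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"        # SYN sent, nothing came back: typical of a missing NAT route
    if isinstance(exc, socket.gaierror):
        return "dns_failure"    # name resolution failed
    if isinstance(exc, ConnectionRefusedError):
        return "refused"        # peer answered but the port is closed
    return "unreachable"        # ENETUNREACH, EHOSTUNREACH, ...


def probe_tcp(host, port, timeout=3.0):
    """One TCP connect attempt; returns (status, seconds) and never raises."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "reachable", time.monotonic() - start
    except OSError as exc:  # gaierror, timeout and connection errors are all OSError
        return classify_error(exc), time.monotonic() - start


def egress_advice(status):
    """Hint text (assumed wording) for the statuses a VPC Lambda is likely to hit."""
    hints = {
        "timeout": "no egress route to the public CloudFront API: add a NAT gateway "
                   "route (0.0.0.0/0) to the subnet, or delegate to a non-VPC Lambda "
                   "reached through the Lambda interface endpoint",
        "dns_failure": "name resolution failed: check VPC DNS resolution/hostnames settings",
        "refused": "port closed: something between the function and AWS is intercepting the connection",
        "unreachable": "no route: check the subnet route table and network ACLs",
        "reachable": "egress is fine; look at IAM permissions or the distribution ID instead",
    }
    return hints[status]


def invalidate_path(cf_client, distribution_id, path):
    """Single-path invalidation; the client is injected so it can be faked offline."""
    return cf_client.create_invalidation(
        DistributionId=distribution_id,
        InvalidationBatch={
            "Paths": {"Quantity": 1, "Items": [path]},
            # CallerReference must be unique per request; uuid4 avoids the
            # collision str(time.time()) has when two invocations share a second.
            "CallerReference": str(uuid.uuid4()),
        },
    )


class RecordingCloudFrontClient:
    """Stand-in client for running this file offline: records calls, returns a stub."""

    def __init__(self):
        self.calls = []

    def create_invalidation(self, **kwargs):
        self.calls.append(kwargs)
        return {"Invalidation": {"Id": "I-RECORDED", "Status": "InProgress"}}


def handler(event, context, cf_client=None):
    """Lambda entry point: verify egress first, then invalidate."""
    status, elapsed = probe_tcp(*CLOUDFRONT_API, timeout=3.0)
    if status != "reachable":
        raise RuntimeError(
            f"CloudFront API {status} after {elapsed:.1f}s: {egress_advice(status)}")
    if cf_client is None:
        import boto3
        from botocore.config import Config
        # Short connect timeout and few retries: a hung socket should fail the
        # invocation quickly rather than consume the whole Lambda timeout.
        cf_client = boto3.client("cloudfront", config=Config(
            connect_timeout=3, read_timeout=10, retries={"max_attempts": 2}))
    return invalidate_path(cf_client, event["distribution_id"], event["path"])
```

The probe costs one connect attempt per invocation; in a function that already has a NAT route it succeeds in milliseconds, and in one that does not it turns a silent timeout into an error message that names the fix.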