The invalidate_cf method calls ListDistributions to find the distribution matching the deploy domain. This requires broad IAM permissions (cloudfront:ListDistributions on *) since the API doesn't support resource-level scoping.
When the caller already knows the distribution ID (which is the case for all 4 repos using this gem), that call is unnecessary.
Proposed change: read CLOUDFRONT_DISTRIBUTION_ID from env in invalidate_cf. If set, use it directly and skip the ListDistributions lookup. Remove the fallback once all repos set the env var.
This lets IAM roles be scoped to specific distributions only.
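The resolution order described above, as an added example in Ruby (not the gem's own code): the env var wins, ListDistributions runs only as the fallback, and a blank env var is treated as unset instead of being sent to the API. The client and env hash are injected so the logic runs offline against a constructed fake that mirrors the aws-sdk-cloudfront response shapes; in the gem the client would be `Aws::CloudFront::Client.new`. The `scoped_iam_policy` helper, the `DistributionNotFound` error and the fake are assumptions for illustration.

```ruby
# frozen_string_literal: true
# Added example, not the gem's own code. Shows the proposed resolution order:
# CLOUDFRONT_DISTRIBUTION_ID from the environment first, ListDistributions only
# as a fallback. The client and env hash are injected so the logic runs offline
# against a constructed fake; in the gem the client would be Aws::CloudFront::Client.new.
require "securerandom"

module CfInvalidator
  ENV_KEY = "CLOUDFRONT_DISTRIBUTION_ID"
  class DistributionNotFound < StandardError; end # hypothetical error type

  # Fast path: an explicit ID means no ListDistributions call and therefore no
  # need for cloudfront:ListDistributions on Resource "*". An env var that is
  # set but blank is treated as unset rather than passed to the API.
  def self.resolve_distribution_id(domain, client:, env: ENV)
    id = env[ENV_KEY].to_s.strip
    return id unless id.empty?

    lookup_distribution_id(domain, client: client)
  end

  # Fallback (to be removed once every repo sets the env var): match the deploy
  # domain against each distribution's alternate domain names (aliases).
  # list_distributions is paginated; the SDK response yields one page per `each`.
  def self.lookup_distribution_id(domain, client:)
    client.list_distributions.each do |page|
      page.distribution_list.items.each do |dist|
        return dist.id if dist.aliases.items.include?(domain)
      end
    end
    raise DistributionNotFound, "no CloudFront distribution has alias #{domain}"
  end

  # Issues the invalidation and returns the distribution ID that was used.
  def self.invalidate_cf(domain, client:, paths: ["/*"], env: ENV)
    dist_id = resolve_distribution_id(domain, client: client, env: env)
    client.create_invalidation(
      distribution_id: dist_id,
      invalidation_batch: {
        paths: { quantity: paths.size, items: paths },
        caller_reference: SecureRandom.uuid # must be unique per request
      }
    )
    dist_id
  end

  # IAM policy the deploy role can carry once the fallback is gone: only
  # CreateInvalidation, only on the one distribution ARN. (Hypothetical helper.)
  def self.scoped_iam_policy(account_id, dist_id)
    {
      "Version" => "2012-10-17",
      "Statement" => [{
        "Effect" => "Allow",
        "Action" => "cloudfront:CreateInvalidation",
        "Resource" => "arn:aws:cloudfront::#{account_id}:distribution/#{dist_id}"
      }]
    }
  end
end

# Constructed fake mirroring the aws-sdk-cloudfront response shapes used above.
class FakeCloudFront
  Aliases = Struct.new(:items)
  Distribution = Struct.new(:id, :aliases)
  DistributionList = Struct.new(:items)
  Page = Struct.new(:distribution_list)

  attr_reader :list_calls, :invalidations

  def initialize(distributions)
    @distributions = distributions
    @list_calls = 0
    @invalidations = []
  end

  def list_distributions
    @list_calls += 1
    [Page.new(DistributionList.new(@distributions))] # single page
  end

  def create_invalidation(distribution_id:, invalidation_batch:)
    @invalidations << [distribution_id, invalidation_batch[:paths][:items]]
    { distribution_id: distribution_id }
  end
end

if $PROGRAM_NAME == __FILE__
  fake = FakeCloudFront.new([
    FakeCloudFront::Distribution.new("EXAMPLE1111111", FakeCloudFront::Aliases.new(["www.example.org"])),
    FakeCloudFront::Distribution.new("EXAMPLE2222222", FakeCloudFront::Aliases.new(["docs.example.org"]))
  ])
  CfInvalidator.invalidate_cf("docs.example.org", client: fake, env: { "CLOUDFRONT_DISTRIBUTION_ID" => "EXAMPLE2222222" })
  puts "with env var: ListDistributions calls = #{fake.list_calls}"
  CfInvalidator.invalidate_cf("docs.example.org", client: fake, env: {})
  puts "without env var: ListDistributions calls = #{fake.list_calls}"
end
```

With the env var set the fake records zero ListDistributions calls, which is what lets the role drop the wildcard statement; the fallback path still needs it until the last repo is migrated, so the two statements coexist in the role only during the transition.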