The easiest way to create an invalidation in the Amazon AWS CloudFront API

First method: (manually) by AWS web interface (easy)

Normally, to create an invalidation (clear cache) for a cloudfront distribution, you would:

Next I will show you how to do the same thing automatically from code / command line interface

You might need this for example if something updated on your site and you need to clear CloudFront cache (create invalidation) for a given url on your site without manually logging to AWS web interface.

I found that easiest way to do this is by running awscli, the official program that is provided by Amazon AWS and it comes with most Linux distributions

Don't worry, installing awscli is extremly easy and configuration is as simple as providing access key and secret key

Install aws cli

Run this in your server's SSH console:

yum install awscli.noarch

If it says it cannot find awscli (full name awscli.noarch) then you need to install epel (Extra Packages for Enterprise Linux)

yum install epel-release.noarch

Now try to install aws cli again:

yum install awscli.noarch

Once installed you can test that program exists, with command: aws --version

The single configuration step for aws / awscli is to provide cretentials, run this command:

aws configure

It will ask for AWS Access Key ID and AWS Secret Access Key. You can click enter for all the other prompts, like default region, etc.

At the bottom of this page, I included some details on how to get AWS Access Key ID and AWS Secret Access Key.

Now you are ready to create an invalidation from command line. Here is a sample command:

aws cloudfront create-invalidation --distribution-id EZD3J5ZZZJ1TU --paths "/landscape.jpg"

It will reply with a confirmation, but if you need to double check, you should see this invalidation as "In progress", then switching to "Completed" inside the AWS web interface for this CloudFront distribution.

Running AWS cloudfront invalidation command from PHP code

If you need to run this command from PHP, you can do this with PHP exec() function.

First, you need to specify the credentials by "export" before calling the aws program, because in PHP environment, it will not be able to automatically detect the configuration of aws cli.

Secondly, it's a good practice to use full path of bash commands (otherwise PHP or crontab environments might not find the commands), for example, first run which aws to get full path to aws cli program, in my case it returns /usr/bin/aws, then use that in PHP.


$aws_credentials = 'export AWS_ACCESS_KEY_ID=12345; export AWS_SECRET_ACCESS_KEY=6789; ';
exec($aws_credentials.'/usr/bin/aws cloudfront create-invalidation --distribution-id EZD3J5ZZZJ1TU --paths "/landscape.jpg"', $output);

Getting AWS Access Key ID and AWS Secret Access Key from Amazon AWS

Amazon recommends to create a special user for each function and avoid using your default / root keys in your applications.

On AWS web panel interface I went to "services" and open "IAM" Manage access to AWS resources

Select IAM on aws panel

On IAM page, there is an area called "IAM resources", click the users:

Click IAM users

click "create user" on top right corner:

Click create user

Under username I wrote something like cloudfront-user-for-example-site

No need to check "Provide user access to the AWS Management Console", not for this cloudfront invalidation purpose.

Now it will move to a page saying "Set Permissions", under "Permission Options" first select "Attach policies directly", then click "Create policy":

Click attach policies directly

Now under the policy editor, type in and select CloudFront service:

type in and select CloudFront service

Now under "actions allowed", type in and select "create invalidation":

Select create invalidation under actions allowed

Then click "next" on bottom right corner, on next page give it a policy name and description and again the "create policy" confirmation button on bottom right corner

You will get this confirmation page:

policy created confirmation

Now you can leave this page, the previous page should have remain open in another window, the one where you selected "Attach policies directly" and "Permission policies" underneath. On that page, search and select the new policy name you just created, and click "next" on bottom right corner.

Next button should be last step saying "create user" in bottom right corner.

Now on the list of users, click the user you created, then under "security credentials" tab, click "create access key":

click create access key

Under "use case" select "Command Line Interface (CLI)".

Lastly, you should get a page like this, copy the Access key and Secret access key:

get access keys

These are the Access key and Secret access key that you need during the aws configure command when configuring the aws cli mentioned above.