From 55ea8f8532678ae451881cba98233ad145f90447 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Thu, 5 Jan 2023 11:20:42 +0000 Subject: [PATCH] Document the policy needed to create invalidations in CloudFront --- docs/reference/contrib/frontendcache.md | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/docs/reference/contrib/frontendcache.md b/docs/reference/contrib/frontendcache.md index d4e8d0d21b..74c64a85cb 100644 --- a/docs/reference/contrib/frontendcache.md +++ b/docs/reference/contrib/frontendcache.md @@ -105,7 +105,21 @@ WAGTAILFRONTENDCACHE = { } ``` -Configuration of credentials can done in multiple ways. You won't need to store them in your Django settings file. You can read more about this here: [Boto 3 Docs](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html). +Configuration of credentials can done in multiple ways. You won't need to store them in your Django settings file. You can read more about this here: [Boto 3 Docs](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html). The user will need a policy similar to: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowWagtailFrontendInvalidation", + "Effect": "Allow", + "Action": "cloudfront:CreateInvalidation", + "Resource": "arn:aws:cloudfront:::distribution/" + } + ] +} +``` In case you run multiple sites with Wagtail and each site has its CloudFront distribution, provide a mapping instead of a single distribution. Make sure the mapping matches with the hostnames provided in your site settings.
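Review bot: In the added policy, the `Resource` value `arn:aws:cloudfront:::distribution/` has an empty account ID field and nothing after `distribution/`, so a reader who copies it as shown gets a statement that names no distribution. Suggest making the placeholders explicit, for example `arn:aws:cloudfront::<account-id>:distribution/<distribution-id>`, and adding a sentence that sites using the per-hostname distribution mapping described in the following paragraph need each distribution's ARN listed in `Resource`. Since the sentence above the policy is being rewritten anyway, "can done" should become "can be done", and "The user" would be clearer as the IAM user or role whose credentials boto3 resolves, because the linked Boto 3 configuration page covers more than IAM users.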