AWS Cloudfront: Credential should be scoped to a valid region

Question

When connecting to AWS CloudFront via the API, no matter what I do, I get the Exception:

Credential should be scoped to a valid region

The same credentials work on any other request the account has permissions for, like S3.

Answer 1

The Exception is caused by accessing CloudFront with any Region set other than "us-east-1". Because CloudFront is basically regionless, it requires you to use only the default region "us-east-1" to talk to it.

http://docs.aws.amazon.com/general/latest/gr/signature-v4-troubleshooting.html

You can workaround this by using the same credentials you use elsewhere but instantiate the CloudFront client with the Region explicitly set:

AmazonCloudFrontClient client = new AmazonCloudFrontClient(Amazon.RegionEndpoint.USEast1);

Which does beg the follow-on question: Why does the API not just do this for you?

Edit: Issue posted. https://github.com/aws/aws-sdk-net/issues/115

Answer 2

This answer is for anyone who's trying to resolve Credential should be scoped to a valid region error in general

You'll receive the same type of invalid Region response from Amazon products that are available in multiple Regions if you submit requests to a Region that differs from the Region specified in your credential scope.

The credential must also specify the correct Region for the service and action in your request.

from https://docs.amazonaws.cn/en_us/general/latest/gr/signature-v4-troubleshooting.html

In simple terms, the region you have set should match with the region mentioned in your query (sdk api call, rest api call or any other)

If you still get the same error even after specifying the same region, it's probably because the query format expects region name in the endpoint like https://elasticloadbalancing.eu-west-1.amazonaws.com