diff --git a/deploy/cloudfront.go b/deploy/cloudfront.go
index 2f673dc97b2..8ed9b858d91 100644
--- a/deploy/cloudfront.go
+++ b/deploy/cloudfront.go
@@ -18,6 +18,7 @@ package deploy
 
 import (
 	"context"
+	"net/url"
 	"time"
 
 	"github.com/aws/aws-sdk-go/aws"
@@ -26,14 +27,18 @@ import (
 )
 
 // InvalidateCloudFront invalidates the CloudFront cache for distributionID.
-// It uses the default AWS credentials from the environment.
-func InvalidateCloudFront(ctx context.Context, distributionID string) error {
-	sess, err := gcaws.NewDefaultSession()
+// Uses AWS credentials config from the bucket URL.
+func InvalidateCloudFront(ctx context.Context, target *Target) error {
+	u, err := url.Parse(target.URL)
+	if err != nil {
+		return err
+	}
+	sess, _, err := gcaws.NewSessionFromURLParams(u.Query())
 	if err != nil {
 		return err
 	}
 	req := &cloudfront.CreateInvalidationInput{
-		DistributionId: aws.String(distributionID),
+		DistributionId: aws.String(target.CloudFrontDistributionID),
 		InvalidationBatch: &cloudfront.InvalidationBatch{
 			CallerReference: aws.String(time.Now().Format("20060102150405")),
 			Paths: &cloudfront.Paths{
diff --git a/deploy/deploy.go b/deploy/deploy.go
index 60a3da36382..26fac897544 100644
--- a/deploy/deploy.go
+++ b/deploy/deploy.go
@@ -271,7 +271,7 @@ func (d *Deployer) Deploy(ctx context.Context) error {
 				}
 			} else {
 				d.logger.Println("Invalidating CloudFront CDN...")
-				if err := InvalidateCloudFront(ctx, d.target.CloudFrontDistributionID); err != nil {
+				if err := InvalidateCloudFront(ctx, d.target); err != nil {
 					d.logger.Printf("Failed to invalidate CloudFront CDN: %v\n", err)
 					return err
 				}