docs(cloudfront): specify that cloudront does not support updating the key (#34676)

leonmk-aws · web-flow · commit 96b494d22214 · 2025-06-11T09:30:34.000Z
### Issue # (if applicable) Related to #15301. ### Reason for this change The error message returned by cloudformation when trying to update a public key is not helping user diagnose that the updating of certain fields of a PublicKey is not supported. ### Description of changes Updated the doc to reflect that updating the fields is not allowed. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/aws-cdk-lib/aws-cloudfront/README.md b/packages/aws-cdk-lib/aws-cloudfront/README.md
@@ -1247,6 +1247,14 @@ new cloudfront.KeyGroup(this, 'MyKeyGroup', {
 });
 ```
 
+When using a CloudFront PublicKey, only the `comment` field can be updated after creation. Fields such as `encodedKey` and `publicKeyName` are immutable, as outlined in the [API Reference](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdatePublicKey.html). Attempting to modify these fields will result in an error:
+```
+Resource handler returned message: "Invalid request provided: AWS::CloudFront::PublicKey"
+```
+
+To update the `encodedKey`, you must change the logical ID of the public key resource in your template. This causes CloudFormation to create a new `cloudfront.PublicKey` resource and delete the old one during the next deployment.
+
+
 See:
 
 - <https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html>
