Question 95719 in Amazon Web Sevices Question posted in
The official Amazon Web Services documentation can be found here.

AWS Cloudfront on Lambda Function via the Function URL url returning 403 Fobidden – Amazon web services

I have setup a lambda function url and cloudfront system

  1. Lambda Function Url is straight forward, a function that will return an image or a json value
  2. Cloudfront using this setting:
    • Origins:
      • Origin Domain: {LAMBDA FUNCTION URL}
      • Protocol: HTTPS only – TLSv1
      • Enable Origin Shield: No
    • Behavior:
      • Viewer: Redirect HTTP to HTTPS
      • Allowed HTTP Method: GET, HEAD
      • Restrict Viewer Access: No
      • Cache Policy: Managed-CachingDisabled
      • Origin request policy: AllViewer

The result however always return 403 Forbidden with this body

{ "Message": null }

And this header

X-cache: Error from cloudfront
x-amzn-ErrorType: AccessDeniedException

Is there any setting that I missed that cause this error?
I already test direct hit using postman and browser to the function url an it works fine

Tags:

2

Answers


  1. 0

    You will probably need to apply a resource based policy on the lambda function to allow cloudfront to invoke it. Go to the lambda function –> configuration –> permissions –> Resource based policy. Add a new permission specifying the arn of the cloudfront distribution and the Action of "lambda:InvokeFunction". Hope this helps?

    Login or Signup to reply.
  2. 0

    UPDATE – In your Origin Request Policy, set the new AllViewerExceptHost managed policy. That will forward all viewer headers except the Host header. Recommend you pair this with the CachingDisabled managed Cache Policy.

    The issue could be that you are forwarding the Host header to your origin (Lambda Function URLs) via the AllViewer Origin Request Policy (ORP) that is attached to your cache behavior.

    Why does this happen? You are using the AllViewer origin request policy, which forwards all HTTP request headers received from the viewer to your origin. So when CloudFront handles a request for d123.cloudfront.net—or even example.com as a configured CNAME—CloudFront will forward that value in the Host HTTP request header to your Lambda Function URLs origin. Because there is no function URL that resolves to that name, Lambda cannot find the function and returns a 403 Access Denied.

    How to resolve: Instead of attaching the AllViewer origin request policy, create a custom origin request policy that forwards only the headers you need. Importantly, do not forward the Host header. Once this is configured, CloudFront will use your origin’s hostname as the Host header—which Lambda will be able to resolve.

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search