I have setup a lambda function url and cloudfront system
- Lambda Function Url is straight forward, a function that will return an image or a json value
- Cloudfront using this setting:
- Origins:
- Origin Domain: {LAMBDA FUNCTION URL}
- Protocol: HTTPS only – TLSv1
- Enable Origin Shield: No
- Behavior:
- Viewer:
Redirect HTTP to HTTPS
- Allowed HTTP Method:
GET, HEAD
- Restrict Viewer Access:
No
- Cache Policy:
Managed-CachingDisabled
- Origin request policy:
AllViewer
- Viewer:
- Origins:
The result however always return 403 Forbidden
with this body
{ "Message": null }
And this header
X-cache: Error from cloudfront
x-amzn-ErrorType: AccessDeniedException
Is there any setting that I missed that cause this error?
I already test direct hit using postman and browser to the function url an it works fine
2
Answers
You will probably need to apply a resource based policy on the lambda function to allow cloudfront to invoke it. Go to the lambda function –> configuration –> permissions –> Resource based policy. Add a new permission specifying the arn of the cloudfront distribution and the Action of "lambda:InvokeFunction". Hope this helps?
UPDATE – In your Origin Request Policy, set the new AllViewerExceptHost managed policy. That will forward all viewer headers except the
Host
header. Recommend you pair this with theCachingDisabled
managed Cache Policy.The issue could be that you are forwarding the
Host
header to your origin (Lambda Function URLs) via the AllViewer Origin Request Policy (ORP) that is attached to your cache behavior.Why does this happen? You are using the AllViewer origin request policy, which forwards all HTTP request headers received from the viewer to your origin. So when CloudFront handles a request for
d123.cloudfront.net
—or evenexample.com
as a configured CNAME—CloudFront will forward that value in theHost
HTTP request header to your Lambda Function URLs origin. Because there is no function URL that resolves to that name, Lambda cannot find the function and returns a 403 Access Denied.How to resolve: Instead of attaching the AllViewer origin request policy, create a custom origin request policy that forwards only the headers you need. Importantly, do not forward the
Host
header. Once this is configured, CloudFront will use your origin’s hostname as the Host header—which Lambda will be able to resolve.