Reputation: 11598
I am trying to update my CloudFront distribution using CDK. While updating, it mentions this error message.
Lambda@Edge cannot retrieve the specified Lambda function. Update the IAM policy to add permission: lambda:GetFunction for resource: arn:aws:lambda:us-east-1:xxxxxxxx:function:edge-lambda-stack-xxxxxxx-xxxxxxxx-xxxxxxx:1
After inspecting, I found this AWS docs link: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-edge-permissions.html
However, I am unable to understand where to add these permissions. Can somebody guide me where to add the lambda:GetFunction permission?
CDK Code
const uriRedirector = new cloudfront.experimental.EdgeFunction(
  this,
  'UriRedirector',
  {
    code: lambda.Code.fromAsset('dist/events/object-cache/uri-redirector'),
    runtime: lambda.Runtime.NODEJS_14_X,
    handler: 'index.handle',
  }
)
this.distribution = new cloudfront.Distribution(this, 'Distribution2', {
  defaultBehavior: {
    origin: s3Origin,
    edgeLambdas: [
      {
        // currentVersion is a published version; Lambda@Edge requires a version ARN, not $LATEST
        functionVersion: uriRedirector.currentVersion,
        eventType: cloudfront.LambdaEdgeEventType.ORIGIN_REQUEST,
      },
    ],
    originRequestPolicy: defaultBehaviourOriginRequestPolicy,
    viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.HTTPS_ONLY,
    allowedMethods: cloudfront.AllowedMethods.ALLOW_ALL,
  },
  // .... (remaining distribution properties omitted in the question)
})
// Keep the logical ID of the previous distribution so the update does not replace it
const cfnDistribution = this.distribution.node.defaultChild as cloudfront.CfnDistribution
cfnDistribution.overrideLogicalId(props.oldDistributionLogicalId)
Upvotes: 0
Views: 4726
Reputation: 420
The error is misleading. Though it says that Lambda@Edge needs the lambda:GetFunction permission, it's really the user or role that creates (or updates) a CloudFront distribution that needs this and a few more permissions. You can find all the permissions needed in the "IAM permissions required to associate Lambda@Edge functions with CloudFront distributions" section. iam:CreateServiceLinkedRole is used to create a service role only once; I usually don't include it.
Also note that all lambda:... permissions should have a Lambda function version ARN, like arn:aws:lambda:us-east-1:123456789012:function:my-function:2, which is very inconvenient. The function ARN arn:aws:lambda:us-east-1:123456789012:function:my-function won't work. Fortunately, you can replace the version with *, like arn:aws:lambda:us-east-1:123456789012:function:my-function:*.
Your user or role policy should have statements like the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lambda:GetFunction",
        "lambda:EnableReplication*",
        "lambda:DisableReplication*"
      ],
      "Resource": [
        "arn:aws:lambda:us-east-1:123456789012:function:my-function:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudfront:CreateDistribution"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
Upvotes: 3
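The version-ARN pitfall described in the answer above, as an added TypeScript example that is not part of the question or either answer: it builds the deployer's statement from an unqualified function ARN and lints a policy with IAM-style "*" matching, so you can see before deploying that a Resource of the bare function ARN does not cover the ":2" version ARN CloudFront asks for, while ":*" does. The ARNs and account id are constructed sample values.

```typescript
// Added example: pre-deploy lint for the deploying principal's IAM policy.
type Statement = { Effect: string; Action: string[]; Resource: string[] };

// IAM treats "*" in an Action or Resource as a wildcard for any run of
// characters, including ":" (so "...:my-function:*" matches "...:my-function:2").
function iamMatch(pattern: string, value: string): boolean {
  const escaped = pattern
    .split('*')
    .map(s => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + escaped.join('.*') + '$').test(value);
}

// Actions the answer lists for the user/role that associates the function.
const EDGE_ACTIONS = [
  'lambda:GetFunction',
  'lambda:EnableReplication*',
  'lambda:DisableReplication*',
];

// Build the statement from the *unqualified* function ARN; appending ":*"
// is what makes it cover every published version (":1", ":2", ...).
function edgeDeployStatement(functionArn: string): Statement {
  return { Effect: 'Allow', Action: EDGE_ACTIONS, Resource: [`${functionArn}:*`] };
}

// Return the required actions that no Allow statement grants on versionArn.
function missingActions(
  statements: Statement[],
  versionArn: string,
  required: string[] = ['lambda:GetFunction'],
): string[] {
  return required.filter(action =>
    !statements.some(s =>
      s.Effect === 'Allow' &&
      s.Action.some(a => iamMatch(a, action)) &&
      s.Resource.some(r => iamMatch(r, versionArn))));
}

// Constructed sample values (placeholder account id) mirroring the answer's ARNs.
const fnArn = 'arn:aws:lambda:us-east-1:123456789012:function:my-function';
const versionArn = `${fnArn}:2`;
const wrong: Statement = { Effect: 'Allow', Action: ['lambda:GetFunction'], Resource: [fnArn] };
console.log('bare function ARN, missing:', missingActions([wrong], versionArn));      // ['lambda:GetFunction']
console.log('":*" resource, missing:', missingActions([edgeDeployStatement(fnArn)], versionArn)); // []
```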
Reputation: 7
You will create an IAM policy in IAM and attach the policy to a user or role.
By default, AWS Lambda automatically creates a role; you can attach the policy to that role.
Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Lambda",
      "Effect": "Allow",
      "Action": [
        "lambda:AddPermission",
        "lambda:CreateFunction",
        "lambda:DeleteFunction",
        "lambda:GetFunction",
        "lambda:GetFunctionConfiguration",
        "lambda:ListTags",
        "lambda:RemovePermission",
        "lambda:TagResource",
        "lambda:UntagResource",
        "lambda:UpdateFunctionCode",
        "lambda:UpdateFunctionConfiguration",
        "lambda:GetLayerVersion"
      ],
      "Resource": [
        "arn:aws:lambda:us-east-1:xxxxxxxx:function:edge-lambda-stack-xxxxxxx-xxxxxxxx-xxxxxxx:*"
      ]
    }
  ]
}
Upvotes: -2