Reputation: 73
I have set up a Lambda function URL and CloudFront system with these settings:
- Redirect HTTP to HTTPS
- GET, HEAD
- No
- Managed-CachingDisabled
- AllViewer
The result, however, always returns 403 Forbidden with this body:
{ "Message": null }
And these headers:
X-cache: Error from cloudfront
x-amzn-ErrorType: AccessDeniedException
Is there any setting that I missed that causes this error? I already tested a direct hit to the function URL using Postman and the browser, and it works fine.
Upvotes: 7
Views: 4621
Reputation: 109
Go to lambda function -> configuration -> Function URL -> Change Auth Type to None
Upvotes: -2
Reputation: 1694
UPDATE - In your Origin Request Policy, set the new AllViewerExceptHost managed policy. That will forward all viewer headers except the Host header. Recommend you pair this with the CachingDisabled managed Cache Policy.
The issue could be that you are forwarding the Host header to your origin (Lambda Function URLs) via the AllViewer Origin Request Policy (ORP) that is attached to your cache behavior.
Why does this happen? You are using the AllViewer origin request policy, which forwards all HTTP request headers received from the viewer to your origin. So when CloudFront handles a request for d123.cloudfront.net—or even example.com as a configured CNAME—CloudFront will forward that value in the Host HTTP request header to your Lambda Function URLs origin. Because there is no function URL that resolves to that name, Lambda cannot find the function and returns a 403 Access Denied.
How to resolve: Instead of attaching the AllViewer origin request policy, create a custom origin request policy that forwards only the headers you need. Importantly, do not forward the Host header. Once this is configured, CloudFront will use your origin's hostname as the Host header—which Lambda will be able to resolve.
Upvotes: 11
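An added check (not part of the answer above) that walks a distribution config and flags every cache behavior whose origin request policy would forward the viewer Host header to a Lambda Function URL origin, which is exactly the 403 condition the answer describes. It assumes the dict shapes returned by boto3's get_distribution_config()["DistributionConfig"] and get_origin_request_policy_config()["OriginRequestPolicyConfig"]; the sample distribution, policy IDs and domain below are constructed placeholders, and the Function URL domain pattern is an assumption for the commercial partition.

```python
import re

# Lambda Function URL origin domains look like <id>.lambda-url.<region>.on.aws (assumed pattern)
LAMBDA_URL_RE = re.compile(r"\.lambda-url\.[a-z0-9-]+\.on\.aws$")

def policy_forwards_host(orp_config):
    """True if an OriginRequestPolicyConfig would forward the viewer's Host header."""
    headers = orp_config["HeadersConfig"]
    behavior = headers["HeaderBehavior"]
    listed = {h.lower() for h in headers.get("Headers", {}).get("Items", [])}
    if behavior in ("allViewer", "allViewerAndWhitelistCloudFront"):
        return True
    if behavior == "whitelist":
        return "host" in listed
    if behavior == "allExcept":          # shape used by the managed "except Host" policy
        return "host" not in listed
    return False                         # "none"

def find_host_forwarding_behaviors(dist_config, policies):
    """Return (path pattern, origin domain, policy id) for each cache behavior that
    sends the viewer Host header to a Lambda Function URL origin."""
    origins = {o["Id"]: o["DomainName"] for o in dist_config["Origins"]["Items"]}
    behaviors = [("(default)", dist_config["DefaultCacheBehavior"])]
    behaviors += [(b["PathPattern"], b)
                  for b in dist_config.get("CacheBehaviors", {}).get("Items", [])]
    findings = []
    for pattern, behavior in behaviors:
        domain = origins[behavior["TargetOriginId"]]
        policy_id = behavior.get("OriginRequestPolicyId")
        if policy_id and LAMBDA_URL_RE.search(domain) and policy_forwards_host(policies[policy_id]):
            findings.append((pattern, domain, policy_id))
    return findings

# Constructed sample mirroring the question's setup; IDs and domain are placeholders.
SAMPLE_POLICIES = {
    "orp-allviewer": {"HeadersConfig": {"HeaderBehavior": "allViewer"}},
    "orp-except-host": {"HeadersConfig": {"HeaderBehavior": "allExcept",
                                          "Headers": {"Quantity": 1, "Items": ["Host"]}}},
}
SAMPLE_DIST = {
    "Origins": {"Quantity": 1, "Items": [
        {"Id": "lambda-url-origin", "DomainName": "abc123.lambda-url.us-east-1.on.aws"}]},
    "DefaultCacheBehavior": {"TargetOriginId": "lambda-url-origin",
                             "OriginRequestPolicyId": "orp-allviewer"},
    "CacheBehaviors": {"Quantity": 0, "Items": []},
}
if __name__ == "__main__":
    for pattern, domain, policy_id in find_host_forwarding_behaviors(SAMPLE_DIST, SAMPLE_POLICIES):
        print(f"{pattern}: policy {policy_id} forwards Host to {domain} -> expect 403 from Lambda")
```

Switching the sample's DefaultCacheBehavior to "orp-except-host" produces no findings, which is the state the answer's fix leaves the distribution in.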
Reputation: 409
You will probably need to apply a resource based policy on the lambda function to allow cloudfront to invoke it. Go to the lambda function --> configuration --> permissions --> Resource based policy. Add a new permission specifying the arn of the cloudfront distribution and the Action of "lambda:InvokeFunction". Hope this helps?
Upvotes: 0