2 Answers
0
Hello.
Are you accessing the Lambda URL directly?
Are you accessing the CloudFront URL (https://example.cloudfront.net/) instead of the Lambda URL?
Also, is the CloudFront distribution ID set in the Lambda resource-based policy correct?
0
Ok, I found what I missed! The Policy was good BUT the function URL Auth type must be set to "AWS_IAM"! This part was not described in the AWS documentation. Thanks for your help @Riku_Kobayashi
Here is my policy that works:
```
{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "AllowCloudFrontServicePrincipal",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudfront.amazonaws.com"
      },
      "Action": "lambda:InvokeFunctionUrl",
      "Resource": "arn:aws:lambda:region:accountid:function:myFunction",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:cloudfront::accountid:distribution/distribID"
        }
      }
    }
  ]
}
```
Answered 1 month ago
@willysup - I am having similar issues however it only doesn't work when I send a POST with body data to CF to send to the lambda. If you POST with body data does it successfully send to your lambda?
I can't access the URL, directly or using the distribution URL. Always the same error: {"Message":"Forbidden"}. On the Lambda resource-based policy, if I add the default public policy, the URL is accessible (directly or using the CloudFront URL).
By the way, is the authentication method for the Lambda function URL set to IAM authentication?
If the authentication method is IAM, you can access it from CloudFront if the following resource-based policy is set for Lambda.
If the authentication method was "NONE", access was not possible without the following resource-based policy.
No it is not, as the documentation does not ask to configure it. This is the configuration described in the doc :
But I tried to set it, but it doesn't seem to work either. This is my current Lambda Policy (without IAM authentication):
I tried this one but it doesn't work either: