Could not intercept viewer request with lambda edge

Question

I am trying to implement OIDC flow for my CDN application,
As a starting point wanted to intercept the request to CDN through Lamda Edge Viewer request. 
Created a Sample Lambda edge function with the following code just to intercept the flow:

```
exports.handler = async (event, context) => {
    const request = event.Records[0].cf.request;
    const headers = request.headers;

// Add custom header to request headers
    headers['x-custom-header'] = [{ key: 'X-Custom-Header', value: 'MyCustomValue' }];

// Return the modified request to CloudFront

return {
		status: '302',
		statusDescription: 'Found',
		body: 'Redirecting to OIDC provider',
		headers: {
			location: [
				{
					key: 'Location',
					value: `https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=asdsa-0a7d-40d7-bd35-XXX`
				}
			]
		}
	};
};
```

And attached the roles:

**Trusted relation Ship:**
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "edgelambda.amazonaws.com",
                    "lambda.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

`{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudfront:ListDistributions",
                "cloudfront:UpdateDistribution",
                "cloudfront:GetDistributionConfig"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "CloudfrontLambdaRoleCloudFrontPermissions"
        },
        {
            "Action": [
                "s3:PutBucketAcl",
                "s3:GetBucketAcl"
            ],
            "Resource": "arn:aws:s3:::*",
            "Effect": "Allow",
            "Sid": "CloudfrontLambdaRoleS3Permissions"
        },
        {
            "Action": "logs:CreateLogGroup",
            "Resource": "arn:aws:logs:*:ACCID:*",
            "Effect": "Allow",
            "Sid": "CloudfrontLambdaRoleCreateLogGroupPermissions"
        },
        {
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:*:ACC_ID:log-group:/aws/lambda/*:*",
            "Effect": "Allow",
            "Sid": "CloudfrontLambdaRoleLogsStreamLogEventsPermissions"
        }
    ]
}`

**ATTACHED LambdaEdge to CDN AS **
Viewer request
Lambda@Edge
arn:aws:lambda:us-east-1:ACC_ID:function:oidc-handler:1

But when I access CDN I get following error:

503 ERROR
The request could not be satisfied.
The Lambda function associated with the CloudFront distribution is invalid or doesn't have the required permissions.

Could you please if I am missing any further steps:

Answer

Hi, you should initially try with AWSLambdaBasicExecutionRole.

See https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSLambdaBasicExecutionRole.html for its detailled JSON policy document.

When this works, you can move from there by extending this basic role to match your specific requriements.

Best,

Didier

Could not intercept viewer request with lambda edge

관련 콘텐츠