Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Connecting Cloudfront to Lambda Function Url Always Result in forbidden

3

I have setup a lambda function url and cloudfront system

  1. Lambda Function Url is straight forward, a function that will return an image or a json value
  2. Cloudfront using this setting:
    • Origins:
      • Origin Domain: {LAMBDA FUNCTION URL}
      • Protocol: HTTPS only - TLSv1
      • Enable Origin Shield: No
    • Behavior:
      • Viewer: Redirect HTTP to HTTPS
      • Allowed HTTP Method: GET, HEAD
      • Restrict Viewer Access: No
      • Cache Policy: Managed-CachingDisabled
      • Origin request policy: AllViewer

The result however always return 403 Forbidden with this body

{ "Message": null }

And this header

X-cache: Error from cloudfront
x-amzn-ErrorType: AccessDeniedException

Is there any setting that I missed that cause this error? I already test direct hit using postman and browser to the function url an it works fine

Topics
ServerlessComputeNetworking & Content Delivery
Tags
Amazon CloudFrontAWS Lambda
Language
English
asked 3 years ago4.6K views
3 Answers
3
Accepted Answer

Thanks for the detailed description. You are getting 403 Forbidden due to the origin request policy AllViewer being used. In this case, when you access the website via CloudFront URL, the Host header similar to d12345678.cloudfront.net will be forwarded to the Lambda which will not be recognized, resulting in 403.

The solution is to create your custom origin request policy and only forward the necessary values (but not the Host header.)

AWS
answered 3 years ago
  • ndk-fj
    3 years ago

    Thank you, it works so well, for my case, I also need to also forward origin and user-agent but it is because of my lambda function code.

0

This has to be configured at both ends: in the lambda and in CloudFront.

Function URL configuration:

  • Auth type: AWS_IAM
  • CORS are irrelevant if no CORS protocol is involved, but you are likely to run into them even with localhost

CloudFront configuration:

  • origin access with signed requests
  • CachingDisabled policy
  • OPTIONS caching setting is irrelevant since caching is disabled via CachingDisabled policy
  • Managed-AllViewerExceptHostHeader request policy
  • No response policy

This blog post has several detailed examples of different configurations that work: https://dev.to/rimutaka/aws-lambda-with-cloudfront-cors-authorization-and-caching-examples-1i9c

answered a year ago
-2

Please check out this blog if you haven't already - https://aws.amazon.com/blogs/networking-and-content-delivery/using-amazon-cloudfront-with-aws-lambda-as-origin-to-accelerate-your-web-applications/

AWS
EXPERT
answered 3 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content