Connecting Cloudfront to Lambda Function Url Always Result in forbidden

Question

I have setup a lambda function url and cloudfront system
1. Lambda Function Url is straight forward, a function that will return an image or a json value
2. Cloudfront using this setting:
    - Origins:
        - Origin Domain: {LAMBDA FUNCTION URL}
        - Protocol: HTTPS only - TLSv1
        - Enable Origin Shield: No 
    - Behavior: 
        - Viewer: `Redirect HTTP to HTTPS`
        - Allowed HTTP Method: `GET, HEAD`
        - Restrict Viewer Access: `No`
        - Cache Policy: `Managed-CachingDisabled`
        - Origin request policy: `AllViewer`

The result however always return `403 Forbidden` with this body
```
{ "Message": null }
```
And this header
```
X-cache: Error from cloudfront
x-amzn-ErrorType: AccessDeniedException
```

Is there any setting that I missed that cause this error?
I already test direct hit using postman and browser to the function url an it works fine

Accepted Answer

Thanks for the detailed description. You are getting 403 Forbidden due to the origin request policy AllViewer being used. In this case, when you access the website via CloudFront URL, the Host header similar to d12345678.cloudfront.net will be forwarded to the Lambda which will not be recognized, resulting in 403.

The solution is to create your custom origin request policy and only forward the necessary values (but not the Host header.)

The solution is to create your custom [origin request policy](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-origin-requests.html#origin-request-create-origin-request-policy) and only forward the necessary values (but not the `Host` header.)

Answer

Please check out this blog if you haven't already - https://aws.amazon.com/blogs/networking-and-content-delivery/using-amazon-cloudfront-with-aws-lambda-as-origin-to-accelerate-your-web-applications/

Connecting Cloudfront to Lambda Function Url Always Result in forbidden

Relevant content