2 Answers
0
Hello.
Are you accessing the Lambda URL directly?
Are you accessing the CloudFront URL (https://example.cloudfront.net/) instead of the Lambda URL?
Also, is the CloudFront distribution ID set in the Lambda resource-based policy correct?
0
Ok, I found what I missed! The Policy was good BUT the function URL Auth type must be set to "AWS_IAM"! This part was not described in the AWS documentation. Thanks for your help @Riku_Kobayashi
Here is my policy that works:
```
{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "AllowCloudFrontServicePrincipal",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudfront.amazonaws.com"
      },
      "Action": "lambda:InvokeFunctionUrl",
      "Resource": "arn:aws:lambda:region:accountid:function:myFunction",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:cloudfront::accountid:distribution/distribID"
        }
      }
    }
  ]
}
```
answered 14 days ago
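An offline check for the two conditions this answer arrives at (auth type `AWS_IAM`, plus a CloudFront service-principal statement scoped by `AWS:SourceArn`), added here as an example and not part of the original answer or of AWS documentation. The function name `audit_function_url` and both sample policies are constructed for illustration; the ARNs reuse the placeholders from the policy above.

```python
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_function_url(auth_type, policy, distribution_arn):
    """Return findings; an empty list means the setup matches the working one above."""
    findings = []
    if auth_type != "AWS_IAM":
        findings.append(f"function URL auth type is {auth_type}, expected AWS_IAM")
    matched = False
    for st in _as_list(policy.get("Statement", [])):
        actions = _as_list(st.get("Action", []))
        if st.get("Effect") != "Allow" or "lambda:InvokeFunctionUrl" not in actions:
            continue
        sid, principal = st.get("Sid", "<no Sid>"), st.get("Principal")
        if principal == "*":
            findings.append(f"{sid}: any caller may invoke the function URL")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if "cloudfront.amazonaws.com" not in services:
            continue
        # Condition keys are case-insensitive; collect every AWS:SourceArn pattern.
        patterns = [p for op in ("ArnLike", "ArnEquals", "StringEquals")
                    for key, val in st.get("Condition", {}).get(op, {}).items()
                    if key.lower() == "aws:sourcearn" for p in _as_list(val)]
        if not patterns:
            findings.append(f"{sid}: CloudFront principal has no AWS:SourceArn condition")
        elif any(fnmatch.fnmatchcase(distribution_arn, p) for p in patterns):
            matched = True  # fnmatch approximates ArnLike wildcard matching
        else:
            findings.append(f"{sid}: AWS:SourceArn does not cover {distribution_arn}")
    if not matched:
        findings.append("no statement lets this distribution invoke the function URL")
    return findings

# Constructed inputs: the placeholders are the ones used in the policy above.
DIST_ARN = "arn:aws:cloudfront::accountid:distribution/distribID"
CLOUDFRONT_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowCloudFrontServicePrincipal", "Effect": "Allow",
    "Principal": {"Service": "cloudfront.amazonaws.com"},
    "Action": "lambda:InvokeFunctionUrl",
    "Resource": "arn:aws:lambda:region:accountid:function:myFunction",
    "Condition": {"ArnLike": {"AWS:SourceArn": DIST_ARN}}}]}
PUBLIC = {"Statement": [{"Sid": "PublicAccess", "Effect": "Allow", "Principal": "*",
    "Action": "lambda:InvokeFunctionUrl",
    "Resource": "arn:aws:lambda:region:accountid:function:myFunction"}]}

if __name__ == "__main__":
    print(audit_function_url("NONE", CLOUDFRONT_ONLY, DIST_ARN))
```

In practice the two inputs would come from the function URL configuration and the function's resource-based policy exported as JSON.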
I can't access the URL, directly or using the distribution URL. Always the same error: {"Message":"Forbidden"}. On the Lambda resource-based policy, if I add the default public policy, the URL is accessible (directly or using the CloudFront URL).
By the way, is the authentication method for the Lambda function URL set to IAM authentication?
If the authentication method is IAM, you can access it from CloudFront if the following resource-based policy is set for Lambda.
If the authentication method was "NONE", access was not possible without the following resource-based policy.
No, it is not, as the documentation does not ask to configure it. This is the configuration described in the doc:
But I tried to set it, and it doesn't seem to work either. This is my current Lambda Policy (without IAM authentication):
I tried this one but it doesn't work either: