
POST request fails due to Origin Access Control on CloudFront

0

I have (more or less) the following configuration on CloudFront:

  • /api/* goes to Lambda, without caching
  • (*) goes to S3, with caching

GET and DELETE requests to the API work fine over /api/*, but POST fails with a 403 error.

  • CloudFront returns "Error from cloudfront" in the x-cache header and "InvalidSignatureException" in X-Amzn-Errortype

CloudFront is configured with the new Origin Access Control.

I see the new permissions at "Resource-based policy statements"

{
  "ArnLike": {
    "AWS:SourceArn": "arn:aws:cloudfront::123456789:distribution/E3xxxxxxxxSC"
  }
}

If I remove the Origin Access Control and make the Lambda URL public, everything works fine, but that is not the desired behavior. Is this new feature incompatible with POST requests?
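Added example, not part of the original question or its answers: AWS's CloudFront documentation for Lambda function URL origins behind OAC states that for PUT and POST the client must send the SHA-256 of the request body in the x-amz-content-sha256 header, because Lambda does not accept unsigned payloads. The Node.js helper below builds such a request; the function names and the placeholder URL in the usage comment are assumptions made for illustration.

```javascript
// Added example (Node.js): client-side payload hash for POST/PUT through
// CloudFront to an OAC-protected Lambda function URL.
const crypto = require('node:crypto');

const METHODS_WITH_BODY = new Set(['POST', 'PUT']);

// Hex SHA-256 of the exact bytes that will be sent on the wire.
function payloadHash(bytes) {
  return crypto.createHash('sha256').update(bytes).digest('hex');
}

// Build fetch() options. The body is serialized once and the hash is computed
// over those same bytes, so the header and the payload cannot diverge.
function buildRequest(method, body, headers = {}) {
  const verb = method.toUpperCase();
  const init = { method: verb, headers: { ...headers } };
  if (!METHODS_WITH_BODY.has(verb)) return init; // GET/DELETE: no body to hash

  let bytes;
  if (body == null) {
    bytes = Buffer.alloc(0); // an empty body still needs the empty-payload hash
  } else if (Buffer.isBuffer(body)) {
    bytes = body;
  } else if (typeof body === 'string') {
    bytes = Buffer.from(body, 'utf8');
  } else {
    bytes = Buffer.from(JSON.stringify(body), 'utf8');
    init.headers['content-type'] ??= 'application/json';
  }
  init.body = bytes;
  init.headers['x-amz-content-sha256'] = payloadHash(bytes);
  return init;
}

// Usage (placeholder distribution domain):
// await fetch('https://<distribution-domain>/api/items',
//             buildRequest('POST', { name: 'example' }));
```

Any intermediary that re-encodes the body (for example a proxy that reformats JSON) will invalidate the hash, so the header has to be computed at the last point where the bytes are final.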

2 Answers
1
Accepted Answer

There's a similar discussion at https://repost.aws/questions/QUF-r_6HrRRf2MZAdxYGkX7Q/lambda-function-url-using-cloudfront-oac where it seems they got IAM-authenticated calls to a Lambda origin working with OAC to the same point as you have, but the question someone raised about POSTs still not working appears to have been left open.

Someone else might have more insight on this specific situation, but I'd suggest raising a support ticket to AWS in your account, if you have that option. Either support might know of a solution discovered earlier, or if not, the CloudFront and Lambda service teams at AWS certainly would know if a solution exists.

EXPERT
answered 2 years ago
EXPERT
reviewed 10 months ago
0

I have the same issue, and the same open question.

answered a year ago
