CloudFront does not seem to invoke lambda@edge function

0

I have a CloudFront distribution. The origin is an S3 object that uses OAI.

I have created a lambda@edge function following directions from https://aws.amazon.com/blogs/compute/implementing-default-directory-indexes-in-amazon-s3-backed-amazon-cloudfront-origins-using-lambdaedge/

Basically, I want the lambda@edge function to redirect URLs ending in / to /index.html, acting like Apache DirectoryIndex.

The CloudFront distribution works for URLs without the redirect requirement. But CloudFront does not seem to invoke my lambda@edge function.

I have ensured there is a correct association between the CloudFront distribution and the lambda@edge function version.

I made several test requests:

    curl -I https://www.sudheer.net/blog/
    HTTP/2 403 
    content-type: application/xml
    date: Sat, 19 Feb 2022 14:35:38 GMT
    server: AmazonS3
    x-cache: Error from cloudfront
    via: 1.1 5d840d432727e3561fd1a3de915212ca.cloudfront.net (CloudFront)
    x-amz-cf-pop: EWR53-C2
    x-amz-cf-id: leub-Kgu4Bh9xH4Rn5o7bxs62B1NBO4ViEu6hv-_xtGG7DSQlBFEXw=

I get 403. I did not find any lambda@edge logs in any region.

What could be the issue? How do I go about finding it?

asked 2 years ago, 1173 views
2 Answers
0

A 403 error is a permissions issue. Check if the IAM role attached to your Lambda@Edge function can be assumed by the service principals lambda.amazonaws.com and edgelambda.amazonaws.com. Here's the documentation for details: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-edge-permissions.html#lambda-edge-permissions-function-execution

joahna
answered 2 years ago
  • The Lambda@Edge function has the principals:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "",
                "Effect": "Allow",
                "Principal": {
                    "Service": [
                        "edgelambda.amazonaws.com",
                        "lambda.amazonaws.com"
                    ]
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
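
The trust-policy check suggested in the answer above can be scripted. This is an added example, not code from the thread or from AWS; the function name `missing_edge_principals` and the second sample policy are constructed for illustration, and the policy is read from an inline string rather than fetched from IAM.

```python
import json

# Service principals that must be able to assume a Lambda@Edge execution role.
REQUIRED = {"lambda.amazonaws.com", "edgelambda.amazonaws.com"}
ASSUME = {"sts:assumerole", "sts:*", "*"}  # IAM action names are case-insensitive


def _as_list(value):
    """IAM accepts a single string or object wherever a list is allowed."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def missing_edge_principals(trust_policy):
    """Return the required service principals the trust policy does not allow.

    Condition blocks and partial wildcards such as sts:Assume* are not
    evaluated; a conditional Allow is counted as allowed.
    """
    doc = json.loads(trust_policy) if isinstance(trust_policy, str) else trust_policy
    allowed, denied = set(), set()
    for stmt in _as_list(doc.get("Statement")):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        principal = stmt.get("Principal")
        if not (actions & ASSUME) or not isinstance(principal, dict):
            continue
        services = set(_as_list(principal.get("Service")))
        if stmt.get("Effect") == "Allow":
            allowed |= services
        elif stmt.get("Effect") == "Deny":
            denied |= services  # an explicit Deny overrides any Allow
    return REQUIRED - (allowed - denied)


# Trust policy as posted in the comment above.
PAGE_POLICY = """{"Version": "2012-10-17", "Statement": [{"Sid": "",
  "Effect": "Allow",
  "Principal": {"Service": ["edgelambda.amazonaws.com", "lambda.amazonaws.com"]},
  "Action": "sts:AssumeRole"}]}"""

# Constructed sample: a plain Lambda role that lacks the edge principal.
LAMBDA_ONLY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
    "Action": ["sts:AssumeRole"]}}

if __name__ == "__main__":
    for name, policy in (("page policy", PAGE_POLICY), ("lambda only", LAMBDA_ONLY)):
        print(name, "missing:", sorted(missing_edge_principals(policy)) or "none")
```
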
    
0

Greetings,

I see that you are having issues with CloudFront not invoking your Lambda@Edge function. It is important to note the HTTP 403 error you are getting, which indicates a permissions error.

You stated that the CloudFront distribution works correctly when your Lambda@Edge is not called, which indicates that this 403 error is a result of misconfigured IAM permissions of the Lambda@Edge function.

It appears from your response that your Trust Policy for the Lambda@Edge function is correctly configured, which leaves the execution role you specified upon creation of the Lambda@Edge function.

You should select "Create a new role from AWS policy templates", and then select "Basic Lambda@Edge permissions (for CloudFront trigger)" Policy template to correctly configure the IAM permissions for the Lambda@Edge function.

Hope this helps!

For reference: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-edge-permissions.html

Ben
answered 8 months ago
