By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Could not intercept viewer request with lambda edge

0

I am trying to implement OIDC flow for my CDN application, As a starting point wanted to intercept the request to CDN through Lamda Edge Viewer request. Created a Sample Lambda edge function with the following code just to intercept the flow:

exports.handler = async (event, context) => {
    const request = event.Records[0].cf.request;
    const headers = request.headers;

    // Add custom header to request headers
    headers['x-custom-header'] = [{ key: 'X-Custom-Header', value: 'MyCustomValue' }];

    // Return the modified request to CloudFront

	return {
		status: '302',
		statusDescription: 'Found',
		body: 'Redirecting to OIDC provider',
		headers: {
			location: [
				{
					key: 'Location',
					value: `https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=asdsa-0a7d-40d7-bd35-XXX`
				}
			]
		}
	};
};

And attached the roles:

Trusted relation Ship: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "edgelambda.amazonaws.com", "lambda.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] }

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "cloudfront:ListDistributions", "cloudfront:UpdateDistribution", "cloudfront:GetDistributionConfig" ], "Resource": "*", "Effect": "Allow", "Sid": "CloudfrontLambdaRoleCloudFrontPermissions" }, { "Action": [ "s3:PutBucketAcl", "s3:GetBucketAcl" ], "Resource": "arn:aws:s3:::*", "Effect": "Allow", "Sid": "CloudfrontLambdaRoleS3Permissions" }, { "Action": "logs:CreateLogGroup", "Resource": "arn:aws:logs:*:ACCID:*", "Effect": "Allow", "Sid": "CloudfrontLambdaRoleCreateLogGroupPermissions" }, { "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:ACC_ID:log-group:/aws/lambda/*:*", "Effect": "Allow", "Sid": "CloudfrontLambdaRoleLogsStreamLogEventsPermissions" } ] }

**ATTACHED LambdaEdge to CDN AS ** Viewer request Lambda@Edge arn:aws:lambda:us-east-1:ACC_ID:function:oidc-handler:1

But when I access CDN I get following error:

503 ERROR The request could not be satisfied. The Lambda function associated with the CloudFront distribution is invalid or doesn't have the required permissions.

Could you please if I am missing any further steps:

Topics
ServerlessComputeNetworking & Content Delivery
Tags
AWS LambdaAmazon CloudFront
Language
English
Govula Srinivas
asked 9 months ago351 views
1 Answer
0

Hi, you should initially try with AWSLambdaBasicExecutionRole.

See https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSLambdaBasicExecutionRole.html for its detailled JSON policy document.

When this works, you can move from there by extending this basic role to match your specific requriements.

Best,

Didier

profile pictureAWS
EXPERT
Didier_Durand
answered 9 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content