
CloudFront and Lambda@Edge: Changing from a custom origin to an Amazon S3 origin

0

The AWS documentation shows the example: "Example: Use an origin request trigger to change from a custom origin to an Amazon S3 origin", where 'authMethod': 'origin-access-identity' is used.

I cannot get this to work. I receive the following error: "The Lambda function returned an invalid origin configuration, authentication configuration for S3 is invalid, authMethod should be of string type."

However, in the documentation for "Lambda@Edge event structure", AWS explicitly states: "You can't use an OAI when you change the request from a custom origin to an Amazon S3 origin."

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-event-structure.html#example-origin-request

Hey @AWS, does this example actually work? If not, it should be removed immediately to prevent wasting countless developer hours trying to make it work.

from urllib.parse import parse_qs

def lambda_handler(event, context):
    request = event['Records'][0]['cf']['request']
    '''
    Reads query string to check if S3 origin should be used, and
    if true, sets S3 origin properties
    '''
    params = {k: v[0] for k, v in parse_qs(request['querystring']).items()}
    if params.get('useS3Origin') == 'true':
        s3DomainName = 'amzn-s3-demo-bucket.s3.amazonaws.com'

        # Set S3 origin fields
        request['origin'] = {
            's3': {
                'domainName': s3DomainName,
                'region': '',
                'authMethod': 'origin-access-identity',
                'path': '',
                'customHeaders': {}
            }
        }
        request['headers']['host'] = [{'key': 'host', 'value': s3DomainName}]
    return request
Asked 3 months ago, 126 views
1 Answer
0

There appears to be a contradiction in the AWS documentation regarding changing from a custom origin to an Amazon S3 origin using Lambda@Edge.

The error you're encountering is consistent with the statement in the Lambda@Edge event structure documentation that says "You can't use an OAI when you change the request from a custom origin to an Amazon S3 origin." This restriction means that the example code provided in the documentation that uses 'authMethod': 'origin-access-identity' would not work in this specific scenario.

To resolve this issue, you should modify the example code to use 'authMethod': 'none' instead when changing from a custom origin to an S3 origin. The documentation states that if you're not using an Origin Access Identity (OAI), you should set the authMethod field to 'none'.

Additionally, if you're working with S3 origins, you might want to consider using Origin Access Control (OAC) instead of OAI, as OAC is the recommended approach according to AWS. If using OAC, you would specify an empty OriginAccessIdentity element.

Lambda@Edge is particularly useful for this type of dynamic origin selection, especially when you have highly cacheable content or when your origin update logic requires fetching data from third-party sources.
Sources
Lambda@Edge example functions - Amazon CloudFront
S3OriginConfig - Amazon CloudFront
Lambda@Edge event structure - Amazon CloudFront
Helper methods for origin modification - Amazon CloudFront

Answered 3 months ago
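
The change suggested in the answer, as an added example that is not part of the original posts or of the AWS documentation: the question's handler with 'authMethod': 'none', plus a pre-flight check that encodes only the two rules quoted on this page. The helper names `check_s3_switch` and `sample_event`, the constructed test event and the domain origin.example.com are assumptions made for illustration.

```python
from urllib.parse import parse_qs

S3_DOMAIN = 'amzn-s3-demo-bucket.s3.amazonaws.com'  # placeholder bucket from the question


def check_s3_switch(old_origin, new_s3):
    """Return a list of problems with replacing old_origin by the S3 origin new_s3.

    Hypothetical helper. Encodes only the rules quoted on this page:
    authMethod is 'origin-access-identity' or 'none', and an OAI cannot be
    used when the request is changed from a custom origin to an S3 origin.
    """
    problems = []
    auth = new_s3.get('authMethod')
    if auth not in ('origin-access-identity', 'none'):
        problems.append('authMethod must be "origin-access-identity" or "none"')
    if auth == 'origin-access-identity' and 'custom' in old_origin:
        problems.append('OAI cannot be used when changing custom -> S3')
    return problems


def lambda_handler(event, context):
    request = event['Records'][0]['cf']['request']
    params = {k: v[0] for k, v in parse_qs(request['querystring']).items()}
    if params.get('useS3Origin') != 'true':
        return request  # leave the custom origin untouched

    new_s3 = {
        'domainName': S3_DOMAIN,
        'region': '',
        'authMethod': 'none',  # the answer's suggestion: no OAI on a custom -> S3 switch
        'path': '',
        'customHeaders': {},
    }
    problems = check_s3_switch(request['origin'], new_s3)
    if problems:
        raise ValueError('; '.join(problems))  # fail with a readable message in the logs
    request['origin'] = {'s3': new_s3}
    request['headers']['host'] = [{'key': 'host', 'value': S3_DOMAIN}]
    return request


def sample_event(querystring):
    """Constructed origin-request event with a custom origin (hypothetical domain)."""
    return {'Records': [{'cf': {'request': {
        'uri': '/index.html', 'method': 'GET', 'querystring': querystring,
        'headers': {'host': [{'key': 'host', 'value': 'origin.example.com'}]},
        'origin': {'custom': {'domainName': 'origin.example.com', 'port': 443,
                              'protocol': 'https', 'path': '', 'customHeaders': {}}},
    }}}]}
```

With 'authMethod': 'none', CloudFront does not attach OAI credentials to the S3 request, so the bucket policy has to permit those reads some other way; review that exposure before deploying.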
