(aws-lambda/aws-cloudfront): FunctionUrls cannot be added to cloudfront as a http origin


Describe the bug

Trying to connect a function URL to a CloudFront distribution with an HttpOrigin fails:

Resource handler returned message: "Invalid request provided: The parameter origin name cannot contain a colon.

Expected Behavior

I would expect to be able to add a LambdaFunctionURL to Cloudfront

Current Behavior

Deployment fails

 ❌  LambdaHttp failed: Error: The stack named LambdaHttp failed to deploy: UPDATE_ROLLBACK_COMPLETE: Resource handler returned message: "Invalid request provided: The parameter origin name cannot contain a colon. (Service: CloudFront, Status Code: 400, Request ID: 76dfc5ad-2e21-44db-bfd0-023d08d8a427)" (RequestToken: 925d656b-5ec5-f4fb-e0eb-a37db550d1c1, HandlerErrorCode: InvalidRequest)
    at prepareAndExecuteChangeSet (/home/blacha/tmp/lambda-http/node_modules/aws-cdk/lib/api/deploy-stack.ts:382:13)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at CdkToolkit.deploy (/home/blacha/tmp/lambda-http/node_modules/aws-cdk/lib/cdk-toolkit.ts:209:24)
    at initCommandLine (/home/blacha/tmp/lambda-http/node_modules/aws-cdk/lib/cli.ts:341:12)

 The stack named LambdaHttp failed to deploy: UPDATE_ROLLBACK_COMPLETE: Resource handler returned message: "Invalid request provided: The parameter origin name cannot contain a colon. (Service: CloudFront, Status Code: 400, Request ID: 76dfc5ad-2e21-44db-bfd0-023d08d8a427)" (RequestToken: 925d656b-5ec5-f4fb-e0eb-a37db550d1c1, HandlerErrorCode: InvalidRequest)

Reproduction Steps

Given a lambda and cloudfront distribution, trying to hook them together using a HttpOrigin

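import { CfnOutput } from 'aws-cdk-lib'
import { NodejsFunction } from 'aws-cdk-lib/aws-lambda-nodejs'
import { FunctionUrl, FunctionUrlAuthType } from 'aws-cdk-lib/aws-lambda'
import { Distribution, AllowedMethods, OriginRequestPolicy } from 'aws-cdk-lib/aws-cloudfront'
import * as origins from 'aws-cdk-lib/aws-cloudfront-origins'

// Inside a Stack constructor (`this` is the Stack)
const lambda = new NodejsFunction(this, 'Lambda', { entry: './echo.js', })
const functionUrl = new FunctionUrl(this, 'LambdaFunctionUrl', { function: lambda, authType: FunctionUrlAuthType.NONE, cors: { allowedOrigins: ['*'] } })
const cf = new Distribution(this, 'Cloudfront', {
  defaultBehavior: {
    // Passing the function URL straight to HttpOrigin is what triggers the deployment error above
    origin: new origins.HttpOrigin(functionUrl.url),
    allowedMethods: AllowedMethods.ALLOW_ALL,
    originRequestPolicy: OriginRequestPolicy.ALL_VIEWER
  }
})
new CfnOutput(this, 'CloudfrontUrl', { value: cf.distributionDomainName })
new CfnOutput(this, 'LambdaUrl', { value: functionUrl.url })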

Possible Solution

No response

Additional Information/Context

I am assuming that HttpOrigin is how you would expect to connect these; I couldn't see anything in GitHub/docs about how to connect a function URL to CloudFront.

When creating the function url in the AWS Console then manually connecting them it works fine.

CDK CLI Version

2.21.1 (build a6ee543)

Framework Version

No response

Node.js Version

v16.14.2

OS

Ubuntu 22.04 LTS

Language

Typescript

Language Version

Javascript

Other information

No response

Issue Analytics

  • State:open
  • Created a year ago
  • Reactions:2
  • Comments:6

Top GitHub Comments

huntharo commented, May 2, 2022 (2 reactions)

@blacha - The problem is that Lambda URLs are rejecting requests from CloudFront that have the Host header set to the edge host name and not to the Lambda URL host name.

We were just talking to an AWS PM about this on Friday. Because Lambda URLs use exclusively HTTPS they do not need the Host header for multiplexing of many hosts on single IPs (they will use the SNI for that).

But, currently, including the Host header causes the request to be rejected if it’s not the Lambda URL hostname.

Options:

  • Do not set an Origin Request Policy - In this case either no headers are forwarded at all or the Host header is there but it’s the Lambda URL hostname - the originRequestPolicy is optional in the Distribution - If you just do not specify one then the requests will go through.
  • Do set an Origin Request Policy with allow list - Use an allow list to forward only specific headers, not including the Host header
  • Do set an Origin Request Policy - forward all headers then use an Origin Request header to set the Host header back to request.custom.origin.domainName (IIRC) - This will cause Lambda URL to receive the correct hostname in the header (can confirm this works, it’s a technique I use) - Kind of a lame usage of an origin request lambda…
  • CORS Custom Origin? - This is the option you used… I suspect this works only because it may be not sending the Host header (and possibly no other headers). I tried sending an Origin header with a mismatched Host and could not get it to work, thus my suspicion on what is happening.

Hope this helps. By the way… you can also sign the origin requests using SignatureV4 from CloudFront using an Origin Request Lambda @ Edge Function then enable AWS_IAM auth on your Lambda URLs. I have projects that are using this technique now, which is part of the reason why I ran into the Host header issue (which is similar for API Gateway).
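
Added example (not part of the original thread or of the CDK project): a sketch of the third option above, an origin-request Lambda@Edge handler that sets Host back to the origin's domain name, read from the event's request.origin.custom.domainName field. The type shapes, function names and host names are assumptions made for illustration; the sample event is constructed.

```typescript
// Minimal shapes of a CloudFront origin-request event (only the fields used here).
type CfHeaders = Record<string, { key?: string; value: string }[]>;
interface CfRequest {
  uri: string;
  headers: CfHeaders;
  origin?: { custom?: { domainName: string }; s3?: { domainName: string } };
}
interface CfEvent { Records: { cf: { request: CfRequest } }[] }

// Point Host at the custom origin so a Lambda function URL accepts the request.
function alignHostWithOrigin(request: CfRequest): CfRequest {
  const originHost = request.origin?.custom?.domainName;
  if (!originHost) return request; // not a custom origin: leave untouched
  const viewerHost = request.headers['host']?.[0]?.value;
  if (viewerHost && viewerHost.toLowerCase() !== originHost.toLowerCase()) {
    // Keep the viewer-facing name for the application. It is viewer-supplied
    // input, so the function must not use it for authorization decisions.
    request.headers['x-forwarded-host'] = [{ key: 'X-Forwarded-Host', value: viewerHost }];
  }
  request.headers['host'] = [{ key: 'Host', value: originHost }];
  return request;
}

// Lambda@Edge entry point (export it as `handler` when packaging the function).
const handler = async (event: CfEvent): Promise<CfRequest> =>
  alignHostWithOrigin(event.Records[0].cf.request);

// Constructed sample event: both host names are placeholders.
function sampleEvent(): CfEvent {
  return { Records: [{ cf: { request: {
    uri: '/echo',
    headers: {
      host: [{ key: 'Host', value: 'd111111abcdef8.cloudfront.net' }],
      accept: [{ key: 'Accept', value: '*/*' }],
    },
    origin: { custom: { domainName: 'example-id.lambda-url.us-east-1.on.aws' } },
  } } }] };
}

handler(sampleEvent()).then((req) => console.log(JSON.stringify(req.headers, null, 2)));
```

Requests for non-custom origins pass through unchanged, so the same function can be attached to a distribution that also has S3 behaviors.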

shorn commented, Apr 28, 2022 (1 reaction)

the other slightly weird behaviour was that having a originRequestPolicy: OriginRequestPolicy.ALL_VIEWER caused cloudfront to error and respond {Message: null }

You can use a custom policy like this: example custom request policy
