Lambda Function URL Behind CloudFront "InvalidSignatureException" only on POST

1

I have a lambda setup with a function URL behind a cloudfront distribution. The Lambda has IAM_AUTH enabled and the cloudfront distribution successfully forwards GET requests to the lambda without any issues. The CF uses an OAC to sign requests to the lambda. I can even send a POST (but with no body) and I get the lambda to reply. Once I include any body content I receive the following error:


{
    "message": "The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details."
}

Relevant behaviour on the CF: (screenshot of the CloudFront configuration, not preserved)

This is true for all methods. I am able to send a DELETE fine, but if I include a body in the request I get the above error.

Braiden
asked a month ago · 257 views
1 Answer
2
Accepted Answer

POST methods requires signing.

As per Restricting access to an AWS Lambda function URL origin

If you use PUT or POST methods with your Lambda function URL, your user must provide a signed payload to CloudFront. Lambda doesn't support unsigned payloads.

AWS
EXPERT
Mike_L
answered a month ago
reviewed a month ago
  • @Mike, thank you for the answer! That will explain what I am seeing. Excuse my misunderstanding, but does that mean the end user needs to sign the payload following sigv4? How does this work with Cloudfront's OAC, what credentials would the end-user use? I was under the impression it would do the signing for us, essentially proxying the request.

  • @Braiden, OAC signs requests to Lambda function URL, just not for POST/PUT requests currently. If you need POST without end-user signing, a possible solution is to sign them using Lambda@Edge as per https://aws.amazon.com/blogs/compute/protecting-an-aws-lambda-function-url-with-amazon-cloudfront-and-lambdaedge/

  • @Mike_L not sure if this is intended but all I had to do, to get this to work was include a "x-Amz-Content-Sha256" header with the hash of the payload in my request. That made it work, with auth still enabled on the lambda URL. Weird but.. nice!

  • Adding the X-Amz-Content-Sha256 also worked for me, but it's really unfortunate that CF isn't able to just add the hash dynamically for you.

    Are there plans for OACs to also support POST/PUT requests?
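The workaround reported in the comments above, worked through as an added example (this is not code from the thread or from AWS): the client computes the lowercase hex SHA-256 of the raw request body and sends it in `x-amz-content-sha256`; CloudFront's OAC then adds the SigV4 signature over a request whose payload hash matches what Lambda recomputes. The distribution hostname is a placeholder, the sample body is constructed, and `content_sha256_matches` is an illustrative check of the same comparison the service performs (a mismatch is exactly the "signature we calculated does not match" error). It also shows why a body-less POST worked without the header: the empty body hashes to a well-known constant.

```python
"""Added example: payload hash for POST/PUT through CloudFront OAC to a
Lambda function URL. Not part of the original re:Post thread."""
import hashlib
import hmac
import json
import urllib.request

# Constructed sample body used for illustration only.
SAMPLE_BODY = json.dumps({"action": "ping"}).encode("utf-8")

# SHA-256 of an empty payload; this is what SigV4 assumes when a request
# carries no body, which is why a body-less POST succeeded in the thread.
EMPTY_PAYLOAD_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def payload_sha256(body: bytes) -> str:
    """Lowercase hex SHA-256 of the exact bytes sent on the wire."""
    return hashlib.sha256(body).hexdigest()


def build_headers(body: bytes, content_type: str = "application/json") -> dict:
    """Headers for a body-bearing request sent via CloudFront.

    The client supplies only the payload hash; the OAC attaches the
    Authorization header with the SigV4 signature itself.
    """
    return {
        "Content-Type": content_type,
        "x-amz-content-sha256": payload_sha256(body),
    }


def content_sha256_matches(headers: dict, body: bytes) -> bool:
    """Illustrative server-side check: does the supplied hash match the body
    actually received? HTTP header names are case-insensitive, so normalise
    them first (the comment above used 'x-Amz-Content-Sha256')."""
    lowered = {k.lower(): v for k, v in headers.items()}
    supplied = lowered.get("x-amz-content-sha256")
    if supplied is None:
        return False
    # Constant-time comparison so a verifier does not leak match length.
    return hmac.compare_digest(supplied, payload_sha256(body))


def post_via_cloudfront(url: str, body: bytes, timeout: float = 10.0) -> int:
    """Send a POST with the payload hash header and return the HTTP status.

    `url` is the CloudFront distribution in front of the function URL.
    """
    req = urllib.request.Request(
        url, data=body, headers=build_headers(body), method="POST"
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Placeholder hostname: replace with your distribution's domain name.
    status = post_via_cloudfront("https://dxxxxxxxxxxxxx.cloudfront.net/", SAMPLE_BODY)
    print("HTTP status:", status)
```

The hash must be computed over the bytes that are actually transmitted; re-serialising JSON after hashing (different key order, whitespace, or encoding) produces the same signature error the question describes.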
