fix(cloudfront-origins): grant lambda:InvokeFunction for FunctionUrlOrigin with OAC (Dual Auth) #37315

Closed
syukawa-gh wants to merge 3 commits into aws:main from syukawa-gh:fix/cloudfront-furl-oac-dual-auth-clean

@syukawa-gh
Contributor

FunctionUrlOrigin.withOriginAccessControl now grants both lambda:InvokeFunctionUrl and lambda:InvokeFunction permissions to the CloudFront service principal. This is required by Lambda's Dual Auth model, which will be enforced after November 1, 2026.

Without this fix, CloudFront distributions using OAC with Lambda Function URLs will fail to invoke the function once the Dual Auth enforcement period begins.

Closes #35872

…rigin with OAC (Dual Auth)

FunctionUrlOrigin.withOriginAccessControl now grants both
lambda:InvokeFunctionUrl and lambda:InvokeFunction permissions to the
CloudFront service principal. This is required by Lambda's Dual Auth
model, which will be enforced after November 1, 2026.

Closes aws#35872
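
An added example (not code from this PR or from aws-cdk): a TypeScript check over a synthesized CloudFormation template that reports Lambda functions where the CloudFront service principal holds only one of the two actions named in the description above. The sample templates, logical IDs and helper names are constructed, and `cloudfront.amazonaws.com` as the principal string is an assumption.

```typescript
// Added example: audit a synthesized CloudFormation template (plain JSON).
type Json = { [key: string]: any };

const CLOUDFRONT_PRINCIPAL = "cloudfront.amazonaws.com"; // assumed principal
const REQUIRED_ACTIONS = ["lambda:InvokeFunctionUrl", "lambda:InvokeFunction"];

// Reduce FunctionName (literal, Ref or Fn::GetAtt) to one comparable key.
function functionKey(name: any): string {
  if (typeof name === "string") return name;
  if (name && typeof name.Ref === "string") return name.Ref;
  const getAtt = name ? name["Fn::GetAtt"] : undefined;
  if (Array.isArray(getAtt)) return String(getAtt[0]);
  return JSON.stringify(name);
}

// For every function CloudFront holds a grant on, list the required actions
// that are absent. Functions with no CloudFront grant at all are not reported.
function missingCloudFrontGrants(template: Json): Record<string, string[]> {
  const granted: Record<string, string[]> = {};
  const resources: Json = template.Resources || {};
  for (const id of Object.keys(resources)) {
    const res = resources[id];
    if (res.Type !== "AWS::Lambda::Permission") continue;
    const props: Json = res.Properties || {};
    if (props.Principal !== CLOUDFRONT_PRINCIPAL) continue;
    const key = functionKey(props.FunctionName);
    (granted[key] = granted[key] || []).push(String(props.Action));
  }
  const missing: Record<string, string[]> = {};
  for (const key of Object.keys(granted)) {
    const lacking = REQUIRED_ACTIONS.filter((a) => granted[key].indexOf(a) < 0);
    if (lacking.length > 0) missing[key] = lacking;
  }
  return missing;
}

// Constructed sample (hypothetical logical IDs): only the Function URL grant.
const grant = (action: string): Json => ({
  Type: "AWS::Lambda::Permission",
  Properties: {
    Action: action,
    Principal: CLOUDFRONT_PRINCIPAL,
    FunctionName: { "Fn::GetAtt": ["ApiFn", "Arn"] },
  },
});
const SAMPLE_BEFORE: Json = { Resources: { UrlGrant: grant("lambda:InvokeFunctionUrl") } };
// Constructed sample: the same stack with the second grant present.
const SAMPLE_AFTER: Json = {
  Resources: { ...SAMPLE_BEFORE.Resources, InvokeGrant: grant("lambda:InvokeFunction") },
};
```

Run against the JSON in `cdk.out` after `cdk synth`, a non-empty result names the functions that would stop being invokable through CloudFront once Dual Auth is enforced.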
@aws-cdk-automation aws-cdk-automation requested a review from a team March 23, 2026 03:37
@github-actions github-actions bot added the labels bug (This issue is a bug.), effort/medium (Medium work item – several days of effort), p2, and beginning-contributor ([Pilot] contributed between 0-2 PRs to the CDK) Mar 23, 2026
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

(This review is outdated)

@aws-cdk-automation aws-cdk-automation dismissed their stale review March 23, 2026 08:05

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@syukawa-gh
Contributor Author

/rerun-failed-checks

@aws-cdk-automation aws-cdk-automation added the pr/needs-further-review PR requires additional review from our team specialists due to the scope or complexity of changes. label Mar 23, 2026
@syukawa-gh
Contributor Author

Superseded by new PR - the original accidentally overwrote an existing integ test file (integ.function-url-origin-oac.ts).

@github-actions
Contributor

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 24, 2026
Development

Successfully merging this pull request may close these issues.

cloudfront: FunctionUrlOrigin.withOriginAccessControl does not grant required lambda:InvokeFunction for Dual Auth

3 participants