Unable to invoke AWS Lambda Function URL from another Lambda function in the same account

I have 2 python lambda functions in the same AWS account. Function 1 has the function url ability enabled, with AWS_IAM authentication enabled. Function 2 is designed to call function 1, using the urllib library. I have set up the following resource policy on Function 1

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "my-custom-id001",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxxxxxxxx:role/service-role/Function-2-role"
      },
      "Action": "lambda:InvokeFunctionUrl",
      "Resource": "arn:aws:lambda:ap-southeast-2:xxxxxxxxxxxx:function:Function-1",
      "Condition": {
        "StringEquals": {
          "lambda:FunctionUrlAuthType": "AWS_IAM"
        }
      }
    }
  ]
}

I would expect this would allow Function 2 to invoke Function 1, but I get a 403 Forbidden when I try from the AWS Console (by using 'test' on Function 2). I know it's not the code at either end, as the invocation works fine when I change the authentication from AWS_IAM to NONE. Where am I going wrong? I've also tried instead to give Function 2 an explicit policy allowing it to invoke the function url of Function 1, with the same result:

Policy on Function 2

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "lambda:InvokeFunctionUrl",
            "Resource": "arn:aws:lambda:ap-southeast-2:xxxxxxxxxxxx:function:Function-1"
        }
    ]
}
JamesMatson asked May 05 '26 16:05


1 Answer

Your configuration is correct and should work in the same and different accounts; the only part that is missing is adding AWS Signature V4 to each request.

If your function URL uses the AWS_IAM auth type, you must sign each HTTP request using AWS Signature Version 4 (SigV4). Tools such as awscurl, Postman, and AWS SigV4 Proxy offer built-in ways to sign your requests with SigV4.

Refer to this documentation https://docs.aws.amazon.com/lambda/latest/dg/urls-invocation.html and choose the suited library for your technology.

vinfinit answered May 08 '26 07:05

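The signing step the answer refers to, as an added example that is not part of the original answer or of AWS's own libraries: a Signature Version 4 signer written with only the Python standard library, so Function 2 can keep using urllib to call Function 1. The service name for Function URLs is "lambda", the region is read from the Function URL host (<id>.lambda-url.<region>.on.aws), and the execution role's temporary credentials are taken from the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN variables the Lambda runtime provides. The FUNCTION_1_URL environment variable and the sample keys, token and body are assumptions for the example.

```python
"""SigV4-sign a request to a Lambda Function URL and send it with urllib (added example)."""
import datetime
import hashlib
import hmac
import json
import os
import urllib.parse
import urllib.request

ALGORITHM = "AWS4-HMAC-SHA256"


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC('AWS4' + secret, date), region), service), 'aws4_request')."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def region_from_function_url(url: str) -> str:
    """Function URL hosts look like <id>.lambda-url.<region>.on.aws; the region is needed in the scope."""
    parts = urllib.parse.urlsplit(url).hostname.split(".")
    if len(parts) >= 3 and parts[1] == "lambda-url":
        return parts[2]
    raise ValueError("not a Lambda Function URL host: " + url)


def sign_request(method, url, body, access_key, secret_key,
                 session_token=None, service="lambda", timestamp=None):
    """Return the signed headers plus the intermediate SigV4 strings (useful when debugging a 403).

    timestamp is an ISO-basic UTC string like 20240101T000000Z; it defaults to now.
    """
    parsed = urllib.parse.urlsplit(url)
    region = region_from_function_url(url)
    amz_date = timestamp or datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date_stamp = amz_date[:8]
    payload_hash = hashlib.sha256(body).hexdigest()

    # Step 1: canonical request. Header names are lowercased and sorted; the body hash binds the payload.
    canonical_uri = urllib.parse.quote(parsed.path or "/", safe="/-_.~")
    query_pairs = sorted(urllib.parse.parse_qsl(parsed.query, keep_blank_values=True))
    canonical_query = "&".join(
        urllib.parse.quote(k, safe="-_.~") + "=" + urllib.parse.quote(v, safe="-_.~")
        for k, v in query_pairs
    )
    headers = {"host": parsed.netloc, "x-amz-date": amz_date}
    if session_token:  # temporary credentials (the Lambda execution role) must also send the token
        headers["x-amz-security-token"] = session_token
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    canonical_request = "\n".join(
        [method, canonical_uri, canonical_query, canonical_headers, signed_headers, payload_hash]
    )

    # Step 2: string to sign, scoped to date/region/service.
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(
        [ALGORITHM, amz_date, scope, hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()]
    )

    # Step 3: signature with the derived key.
    signing_key = derive_signing_key(secret_key, date_stamp, region, service)
    signature = hmac.new(signing_key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

    # Step 4: Authorization header.
    out_headers = dict(headers)
    out_headers["authorization"] = (
        f"{ALGORITHM} Credential={access_key}/{scope}, SignedHeaders={signed_headers}, Signature={signature}"
    )
    return {"headers": out_headers, "canonical_request": canonical_request,
            "string_to_sign": string_to_sign, "signature": signature}


def lambda_handler(event, context):
    """Function 2's handler: POST a JSON body to Function 1's AWS_IAM-protected URL (assumed env var)."""
    url = os.environ["FUNCTION_1_URL"]
    body = json.dumps({"from": "Function-2", "event": event}).encode("utf-8")
    signed = sign_request(
        "POST", url, body,
        os.environ["AWS_ACCESS_KEY_ID"],            # execution role credentials set by the runtime
        os.environ["AWS_SECRET_ACCESS_KEY"],
        session_token=os.environ.get("AWS_SESSION_TOKEN"),
    )
    headers = dict(signed["headers"])
    headers["content-type"] = "application/json"  # unsigned header: not listed in SignedHeaders, so fine to add
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return {"statusCode": resp.status, "body": resp.read().decode("utf-8")}
```

The signed headers, the body and the query string must be sent exactly as they were canonicalized, and the clock must be within the SigV4 validity window, otherwise the URL still returns 403. Signing does not replace the resource-based policy from the question: the caller's role still needs lambda:InvokeFunctionUrl on Function 1, either through that policy or its own identity policy.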