New AWS Lambda URLs - has anyone got the 'secure' version with the AWS_IAM working?

I have a simple function that returns an item of text.

When I set auth to NONE it works fine.

When I set auth to AWS_IAM and create the resource-based policy within the permissions section of AWS Lambda, I set the following:

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "sid8",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxxxxxx:user/xxxxxxxxxx"
      },
      "Action": "lambda:InvokeFunctionUrl",
      "Resource": "arn:aws:lambda:eu-west-1:xxxxxxxxx:function:simpleFunction",
      "Condition": {
        "StringEquals": {
          "lambda:FunctionUrlAuthType": "AWS_IAM"
        }
      }
    }
  ]
}

On this I get a forbidden error.

Every demo / example on the internet uses NONE for auth.

I have also tried adding lambda:InvokeFunctionUrl to the IAM policy of the user for the specified resource, but I am still getting a forbidden error.

Am I missing something or does this aspect of the new function not work?



Solution 1:[1]

The problem is that when you are using IAM_AUTH, you're required to sign your requests with SigV4. Essentially, this is identical to using API Gateway with the IAM_AUTH type.

There are multiple ways of signing requests; you can even use botocore functionality to do so. The easiest would be to use awscurl or Postman. Also check this doc, which confirms this requirement: https://docs.aws.amazon.com/lambda/latest/dg/urls-invocation.html
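Added example of what "sign your requests with SigV4" means for a function URL; this is not code from the question or the answer above. It implements the four SigV4 steps (canonical request, string to sign, derived signing key, Authorization header) with the standard library only, so nothing is hidden behind a client library and nothing touches the network when the module is imported. Assumptions: the function URL, access key and secret key are placeholders, the region is the eu-west-1 from the question, and the service name used in the credential scope for function URLs is "lambda". The `amz_date` parameter exists only so results are reproducible; a real call leaves it unset.

```python
"""SigV4-sign a request to a Lambda function URL whose auth type is AWS_IAM.

Added example for the answer above, not code from the original post. Only the
standard library is used so each signing step is visible. The function URL,
keys and region are placeholders; the service name for function URLs is lambda.
"""
import datetime
import hashlib
import hmac
import os
import urllib.parse
import urllib.request
from typing import Dict, NamedTuple

ALGORITHM = "AWS4-HMAC-SHA256"


class SignedRequest(NamedTuple):
    headers: Dict[str, str]   # lower-cased names, ready to send
    canonical_request: str    # intermediates kept so they can be compared when debugging a 403
    string_to_sign: str
    signature: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_query(query: str) -> str:
    """Parameters sorted by name then value, each RFC 3986 encoded."""
    pairs = urllib.parse.parse_qsl(query, keep_blank_values=True)
    encoded = sorted((urllib.parse.quote(k, safe="-_.~"), urllib.parse.quote(v, safe="-_.~"))
                     for k, v in pairs)
    return "&".join(f"{k}={v}" for k, v in encoded)


def sign_request(method, url, body, access_key, secret_key, region, service,
                 session_token=None, amz_date=None, extra_headers=None) -> SignedRequest:
    """SigV4 (AWS4-HMAC-SHA256) header-based signing of one HTTP request.

    amz_date (e.g. 20220406T120000Z) is a parameter only to make results
    reproducible; pass None for a real call, since AWS rejects timestamps more
    than 15 minutes from its own clock.
    """
    if amz_date is None:
        amz_date = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date_stamp = amz_date[:8]
    parsed = urllib.parse.urlsplit(url)

    # Step 1: canonical request. Header names lower-cased and sorted, values
    # trimmed with internal whitespace runs collapsed, body hashed with SHA-256.
    headers = {"host": parsed.netloc, "x-amz-date": amz_date}
    if session_token:  # temporary (STS/SSO) credentials must also send their token
        headers["x-amz-security-token"] = session_token
    for name, value in (extra_headers or {}).items():
        headers[name.lower()] = " ".join(value.split())
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join([
        method.upper(), urllib.parse.quote(parsed.path or "/", safe="/-_.~"),
        canonical_query(parsed.query), canonical_headers, signed_headers, sha256_hex(body)])

    # Step 2: string to sign binds that request to a date/region/service scope.
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(
        [ALGORITHM, amz_date, scope, sha256_hex(canonical_request.encode("utf-8"))])

    # Step 3: derive the signing key; the long-term secret never signs a request directly.
    k_date = hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = hmac_sha256(k_date, region)
    k_service = hmac_sha256(k_region, service)
    k_signing = hmac_sha256(k_service, "aws4_request")

    # Step 4: signature and Authorization header.
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return SignedRequest(headers, canonical_request, string_to_sign, signature)


def build_function_url_request(url, access_key, secret_key, region, session_token=None,
                               method="GET", body=b"", amz_date=None) -> urllib.request.Request:
    """Signed urllib request for a function URL (service name "lambda")."""
    signed = sign_request(method, url, body, access_key, secret_key, region, "lambda",
                          session_token=session_token, amz_date=amz_date)
    req = urllib.request.Request(url, data=body or None, method=method)
    for name, value in signed.headers.items():
        if name != "host":  # urllib sets Host itself from the URL
            req.add_header(name, value)
    return req


if __name__ == "__main__":
    # Placeholder function URL (the question's region); credentials come from the
    # standard AWS environment variables so nothing is hard-coded here.
    FUNCTION_URL = "https://abcdefghijklmnopqrstuvwxyz012345.lambda-url.eu-west-1.on.aws/"
    req = build_function_url_request(
        FUNCTION_URL, os.environ["AWS_ACCESS_KEY_ID"], os.environ["AWS_SECRET_ACCESS_KEY"],
        "eu-west-1", session_token=os.environ.get("AWS_SESSION_TOKEN"))
    with urllib.request.urlopen(req) as resp:  # a 403 now points at the policy, not at signing
        print(resp.status, resp.read().decode())
```

awscurl and the Postman "AWS Signature" auth type produce exactly these headers, so for day-to-day use they are the simpler choice; the point of spelling it out is that an unsigned GET to an AWS_IAM function URL is always a 403, whatever the resource-based policy says, because there is no principal for the policy to evaluate. If a request is signed and still gets a 403, compare the canonical request your client builds against the one this returns (a mismatched header set, a stale x-amz-date, or temporary credentials sent without x-amz-security-token are the usual culprits) before going back to the policy.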

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 b.b3rn4rd