15

Hi, I've followed this instruction trying to resize images with CloudFront and Lambda@Edge. When I tried to test the resized image, I kept getting the error message below:

The Lambda function associated with the CloudFront distribution is invalid or doesn't have the required permissions.

So I checked the Lambda functions created by the CloudFormation template provided by the article I mentioned at the beginning, and I found there's no trigger in it.


I've tried to set it manually but getting the error message below:

CloudFront events cannot be associated with $LATEST or Alias. Choose Actions to publish a new version of your function, and then retry association.

I followed the instruction in the error message: I published and added CloudFront as a trigger, but there seems to be no way to apply it. It's still running the one without CloudFront as the trigger.

How can I apply this version as my lambda service?

Is there any way to set CloudFront as the trigger and make this work properly?

Dayo Choul
  • In the CloudFront console, what do you see in the Behaviour tab of your distribution? You can update the ARN of the function there to use the latest version (3) of your Lambda. – Laurent Jalbert Simard May 24 '18 at 15:29
  • @LaurentJalbertSimard It turns out it's the bucket policy issue. I will paste the answer as reply – Dayo Choul May 24 '18 at 16:17
  • Lambda@edge is a steaming POS... Functions are next to impossible to debug and after deploying dozens of edge fns, I've yet to have one _just work_ and it's usually firmly the opposite. I'm currently getting this error. No problems invoking the fn directly. CloudWatch has **zero** log entries even though it's logging my visits in the metrics... – Cory Mawhorter Mar 03 '21 at 20:03

8 Answers

28

For people Googling "The Lambda function associated with the CloudFront distribution is invalid or doesn't have the required permissions":

I got that error and struggled to debug it. It turned out there were some programmatic errors inside my Lambda that I had to resolve. But how do you debug it if, when hitting CloudFront, you keep getting "The Lambda function associated with the CloudFront distribution is invalid or doesn't have the required permissions"? That, and there's nothing inside the CloudWatch logs.

My Lambda was defined in CloudFormation inside an AWS::Lambda::Function's ZipFile attribute. I ended up going to the Lambda service inside AWS and creating a Lambda test payload corresponding to my CloudFront event as documented here: Lambda@Edge Event Structure. Then I could debug the Lambda inside the Lambda console without having to hit CloudFront or navigate to the CloudWatch logs.

dutoitns
14

I see a couple of you guys stating that the root cause of the issue was not a permissions issue but an issue with your code, which is likely the correct root cause. CloudFront tends to use a 403 error for everything; even a basic 404 will show up as a 403 in most cases.

I have also seen some of the comments above stating that you could not find any logs associated with the error in Lambda. I think this is most likely because you guys are looking for the logs in us-east-1 and don't live on the east coast of the USA. The logs will be in your local region, where they are executed. So choose the region closest to where you are sitting and you will likely find the log group there.

Jason Witty
  • Reading this 'because you guys are looking for the logs on us-east-1' and it was a slap-my-forehead moment. This is CloudFront, the logs will be in the region you are closest to. Great advice Jason. – James Roland Feb 06 '22 at 05:26
9

For other people suffering from the poor quality of dev articles from the AWS blog: I found it's due to the wrong S3 bucket policy. The article says:

ImageBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ImageBucket
      PolicyDocument:
        Statement:
            - Action:
                - s3:GetObject
              Effect: Allow
              Principal: "*"
              Resource: !Sub arn:aws:s3:::${ImageBucket}/*
            - Action:
                - s3:PutObject
              Effect: Allow
              Principal:
                AWS: !GetAtt EdgeLambdaRole.Arn
              Resource: !Sub arn:aws:s3:::${ImageBucket}/*
            - Action:
                - s3:GetObject
              Effect: Allow
              Principal:
                AWS: !GetAtt EdgeLambdaRole.Arn
              Resource: !Sub arn:aws:s3:::${ImageBucket}/*

It turns out you have to grant permissions for other actions besides GetObject and PutObject, because it needs to create folders in the bucket. The problem is simply resolved by changing it to s3:*.

Dayo Choul
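Before widening a bucket policy to s3:* it is worth seeing exactly what each statement grants. The following is an added example written for this page, not the answer's or the AWS article's code: a small linter over the statements quoted above, with the CloudFormation intrinsics (!Sub, !GetAtt) replaced by constructed placeholder ARNs. It flags anonymous principals, wildcard actions, and the combination of the two, so the "fixed" s3:* statement shows up as a finding next to the original public-read statement.

```python
"""Lint S3 bucket-policy statements for broad grants (added example)."""

# Constructed placeholders standing in for !Sub arn:aws:s3:::${ImageBucket}
# and !GetAtt EdgeLambdaRole.Arn from the quoted template.
BUCKET_ARN = "arn:aws:s3:::EXAMPLE-IMAGE-BUCKET"
ROLE_ARN = "arn:aws:iam::123456789012:role/EdgeLambdaRole"

# The three statements from the article, as Python dicts.
ORIGINAL_STATEMENTS = [
    {"Action": ["s3:GetObject"], "Effect": "Allow", "Principal": "*",
     "Resource": BUCKET_ARN + "/*"},
    {"Action": ["s3:PutObject"], "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
     "Resource": BUCKET_ARN + "/*"},
    {"Action": ["s3:GetObject"], "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
     "Resource": BUCKET_ARN + "/*"},
]

# The same policy with the answer's fix applied literally: the role gets s3:*.
WILDCARD_STATEMENTS = ORIGINAL_STATEMENTS[:1] + [
    {"Action": ["s3:*"], "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
     "Resource": BUCKET_ARN + "/*"},
]


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Principal.AWS."""
    return value if isinstance(value, list) else [value]


def _is_public(principal):
    """True for Principal: "*" or Principal: {AWS: "*"} (anonymous access)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def lint_bucket_policy(statements):
    """Return (statement index, rule, message) for each risky Allow statement.

    Rules: public-principal (anonymous callers), wildcard-action (s3:* or any
    trailing *), public-write (anonymous callers may mutate objects).
    Deny statements are skipped; only grants are of interest here.
    """
    findings = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resource = st.get("Resource")
        public = _is_public(st.get("Principal"))
        if public:
            findings.append((i, "public-principal",
                             f"anyone may call {', '.join(actions)} on {resource}; "
                             "restrict reads to the CloudFront origin access identity"))
        for action in actions:
            wildcard = action == "*" or action.endswith("*")
            if wildcard:
                findings.append((i, "wildcard-action",
                                 f"{action} on {resource} covers every matching S3 API call; "
                                 "enumerate the actions the function actually needs"))
            if public and (wildcard or action.startswith(("s3:Put", "s3:Delete"))):
                findings.append((i, "public-write",
                                 f"anonymous callers may modify objects via {action}"))
    return findings


def report(statements):
    """Human-readable summary of the findings for one policy."""
    return "\n".join(f"statement {i}: [{rule}] {msg}"
                     for i, rule, msg in lint_bucket_policy(statements)) or "no findings"


if __name__ == "__main__":
    print("original policy:\n" + report(ORIGINAL_STATEMENTS))
    print("\nwith s3:* fix:\n" + report(WILDCARD_STATEMENTS))
```

In S3 a "folder" is just a zero-byte object whose key ends in "/", so the write the answer describes is still s3:PutObject; if the function also has to check whether a resized key already exists, s3:ListBucket on the bucket ARN (not the /* resource) is the usual addition. Listing those actions explicitly, and reading from the bucket only through the distribution's origin access identity, keeps the linter output empty without losing the behaviour the article needs.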
7

For me, the missing CloudFront trigger on the Lambda screen was because I was not in the us-east-1 region.

Philip
  • I had the same issue and I wouldn't figure out in a million years that this could be the cause. Thanks a ton. – artemisian Mar 15 '19 at 15:25
3

I ran into the same error message with no log in CloudWatch. I finally noticed that my Python runtime handler was index.handler while my index.py defined lambda_handler. After changing my Python runtime handler to index.lambda_handler, the error went away. HTH.

Big Pumpkin
2

If you found this answer googling "The Lambda function associated with the CloudFront distribution is invalid or doesn't have the required permissions", this can be caused by your function not being wired correctly from CloudFormation. For example, given the YAML:

Code: ./src/ # or CodeUri ./src/
Handler: foo.bar

Double-check that ./src/foo.js has exports.bar = function...

danludwig
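Three of the answers above come down to the same two checks: dutoitns debugs with a hand-built CloudFront test payload instead of going through the distribution, and Big Pumpkin and danludwig both hit a Handler setting that named a function the module does not export. The block below is an added example, not code from any of the answers: it builds a test event following the documented Lambda@Edge viewer-request structure, resolves a "module.function" Handler string the way the runtime would and turns the mismatch into a plain diagnostic, then checks the returned object against the shape CloudFront accepts (string status, lowercase header names mapping to lists of key/value dicts). The index module and its lambda_handler are constructed inline so the example runs offline; the distribution id and request id are placeholders.

```python
"""Local harness for a Lambda@Edge viewer-request function (added example)."""
import importlib
import sys
import types


def make_viewer_request_event(uri, method="GET", host="d111111abcdef8.cloudfront.net"):
    """Constructed test payload with the Lambda@Edge viewer-request layout:
    Records[0].cf.config describes the trigger, Records[0].cf.request the request."""
    return {
        "Records": [{
            "cf": {
                "config": {
                    "distributionDomainName": host,
                    "distributionId": "EDFDVBD6EXAMPLE",  # placeholder id
                    "eventType": "viewer-request",
                    "requestId": "example-request-id",   # placeholder id
                },
                "request": {
                    "clientIp": "203.0.113.10",
                    "method": method,
                    "uri": uri,
                    "querystring": "",
                    "headers": {"host": [{"key": "Host", "value": host}]},
                },
            }
        }]
    }


def resolve_handler(handler_setting):
    """Resolve a 'module.function' Handler setting like the runtime does.
    Returns (callable, None) on success or (None, diagnostic) on failure."""
    module_name, _, func_name = handler_setting.rpartition(".")
    if not module_name or not func_name:
        return None, f"Handler {handler_setting!r} is not of the form module.function"
    try:
        module = importlib.import_module(module_name)
    except ImportError:
        return None, f"module {module_name!r} not found in the deployment package"
    func = getattr(module, func_name, None)
    if not callable(func):
        return None, (f"module {module_name!r} defines no callable {func_name!r}; "
                      "check the Handler setting against the function name")
    return func, None


def validate_edge_response(resp):
    """Return a list of shape problems; empty means CloudFront would accept it.
    A viewer-request function returns either the request object (pass-through)
    or a generated response with a numeric-string status and headers keyed by
    lowercase name, each value a list of {key, value} dicts."""
    if not isinstance(resp, dict):
        return ["handler must return a dict"]
    problems = []
    if "status" not in resp:
        if "uri" not in resp or "method" not in resp:
            problems.append("returned object is neither a request nor a response")
        return problems
    status = resp["status"]
    if not isinstance(status, str) or not status.isdigit():
        problems.append("status must be a numeric string, e.g. '302'")
    for name, values in resp.get("headers", {}).items():
        if name != name.lower():
            problems.append(f"header key {name!r} must be lowercase")
        if not isinstance(values, list) or not all(
                isinstance(v, dict) and {"key", "value"} <= v.keys() for v in values):
            problems.append(f"header {name!r} must be a list of {{key, value}} dicts")
    return problems


def run_locally(handler_setting, event):
    """Resolve, invoke and validate; report as a dict instead of raising."""
    handler, err = resolve_handler(handler_setting)
    if err:
        return {"ok": False, "error": err, "response": None}
    resp = handler(event, None)  # the constructed handler ignores context
    problems = validate_edge_response(resp)
    return {"ok": not problems, "error": "; ".join(problems), "response": resp}


# Constructed stand-in for the deployed index.py: it defines lambda_handler,
# so a Handler setting of index.handler fails exactly as described above.
def _lambda_handler(event, context):
    request = event["Records"][0]["cf"]["request"]
    if request["uri"].endswith(".png"):
        return {"status": "302", "statusDescription": "Found",
                "headers": {"location": [{"key": "Location",
                                          "value": request["uri"] + "?w=200"}]}}
    return request


_index = types.ModuleType("index")
_index.lambda_handler = _lambda_handler
sys.modules["index"] = _index

if __name__ == "__main__":
    event = make_viewer_request_event("/images/cat.png")
    print(run_locally("index.handler", event)["error"])       # misconfigured Handler
    print(run_locally("index.lambda_handler", event)["ok"])   # correct Handler
```

Running the function this way surfaces both failure classes before the distribution is touched: a wrong Handler value is reported as a missing callable rather than the generic CloudFront 403 page, and a malformed return value (integer status, mixed-case header keys) is reported as a shape problem rather than disappearing with no log entry.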
1

When I changed "Include body" in the Lambda function trigger from "Yes" to "No" it started working.

I had to delete and create CloudFront trigger again to change that setting.

Daniel Kmak
0

Just reading an article from here.

If you create a Lambda in one region and use it with CloudFront (and it is later requested by a user in another edge region), the issue is that the Lambda does not have enough CloudWatch Logs permission.

Check this; all credit goes to the author.

https://dev.to/aws-builders/authorizing-requests-with-lambdaedge-mjm

Immort