5

Following this article, I'm trying to serve my static content from multiple regions (under the same domain) within AWS.

So far, I have:

  • uploaded my content into an S3 bucket
  • enabled the "static web hosting" for that bucket
  • and made it public
  • created a distribution in CloudFront with the S3 bucket as the origin
  • created a record set in Route 53 pointing to the distribution

At this point, everything works fine. If I enter the domain name in a browser, I can see the static content. Now it's time to make it multi-regional:

  • created a lambda function as instructed in the article with a role holding the AdministratorAccess policy (out of desperation - once I make it work, I'll carefully design the proper role)
  • linked the lambda function to CloudFront: Event type: origin-request, Include body: No, Path pattern: *
  • edited the CloudFront distribution, adding the header X-DNS-ORIGIN

After applying these steps, I had to wait a minute before they were effective. And once they were effective, I couldn't open the web page anymore. Doing so will lead to this error message:

503 ERROR
The request could not be satisfied.
The Lambda function associated with the CloudFront distribution is invalid or doesn't have the required permissions. 
If you received this error while trying to use an app or access a website, please contact the provider or website owner for assistance. 
If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by following steps in the CloudFront documentation (http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/http-503-service-unavailable.html). 
Generated by cloudfront (CloudFront)

I even enabled CloudFront's logging mechanism. But it was no help either. The logs only show that there was a LambdaExecutionError. But it doesn't say anything useful.

I believe that the lambda function is not called at all since I don't see any logs generated for it in CloudWatch. At this point, I have no idea how I can fix this problem. Any help is appreciated.

[EDIT]

I forgot to mention. The role assigned to the lambda function has the lambda.amazonaws.com and edgelambda.amazonaws.com listed as services in its Trust relationship tab.

Mehran
  • [*"You must create an IAM role that can be assumed by the service principals `lambda.amazonaws.com` and `edgelambda.amazonaws.com`."*](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-edge-permissions.html) Check the trust relationship of the role you created. – Michael - sqlbot Jan 08 '19 at 01:02
  • @Michael-sqlbot Unless I'm doing it wrong, that is already done. I'd forgotten to mention it in the post. Thanks. – Mehran Jan 08 '19 at 01:18

1 Answer

17

It has been several months, but in case someone else runs across this same issue as I did. This article has been helpful: https://hackernoon.com/postcards-from-lambda-the-edge-11a43f215dc1

When your code runs at The Edge, the logging happens in the CloudWatch region of that edge server. The logs might not be where you think they will be.

To find your logs, look for them in the region of the edge server. In my case, CloudWatch > Log Groups > /aws/lambda/us-east-1.lambdafunctionname

cfretty
  • This was my issue. In the web-based AWS Console, you have to look at the toolbar at the top, and specifically switch the Region you are in to the one closest to wherever your request was made from (NOT the one the lambda function was created in!) and the logs will be located there. – EliteMasterEric Jun 21 '20 at 07:00
  • Thank you, thank you, thank you!! Second to this, if you change region, make sure you're in the log groups home section and not trying to access a specific name. That was my problem: I thought it didn't exist, but I had to go to log groups in the sidebar and then find it. – woolm110 Nov 16 '22 at 23:22
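
To check every region at once instead of switching the console region by hand, the following added example (not part of the original answer or comments) uses the AWS CLI to report which regions hold the `/aws/lambda/us-east-1.<function>` log group described above. It assumes configured CLI credentials allowed to call `logs:DescribeLogGroups` and `ec2:DescribeRegions`; the function name in the usage comment is a placeholder.

```bash
#!/usr/bin/env bash
# Added example: locate Lambda@Edge log groups across regions.
# Lambda@Edge replicas write to CloudWatch Logs in the region of the edge
# location that served the request, under /aws/lambda/us-east-1.<function>.

# Build the log group name used for a Lambda@Edge function.
edge_log_group() {
  printf '/aws/lambda/us-east-1.%s\n' "$1"
}

# Print "region<TAB>log-group" for every region that holds logs for the function.
# Regions to search: the remaining arguments, else all regions enabled for the account.
find_edge_logs() {
  local fn="$1"; shift
  local group regions region found
  group="$(edge_log_group "$fn")"
  if [ "$#" -gt 0 ]; then
    regions="$*"
  else
    regions="$(aws ec2 describe-regions --query 'Regions[].RegionName' --output text)"
  fi
  for region in $regions; do
    # A region that is disabled or denies access is skipped, not fatal.
    found="$(aws logs describe-log-groups \
      --region "$region" \
      --log-group-name-prefix "$group" \
      --query 'logGroups[].logGroupName' \
      --output text 2>/dev/null)" || continue
    # With --output text an empty result prints nothing or "None".
    case "$found" in
      ''|None) ;;
      *) printf '%s\t%s\n' "$region" "$found" ;;
    esac
  done
}

# Usage (my-edge-function is a placeholder name):
#   find_edge_logs my-edge-function
#   find_edge_logs my-edge-function us-east-1 eu-west-2
```

An empty result for every region means no replica has written a log line yet, which matches the case in the question where the function fails before it is invoked.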