Comments (18)
Hi Jesse. I just updated the code and added a "Version" parameter to the CloudFormation (SAM) template. While developing you can use that to force a new (valid) deployment of Lambda@Edge code. This worked for me, can you check if it also works for your workflow?
You can just put any value in the "Version" parameter; every time you want to redeploy the same stack, use a new version. If CloudFormation detects the version to have another value than during the previous stack deployment, it will update the Lambda@Edge functions. This is a bit of a "trick" to help CloudFormation understand something's changed.
from cloudfront-authorization-at-edge.
To be clear, the versioning was working previously. Each time I changed the HTTP headers, for instance, the lambdas would update and the outputs would show the new version. For some reason, however, after my consuming stack updated the CloudFront behaviors with the new versions the lambdas no longer run. I thought my change was bad, but after reverting it and deploying a new version it was still not working. If I make my changes, drop the stack, and redeploy, my changes work fine. I am just trying to avoid having to drop my consuming stack, this stack, and redeploying both every time I need to tweak one of the lambdas. It should be rare, I just don't want it to bite me in the future.
Does that make sense?
Not following your workflow entirely but I suspect your issue will be solved now by the change I mentioned. Can you maybe try deploying again?
sam deploy --template-file packaged.yaml \
--stack-name your-stack-name \
--capabilities CAPABILITY_IAM \
--parameter-overrides [email protected] Version=$(date +%s) \
--region us-east-1
Note the Version parameter, which in this example is filled with a timestamp that makes it different each time, thereby triggering the complete redeployment.
"For some reason, however, after my consuming stack updated the CloudFront behaviors with the new versions the lambdas no longer run."
Can you explain a bit more about the consuming stack? How are the stacks related?
So I had a pre-existing CFN stack that had CloudFront set up with a simple HTTP BasicAuth Lambda. I am migrating to this solution to see how it all works.
I added this parameter to my stack:
AuthAtEdgeStackName:
  Type: String
  Description: The name of the AWS SAM stack that includes the lambdas and cognito setup for auth
  Default: cloudfront-authorization-at-edge
And here is a sample of how I am consuming the lambdas:
DefaultCacheBehavior:
  Compress: true
  ForwardedValues:
    QueryString: true
  LambdaFunctionAssociations:
    - EventType: viewer-request
      LambdaFunctionARN:
        Fn::ImportValue:
          !Sub "${AuthAtEdgeStackName}-CheckAuthHandler"
    - EventType: origin-response
      LambdaFunctionARN:
        Fn::ImportValue:
          !Sub "${AuthAtEdgeStackName}-HttpHeadersHandler"
  TargetOriginId: s3Origin
  ViewerProtocolPolicy: redirect-to-https
I am deleting both stacks now and I will rebase your changes and let you know how it goes. If I run into further issues, I'll pass along more details on error messages, etc.
Upon redeploying, I see the same error I was previously seeing, but after the initial deploy.
503 ERROR
The request could not be satisfied.
The Lambda function associated with the CloudFront distribution is invalid or doesn't have the required permissions. We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.
If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.
Generated by cloudfront (CloudFront)
Request ID: 5j-PiKXdNHNPgPDNJ46GcmPQvR0qm2jPh7VJH9ImcwnOmAe8o6kgPg==
The output shows version 2 for the lambdas: arn:aws:lambda:us-east-1:**********:function:cloudfront-authorization-at-edge-ParseAuthHandler-1L6V711M9NOB7:2
Manually updating the default behavior lambdas to use version 1 resolves it.
It would be great if we can get your scenario to work. Not sure yet what the root cause might be, but 503 may mean the Lambdas are not returning a proper response to CloudFront. Can you take a look at their logs, and check that there are no exceptions being thrown?
The easiest way to find the log (in the right region) is through the CloudFront monitoring dashboard, in case you didn't know.
BTW this example might be of interest to you: reuse-auth-only.yaml
@ottokruse When I previously looked for debug, I didn't see any log streams in CloudWatch, nor did I see invocations in the monitoring of the lambdas.
This new example is nice. My only custom needs would be to have the following be a parameter that defaults to true to preserve your original use case on the UserPool:
AdminCreateUserConfig:
  AllowAdminCreateUserOnly: false
As well as an optional parameter for the email domain that gets used in a PreSignUp LambdaConfig for the UserPool with the following lambda in src/cognito/verify-email:
exports.handler = (event, context, callback) => {
  console.log(event);
  // Split the email address so we can compare domains
  const address = event.request.userAttributes.email.split("@");
  if ("example.com" === address[1]) {
    // Domain matches: let the sign-up proceed
    callback(null, event);
  } else {
    // Any other domain: reject the sign-up with an error
    const error = new Error("Only authorized email addresses may register.");
    callback(error, event);
  }
};
This would enable an optional parameter set to let users self-sign-up if they are using an email address with the whitelisted domain. Finally, another optional parameter would be
AutoVerifiedAttributes:
  - email
Which would require individuals that sign up to verify their email address after signing up.
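An added example (not code from this thread or from the project) of the PreSignUp domain check described in the comment above, generalised to an allow-list of several domains. A Cognito trigger is an ordinary Lambda, so the allow-list can come from an environment variable; the variable name ALLOWED_EMAIL_DOMAINS and the exact-match policy (subdomains must be listed explicitly) are assumptions of this example:

```javascript
"use strict";

// Parse a comma-separated allow-list into lower-cased, trimmed domains.
// ALLOWED_EMAIL_DOMAINS is an assumed variable name for this example.
function parseAllowedDomains(raw) {
  return (raw || "")
    .split(",")
    .map((d) => d.trim().toLowerCase())
    .filter((d) => d.length > 0);
}

// Return the domain part of an e-mail address, or null if the value is not
// a simple "local@domain" string. The split is done on the LAST "@", so the
// domain is always the part after the final "@"; the domain is lower-cased
// so that "Example.COM" and "example.com" compare equal.
function emailDomain(email) {
  if (typeof email !== "string") return null;
  const trimmed = email.trim();
  const at = trimmed.lastIndexOf("@");
  if (at <= 0 || at === trimmed.length - 1) return null;
  const domain = trimmed.slice(at + 1).toLowerCase();
  // Reject a domain part that still contains whitespace or another "@".
  if (/[\s@]/.test(domain)) return null;
  return domain;
}

// Exact-match policy: "sub.example.com" is NOT accepted when only
// "example.com" is on the list, so every permitted domain must be listed.
function isAllowedEmail(email, allowedDomains) {
  const domain = emailDomain(email);
  return domain !== null && allowedDomains.includes(domain);
}

// Cognito PreSignUp trigger. Throwing rejects the sign-up and Cognito shows
// the message to the user, so the message stays generic.
async function handler(event) {
  const allowed = parseAllowedDomains(process.env.ALLOWED_EMAIL_DOMAINS);
  const attrs = (event.request && event.request.userAttributes) || {};
  if (!isAllowedEmail(attrs.email, allowed)) {
    // Log only the domain, not the full address, to keep PII out of the logs.
    console.log("PreSignUp rejected, domain:", emailDomain(attrs.email));
    throw new Error("Only authorized email addresses may register.");
  }
  return event;
}

module.exports = { parseAllowedDomains, emailDomain, isAllowedEmail, handler };
```

With ALLOWED_EMAIL_DOMAINS=example.com,corp.example.org the trigger accepts alice@Example.com and rejects alice@sub.example.com; a missing or malformed email attribute is rejected as well rather than crashing on an undefined value.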
Uncaught exceptions should be visible in the logs. For example, if the Lambda can't read its config that would show in the logs. Can you check? And if you wanna be sure that the Lambdas are returning the right response format to CloudFront, maybe add a console.log to show what is returned too.
Thanks for that info on your use case. A solution might also be to be able to provide a user pool id as parameter. That would allow you to use your own user pool, with your custom config. What do you think?
This time I just deployed your solution without my stack to a new account. I have the same behavior. After I update the cloudformation stack for the first time (literally a noop, just a version bump) I start getting the 503 errors. The only CloudWatch Log Groups I see are the CFN custom resource handlers.
Manually updating the CloudFront Distro to use version 1 of the lambdas still fixes everything.
I will try to reproduce on my side. Can you paste me the exact steps you go through?
sam build --use-container
sam package --output-template-file packaged.yaml --s3-bucket example-bucket-name --region us-east-1
sam deploy --template-file packaged.yaml --stack-name cloudfront-authorization-at-edge --capabilities CAPABILITY_IAM --parameter-overrides AlternateDomainNames=example.org CreateCloudFrontDistribution=true Version=$(date +%s) --region us-east-1
Test and it works
sam deploy --template-file packaged.yaml --stack-name cloudfront-authorization-at-edge --capabilities CAPABILITY_IAM --parameter-overrides AlternateDomainNames=example.org CreateCloudFrontDistribution=true Version=$(date +%s) --region us-east-1
Test and it no longer works
Hi! I was able to reproduce your issue and find out the cause. There was an issue with the node dependency adm-zip that is used for adding configuration to the Lambda functions. I've changed the way that lib is used, to work around the issue, and redeployments work now.
@ottokruse I am sorry for a, maybe, stupid question (I just started learning CloudFormation and SAM), but I don't understand: why pass configuration to edge lambdas as JSON, requiring a wrapper lambda for repackaging, when you could simply pass it using the Environment.Variables property? Thanks in advance for a response.
No worries. Lambda@Edge doesn't support Env Variables. This is explained in the blog (under heading "Using Lambda@Edge functions")