Attach cross account Lambda to CloudFront - amazon-cloudfront

I am trying to attach a Lambda function in another AWS account to CloudFront on the origin response, but I get the error below.
The CloudFront distribution under account <lambda_account> cannot be associated with a Lambda function under a different account: <cloudfront_account>. Function: arn:aws:lambda:us-east-1:<lambda_account>:function:test_edge_lambda:1
Is there any workaround to achieve this?

Related

Terraform cloudfront permission to assign Lambda@edge

I have come across this issue while trying to create a CloudFront distribution that uses a Lambda@Edge for Cognito login.
I create the aws_cloudfront_distribution resource with the Lambda configured; as expected, the Lambda gets created first so the CloudFront module can use the Lambda ARN.
Now for the issue I'm facing.
Terraform throws an error saying the AWS CloudFront principal does not have the Lambda permission to "get lambda", which is correct.
I decided to copy a module I have from another project, but the aws_lambda_permission resource needs the ARN from the CloudFront distribution for the "source_arn".
So far I'm stuck in a loop: CloudFront needs the lambda_permission to assign the function, and the lambda_permission needs the CloudFront ARN to be created.
How can I get around this issue?
Is there another way of doing it?
If code is needed I can upload it.
Tried hardcoding values that are not defined by AWS.

AWS Lambda (NodeJS) > AWS Neptune = 403

Currently attempting to connect to Neptune via a NodeJS Lambda.
The code works up to the point of getUrlAndHeaders in both libraries, and I am getting a response back and a connection is created; however, on attempting to insert/select, I get the 403.
There is a policy attached to the execution role, either "neptune-db:*" or "neptune-db:connect", but neither works.
All the same subnets are being used as a temporary measure.
The docs mention Neptune lives in EC2 instances, but I am not seeing any reference to them.
Confirmed that there are policies attached to said execution role for ec2: CreateNetworkInterface, DescribeNetworkInterface, DeleteNetworkInterface.
What am I missing? I am working on testing other things in the process, but not gaining any traction.
Documentation:
AWS Neptune - IAM Auth Policy
AWS Neptune - Temp Credentials
Code being used/modeled after:
AWS Lambda Examples
gremlin-aws-sigv4
In Progress:
AWSLambdaVPCAccessExecutionRole - SF
@aws-sdk/client-neptune - NPM

AWS Lambda behind VPC times out when communicating with S3 even with endpoint

I have a lambda behind a VPC. When I try to get an S3 object, I get a "connect ETIMEDOUT" error. I set up an Endpoint and still have this problem.
I'm able to get the object if I remove the VPC so I know the VPC is the issue and not permissions.
I had already set up an Internet Gateway to communicate with the outside world (and I've confirmed that that works). Following Stack Overflow and these instructions (https://aws.amazon.com/blogs/aws/new-vpc-endpoint-for-amazon-s3/), I created an Endpoint to Service "com.amazonaws.us-east-1.s3" with "Full Access" and associated it with the Route Table I had created to get outside-world access.
Screenshot of VPC Gateway Endpoint created
The VPC, the lambda and the S3 are all in the same region. (Lambda and S3 are created via SAM.)
I initially had default AWS and S3 objects. I've tried setting the region for both with no luck.
    const AWS = require('aws-sdk'); // aws-sdk v2, as used by the snippet
    AWS.config.update({ region: 'us-east-1' });
    const s3 = new AWS.S3({ region: 'us-east-1' });
    // srcBucket and srcKey are defined elsewhere in the handler; this runs inside an async function
    const s3FileParams = {
      Bucket: srcBucket,
      Key: srcKey,
    };
    const resp = await s3.getObject(s3FileParams).promise();
I also tried explicitly setting the s3 endpoint as s3 = new AWS.S3({ endpoint: 'https://s3.us-east-1.amazonaws.com' });
Let me know any other information I can provide and thanks in advance.
Requirements for using an S3 Gateway Endpoint:
1. Ensure that the endpoint policy allows the appropriate access to S3. This is required in addition to the Lambda's IAM permissions.
2. Add an entry to the route table(s) used by any subnets needing to use the gateway.
3. Ensure that the Lambda's security group allows outgoing HTTPS traffic to either the internet (0.0.0.0/0) or to the prefix list ID (pl-xxxxxxx) for S3 in your region.
4. You must enable DNS resolution in your VPC. Enable the enableDnsHostnames and enableDnsSupport attributes on the VPC.
5. The S3 buckets being accessed must be in the same region as the VPC.
The answer was item 3 in Greg's list above. I switched to a new security group that (for now) allowed all traffic to anything in the outbound rules and that solved my problem.
(Now that I know there's a path forward, I can experiment with better outbound rules.)
Thanks to all! (And to the original folk who posted about VPC endpoints in other questions.)
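The five-item checklist in the answer above, turned into a script that evaluates each item against dicts shaped like the EC2 DescribeRouteTables, DescribeSecurityGroups and DescribeVpcAttribute responses. This is an added example, not code from the thread; the sample data is constructed, the resource IDs are placeholders, and the field names follow the EC2 API response shapes.

```python
import json
def policy_allows_s3(policy_json):
    """Item 1: the endpoint policy needs an Allow statement that covers S3."""
    for s in json.loads(policy_json)["Statement"]:
        acts = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        if s["Effect"] == "Allow" and any(a in ("*", "s3:*", "s3:GetObject") for a in acts):
            return True
    return False

def subnet_routes_to(route_tables, subnet_id, vpce_id):
    """Item 2: the subnet's route table must carry a route targeting the endpoint."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            return any(r.get("GatewayId") == vpce_id for r in rt["Routes"])
    return False  # subnet not associated with any listed table

def egress_allows_https(sg, s3_pl_id):
    """Item 3: an egress rule must permit TCP/443 to 0.0.0.0/0 or the S3 prefix list."""
    for p in sg["IpPermissionsEgress"]:
        port_ok = p["IpProtocol"] == "-1" or (p["IpProtocol"] == "tcp"
                  and p.get("FromPort", 0) <= 443 <= p.get("ToPort", 0))
        dst_ok = (any(r["CidrIp"] == "0.0.0.0/0" for r in p.get("IpRanges", []))
                  or any(x["PrefixListId"] == s3_pl_id for x in p.get("PrefixListIds", [])))
        if port_ok and dst_ok:
            return True
    return False

def check_all(policy_json, route_tables, subnet_id, vpce_id, sg, s3_pl_id,
              dns_support, dns_hostnames, vpc_region, bucket_region):
    """Items 1-5 as a dict; any False entry is a candidate cause of connect ETIMEDOUT."""
    return {"policy": policy_allows_s3(policy_json),
            "route": subnet_routes_to(route_tables, subnet_id, vpce_id),
            "egress": egress_allows_https(sg, s3_pl_id),
            "dns": dns_support and dns_hostnames,       # item 4: both VPC attributes on
            "region": vpc_region == bucket_region}      # item 5

# Constructed sample data (placeholder IDs): everything is right except SG_BAD, which
# only allows egress on port 80, the kind of rule the accepted answer replaced.
POLICY = json.dumps({"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})
ROUTE_TABLES = [{"Associations": [{"SubnetId": "subnet-lambda"}],
                 "Routes": [{"DestinationPrefixListId": "pl-s3", "GatewayId": "vpce-s3"}]}]
SG_BAD = {"IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                                   "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
SG_GOOD = {"IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                    "PrefixListIds": [{"PrefixListId": "pl-s3"}]}]}

def report(sg):
    """Run the checklist for the sample VPC with the given Lambda security group."""
    return check_all(POLICY, ROUTE_TABLES, "subnet-lambda", "vpce-s3", sg, "pl-s3",
                     True, True, "us-east-1", "us-east-1")
```

With real data, feed the script the output of `aws ec2 describe-route-tables`, `describe-security-groups` and `describe-vpc-attribute`; a single False entry points at the item to fix.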

Is it possible to create a stack in my AWS account and have resources like (ec2, vpc, rds) created in a client AWS account?

I have written an AWS Lambda Node.js function for creating a stack in CloudFormation, using a CloudFormation template and input parameters given from the UI.
When I run my Lambda function with the respective inputs, a stack is successfully created and instances like (ec2, rds, vpc, etc.) are also created and working perfectly.
Now I want to make this function public and use it with the user's AWS credentials.
So when a public user uses my function with his AWS credentials, those resources should be created in his account, and the user doesn't want to see my template code.
How can I achieve this?
You can leverage the AWS Cloud Development Kit better than directly using CloudFormation for this purpose. Although CDK may not be directly used within Lambda, a workaround is mentioned here.
AWS CloudFormation will create resources in the AWS Account that is associated with the credentials used to create the stack.
The person who creates the stack will need to provide (upload) a template file or they can reference a template that is stored in Amazon S3, which is accessible to their credentials (meaning that it is either public, or their credentials have been given permission to access the template in S3).

Retrieve a file from browser using API Gateway, AWS Lambda and S3

The setup uses S3 as storage, API Gateway for the REST endpoint and Lambda (Python) for the get/fetch of a file in S3.
I'm using Boto3 for the Lambda function (Python) to check if the file exists in S3, and I was able to download it, but it is being stored on the Lambda machine ("/tmp"). The API Gateway can already trigger the Lambda function. Is there a way that once the Lambda function is triggered, the download will happen in the browser?
Thanks!
Here is how we did it:
Check and Redirect:
API Gateway --> Lambda (return 302)
Deliver Content:
CloudFront --> S3
Check for S3 existence with Lambda returning a 302 to CloudFront. You can also return a signed URL from Lambda with a validity time to access the URL from CloudFront.
Hope it helps.
