CloudFront supports OAC for Lambda, except it does not

I've just been bitten by a "supported but not supported" feature from AWS.

CloudFront started supporting access control for Lambda function URLs. They published a news article about how it's going to help everyone securing Lambda functions: https://aws.amazon.com/about-aws/whats-new/2024/04/amazon-cloudfront-oac-lambda-function-url-origins/

What I noticed is that POST requests don't reach the function, only GET and HEAD. I then went with the usual suspects: what's the path pattern, are all HTTP verbs enabled, is the correct OAC added to the origin, is the Lambda permission added to the function, and so on. Everything checked out.

Then I found this article that describes the same problem I faced: https://arpadt.com/articles/function-url-oac

But when I attempted a POST request, it failed with the following error message

Then, of course, the documentation mentions this: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-lambda.html

If you use PUT or POST methods with your Lambda function URL, your user must provide a signed payload to CloudFront. Lambda doesn't support unsigned payloads.

That's business-speak for: request body is not supported.

That's a bummer. Have a Lambda function to provide an API behind CloudFront? OAC is not a solution then as you'll need POST requests with a request body sooner rather than later.

To be honest, after this I don't see any real-life use-case for Lambda OACs. So going back to the secret header.

Originally published on Linkedin.