(aws-cloudfront-origins): FunctionUrlOrigin.withOriginAccessControl does not work cross region

[vespertilian]

Describe the bug

Assuming you have multiple lamba urls in different regions /us /au /eu etc .

  this.distribution.addBehavior(
      // needs to be /us* (not /us/*) to match /us and /us/foo
      `/${mappedRegion}*`,
      FunctionUrlOrigin.withOriginAccessControl(lambdaStack.functionUrl), // this does not work cross region 
      {
        allowedMethods: AllowedMethods.ALLOW_ALL,
        viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
        compress: false,
        originRequestPolicy: OriginRequestPolicy.ALL_VIEWER_EXCEPT_HOST_HEADER,
        cachePolicy: CachePolicy.CACHING_DISABLED,
      }

Cloudformation will error when the functionUrl is from a stack in a different region.
However you can manually set the Lambda url with origin access control.

Regression Issue

• Select this option if this issue appears to be a regression.

Last Known Working CDK Library Version

No response

Expected Behavior

CDK should correctly create FunctionUrlOrigin.withOriginAccessControl as AWS CloudFront supports this

Current Behavior

The CDK will rollback and error

Reproduction Steps

  ... create lambda URL in a separate stack in a different region to where you are deploying cloudfront 
  ... turn on crossRegionReferences

  this.distribution.addBehavior(
      // needs to be /us* (not /us/*) to match /us and /us/foo
      `/${mappedRegion}*`,
      FunctionUrlOrigin.withOriginAccessControl(lambdaStack.functionUrl), // this does not work across region 
      {
        allowedMethods: AllowedMethods.ALLOW_ALL,
        viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
        compress: false,
        originRequestPolicy: OriginRequestPolicy.ALL_VIEWER_EXCEPT_HOST_HEADER,
        cachePolicy: CachePolicy.CACHING_DISABLED,
      }

Possible Solution

Work around: manually create OAC and use a http origin

    // create OAC
    this.oac = new CfnOriginAccessControl(
      this,
      this.id('LambdaFunctionUrlOAC'),
      {
        originAccessControlConfig: {
          name: 'LambdaFunctionUrlOAC',
          originAccessControlOriginType: OriginAccessControlOriginType.LAMBDA,
          signingBehavior: SigningBehavior.ALWAYS,
          signingProtocol: SigningProtocol.SIGV4,
          description: 'OAC for Lambda Function URL',
        },
      }
    );

    // cross region import the lambda url 
    // remove https://
    const urlWithoutProtocol = Fn.select(
      1,
      Fn.split('://', lambdaStack.functionUrl)
    );
    const domainName = Fn.select(0, Fn.split('/', urlWithoutProtocol));

    // create http origin 
    const httpOrigin = new HttpOrigin(domainName, {
      protocolPolicy: OriginProtocolPolicy.HTTPS_ONLY,
      originAccessControlId: this.oac.attrId,
    });

    // add to behaviour
    this.distribution.addBehavior(
      // needs to be /us* (not /us/*) to match /us and /us/foo
      `/${mappedRegion}*`,
      httpOrigin,
      {
        allowedMethods: AllowedMethods.ALLOW_ALL,
        viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
        compress: false,
        originRequestPolicy: OriginRequestPolicy.ALL_VIEWER_EXCEPT_HOST_HEADER,
        cachePolicy: CachePolicy.CACHING_DISABLED,
      }
    );

Additional Information/Context

No response

AWS CDK Library version (aws-cdk-lib)

aws-cdk-lib@2.196.0

AWS CDK CLI version

2.1015.0 (build d50f212)

Node.js Version

22.15.1

OS

Mac

Language

TypeScript

Language Version

No response

Other information

No response

[pahud]

The CDK will rollback and error

Hi @vespertilian

I am currently trying to reproduce this issue and having this error

9:50:47 AM | CREATE_FAILED | AWS::Lambda::Permission | Distribution/Origi...ionOrigin13368AF93
Resource handler returned message: "Functions from 'us-west-2' are not reachable in this region ('us-east-1') (Service
: Lambda, Status Code: 404, Request ID: 69d05fe8-ed31-4aee-8e7b-2aa8950ca17c) (SDK Attempt Count: 1)" (RequestToken: a
d7599e0-c85e-275d-e71a-a0418ce7dcff, HandlerErrorCode: NotFound)

Is this exactly the same error in your case?

[vespertilian]

@pahud Yeah it fails to deploy and ends up in a rolledback state

...tack failed to deploy: UPDATE_ROLLBACK_COMPLETE: Resource handler returned message: "Functions from 'ap-southeast-2' are not reachable in this region ('us-east-1') (Service: Lambda, Status Code: 404, Request ID: 02b6cf17-e969-4ce3-808b-51afb254f9ad) (SDK Attempt Count: 1)" (RequestToken: 7efa2133-d83a-a76c-3017-d0e281f65523, HandlerErrorCode: NotFound)

In this rollback case, I was trying to convert the Lambda URL into one that used IAM. It was an existing stack.

[pahud]

OK @vespertilian let me elaborate on this issue.

Issue Diagram

flowchart TD
    subgraph "us-east-1"
        A[CloudFront Distribution]
        B[Lambda Function A]
        C[CfnPermission A]
        A --> B
        C -->|"✓ Works: Same Region"| B
    end
    
    subgraph "ap-southeast-2"
        D[Lambda Function B]
        E[CfnPermission B]
        A -->|"✗ Fails: Cross-Region Permission"| D
        E -->|"✓ Should be created here"| D
    end

Loading

The issue lies in the fact that when using FunctionUrlOrigin with OAC, the CDK automatically creates the Lambda permissions using CfnPermission. However, when the function is in a different region from the stack where CloudFront is being created, this permission creation fails because CloudFormation can't create resources across regions.

CDK has several potential options to improve this:

1. 1. Early Detection & Error:

// In FunctionUrlOriginWithOAC class
if (Token.isUnresolved(this.functionUrl.functionArn) || 
    this.functionUrl.functionArn.includes(Stack.of(scope).region)) {
  // Same region - proceed as normal
} else {
  throw new Error(
    'Cross-region Lambda Function URLs are not supported by FunctionUrlOrigin.withOriginAccessControl(). ' +
    'For cross-region scenarios, please create the OAC manually and use HttpOrigin. ' +
    'See: https://github.com/aws/aws-cdk/issues/34536'
  );
}

2. Split Permission Creation:

interface FunctionUrlOriginWithOACProps {
  // ...existing props
  createPermissions?: boolean; // Allow opting out of permission creation
}

3. Best Solution - Grant Pattern:

// New method on FunctionUrl class
grantInvokeFromCloudFront(distribution: IDistribution): Grant {
  // Create permission in the function's stack
  return Grant.addToPrincipal({
    grantee: distribution,
    actions: ['lambda:InvokeFunctionUrl'],
    resourceArns: [this.functionArn],
    scope: this,
  });
}

// Usage
const fn = new lambda.Function(stackInRegionB, ...);
const fnUrl = fn.addFunctionUrl();
fnUrl.grantInvokeFromCloudFront(distribution);

The third approach is most aligned with CDK's patterns, as it:

1. Makes the cross-region relationship explicit
2. Creates resources in the correct stack/region
3. Follows established grant patterns like bucket.grantRead()
4. Gives users control over permission management

I hope this clarifies the issue. We welcome PRs and I think option 3 would be a great option for PR here.

[aemada-aws]

potential duplicate of #31462