Conversation

@bruno-espino
Fixes #6198

What this PR changes

  • When sst.aws.Function is configured with url.authorization: "none", SST now adds an explicit resource-based permission:
    • action: "lambda:InvokeFunction"
    • principal: "*"
    • function: <function name>

This matches the AWS console guidance for public Function URLs and fixes existing stacks without requiring a manual policy edit.

Notes / follow-ups

  • The AWS console scopes the InvokeFunction statement with lambda:InvokedViaFunctionUrl=true.
  • This PR adds the minimal required permission via aws.lambda.Permission and includes an inline comment to remove it after we migrate to @pulumi/aws v7 (where Lambda/provider behavior matches the current console policy).

Repro

new sst.aws.Function("Api", {
  handler: "src/lambda.handler",
  url: { authorization: "none" },
});

Deploy and hit the function URL; before this change you'll get a 403.
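As an added example (not part of this PR or the SST code base), the following TypeScript audits a Lambda resource-based policy document for the grant described above: an Allow statement letting principal "*" call lambda:InvokeFunction, and whether every such grant is scoped with the lambda:InvokedViaFunctionUrl condition the AWS console applies. The Bool form of that condition and the sample function ARN are assumptions.

```typescript
// Added example, not code from the SST project: audit a Lambda resource-based
// policy for the public lambda:InvokeFunction grant a Function URL with
// authorization "none" needs, and report whether that grant is scoped to
// Function URL invocations the way the AWS console scopes it.

type Principal = string | { AWS?: string | string[]; Service?: string | string[] };

type Statement = {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Principal: Principal;
  Action: string | string[];
  Resource?: string | string[];
  Condition?: Record<string, Record<string, string | boolean | string[]>>;
};

type PolicyDocument = { Version: string; Statement: Statement[] };

type UrlInvokeAudit = {
  publicInvokeAllowed: boolean; // anonymous callers may invoke the function
  scopedToFunctionUrl: boolean; // every public grant carries the URL-only condition
};

function asArray<T>(v: T | T[] | undefined): T[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

function isAnonymous(p: Principal): boolean {
  return p === "*" || (typeof p === "object" && asArray(p.AWS).includes("*"));
}

function auditFunctionUrlPolicy(policy: PolicyDocument): UrlInvokeAudit {
  let publicGrants = 0;
  let scopedGrants = 0;
  for (const s of policy.Statement) {
    if (s.Effect !== "Allow" || !isAnonymous(s.Principal)) continue;
    const invoke = asArray(s.Action).some((a) => ["lambda:InvokeFunction", "lambda:*", "*"].includes(a));
    if (!invoke) continue;
    publicGrants += 1;
    // Assumption: the console expresses the condition as a Bool condition key.
    const viaUrl = s.Condition?.Bool?.["lambda:InvokedViaFunctionUrl"];
    if (viaUrl === true || viaUrl === "true") scopedGrants += 1;
  }
  return { publicInvokeAllowed: publicGrants > 0, scopedToFunctionUrl: publicGrants > 0 && scopedGrants === publicGrants };
}

// Statement equivalent to the aws.lambda.Permission this PR adds; with
// scopeToUrl it takes the narrower console form. The ARN is a constructed placeholder.
function publicInvokeStatement(functionArn: string, scopeToUrl: boolean): Statement {
  const stmt: Statement = { Effect: "Allow", Principal: "*", Action: "lambda:InvokeFunction", Resource: functionArn };
  if (scopeToUrl) stmt.Condition = { Bool: { "lambda:InvokedViaFunctionUrl": "true" } };
  return stmt;
}

const SAMPLE_ARN = "arn:aws:lambda:us-east-1:123456789012:function:Api"; // constructed sample value
```

Running the audit against the policy a stack actually deploys shows both whether a 403 is expected (no public grant) and whether the grant is broader than the console's URL-scoped statement.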

@jakehewitt
Tested this PR and verified it works

Comment on lines +2518 to +2519
// deployments). This can be removed after migrating to @pulumi/aws v7
// (where Lambda/provider behavior matches the current AWS console policy).

I might not have tested this correctly but I don't think upgrading to @pulumi/aws v7 fixes this automatically. I tested by cloning #6259 and upgrading from v7.12.0 → v7.16.0 (which includes terraform-provider-aws v6.28.0 where hashicorp/terraform-provider-aws#44829 was resolved), but the issue persisted without these changes.

Development

Successfully merging this pull request may close these issues.

Lambda Function URL Permissions not AWS-compliant

2 participants