Lambda aliases and CloudFront: The function ARN must reference a specific function version

Question

I have a Lambda that is working as a CloudFront Origin Request handler when referenced using an ARN that contains the version (e.g. ...:function:MyFunction:123). I've created a PROD alias to version 123 which I would like to use instead.

Using the ...:function:MyFunction:PROD ARN yields the following error

com.amazonaws.services.cloudfront.model.InvalidLambdaFunctionAssociationException:
The function ARN must reference a specific function version. (The ARN
must end with the version number.) ARN: 
...:function:MyFunction:PROD (Service: AmazonCloudFront; Status Code:
400; Error Code: InvalidLambdaFunctionAssociation; Request ID:
d407f350-bc7f-11e9-8498-e7f23762c03e)

Removing the version entirely (i.e. ...:function:MyFunction) which according to the docs should hit latest, using $LATEST or LATEST for the version all fail with the same error.

The documentation that I've found all suggests that this should just work, so I'm not sure what I could have screwed up here. Might it be a problem with permissions on the IAM role I created?

Answer 1

I have to apologize in advance for writing the answer that you were probably not hoping for, but according to AWS, it is unfortunately not currently possible to have CloudFront point to $LATEST or a specific alias of a function when using Labmda@Edge.

According to the official AWS documentation (found under LambdaFunctionARN on https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_LambdaFunctionAssociation.html):

You must specify the ARN of a function version; you can't specify a Lambda alias or $LATEST.

In case the following is an option for you and can also suit your needs, what we usually do at the company I'm a part of (not only the reason discussed in the context of this question) is having both the CloudFront distribution and the Lambda function defined under the same CloudFormation stack (in our case, managed using the Serverless framework). That way, deploying a change for a stack serving a specific environment (e.g production) creates a new version of the Lambda function and updates the CloudFront distribution to be associated with it, automatically. Sharing just in case it can hopefully serve as an alternative solution.