The Lambda function returned an invalid request or response to CloudFront

Question

I am attempting to follow the instructions here https://medium.com/@tom.cook/edge-lambda-cloudfront-custom-headers-3d134a2c18a2

I have CloudFront successfully sitting in front of a static S3 "hello world" HTML file, and I want to set additional headers using lambda edge, but I get an error. The really frustrating bit is that I cannot find any logs of the error to debug what is going wrong. Here is what the browser shows.

ERROR

The request could not be satisfied.

The Lambda function returned an invalid request or response to CloudFront. 
Generated by cloudfront (CloudFront)
Request ID: 2Cqex7euzH0Iigps58i9tMVxdqAaLznL2ZjwqR1sW1AZHz6x2EwfMA==

Here is the code for my simple lambda:

exports.handler = (event, context, callback) => {
    console.log(event)
    callback(null, 'Hello from Lambda');
};

The trigger type is viewer-response and is attached to my CloudFront distribution (with Cache Behavior: *, if that matters). The lambda has a role corresponding to AWSLambdaBasicExecutionRole, which gives write access to Cloudwatch.

As soon as I enable the trigger, the response to a web request changes from my "Hello world" HTML to the error above, so I know it is triggering the lambda. But in the lambda dashboard, it shows no invocations or errors. No logs appear in Cloudwatch. The CloudFront dashboard shows errors (5xx), but nothing from lambda.

If I then test my function within the lambda console by clicking to the deployed function, configuring the test event as "CloudFront Modify Response Header," and hitting Test, it is successful. And Cloudwatch shows logs and console output for the test! But still nothing in logs for the live invocation.

My only theory is something wrong with the permissions, that CloudFront cannot actually invoke the lambda (explains why there is nothing in the lambda dashboard). The last thing is that the CloudFront logs (in S3) show the web request with the 502 error and LambdaValidationError, but I cannot figure out if that helps.

Answer 1

There are some common "gotchas" to Lambda@Edge and CloudFront. You need to:

• Publish a new version of you Lambda function
• Update the CloudFront Lambda association to your new version, e.g. arn:aws:lambda:us-east-1:572007530218:function:gofaas-WebAuthFunction:45
• Look for Lambda@Edge logs in the region of the requestor

And as far as I know you can not see metrics about invocations from the "copies" of your main Lambda func distributed around to the "edges".

This is different from "normal" Lambda web console flow of saving a code change and jumping to logs from the monitoring tab.

Take a look at this boilerplate app that automates deploying a Lambda@Edge OAuth and Cookie handler, which takes a lot of the pain of setting this up away.