Skip to content

Instantly share code, notes, and snippets.

@zmunk

zmunk/aws-lambda-access-denied.md

Last active January 27, 2026 09:11
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save zmunk/c71167d6e2380dff622df9615c75cca0 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save zmunk/c71167d6e2380dff622df9615c75cca0 to your computer and use it in GitHub Desktop.
Download ZIP
Getting AccessDenied when querying Lambda URL
Raw
aws-lambda-access-denied.md

Issue

Created a lambda function with cargo-lambda. But when I query the lambda URL, it returns AccessDeniedException.

Setup

cargo install cargo-lambda
cargo lambda new --http example-rust
(
    cd example-rust
    cargo lambda build --release
    cargo lambda deploy --enable-function-url
)

Issue context

Command:

curl -i https://....lambda-url.us-east-1.on.aws/

Response:

HTTP/1.1 403 Forbidden
Date: Tue, 27 Jan 2026 07:50:05 GMT
Content-Type: application/json
Content-Length: 144
Connection: keep-alive
x-amzn-RequestId: db3e46bd-6cb1-415f-9467-9c4d41e173d7
x-amzn-ErrorType: AccessDeniedException

{"Message":"Forbidden. For troubleshooting Function URL authorization issues, see: https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html"}%

Lambda function policy:

aws lambda get-policy --function-name example-rust | nu 'from json | get Policy' | jq

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "FunctionURLAllowPublicAccess",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "lambda:InvokeFunctionUrl",
      "Resource": "arn:aws:lambda:us-east-1:...:function:example-rust",
      "Condition": {
        "StringEquals": {
          "lambda:FunctionUrlAuthType": "NONE"
        }
      }
    }
  ]
}

Lambda URL config:

aws lambda get-function-url-config --function-name example-rust

{
    "FunctionUrl": "https://....lambda-url.us-east-1.on.aws/",
    "FunctionArn": "arn:aws:lambda:us-east-1:...:function:example-rust",
    "AuthType": "NONE",
    "CreationTime": "2026-01-27T07:24:58.691844670Z",
    "LastModifiedTime": "2026-01-27T07:24:58.691844670Z",
    "InvokeMode": "BUFFERED"
}

Solution

The function needs two permissions:

  • lambda:InvokeFunctionUrl
  • lambda:InvokeFunction

https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html#urls-auth-none

Add lambda:InvokeFunction:

aws lambda add-permission \
  --function-name example-rust \
  --statement-id FunctionURLInvokeAllowPublicAccess \
  --action lambda:InvokeFunction \
  --principal "*" \
  --invoked-via-function-url

The policy should look like:

aws lambda get-policy --function-name example-rust | nu 'from json | get Policy' | jq

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "FunctionUrlAllowPublicAccess-8158e595-50b9-4773-9bf0-3bb52811e56d",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "lambda:InvokeFunctionUrl",
      "Resource": "arn:aws:lambda:us-east-1:...:function:example-rust",
      "Condition": {
        "StringEquals": {
          "lambda:FunctionUrlAuthType": "NONE"
        }
      }
    },
    {
      "Sid": "FunctionURLInvokeAllowPublicAccess",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:...:function:example-rust",
      "Condition": {
        "Bool": {
          "lambda:InvokedViaFunctionUrl": "true"
        }
      }
    }
  ]
}

Try querying url:

curl https://....lambda-url.us-east-1.on.aws/

Output:

Hello world, this is an AWS Lambda HTTP request
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment