Page
https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html — section "Using auth type NONE" / the example resource-based policy.
Issue
The current page shows a single resource-policy statement granting lambda:InvokeFunctionUrl to Principal: "*" as the example for AuthType=NONE Function URLs. In practice this is insufficient — unsigned calls to the Function URL return:
HTTP/1.1 403 Forbidden
x-amzn-ErrorType: AccessDeniedException
{"Message":"Forbidden. For troubleshooting Function URL authorization issues, see: https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html"}
A second statement granting lambda:InvokeFunction to Principal: "*" (no condition) is also required.
Repro
FN=my-test-function
# Following the current docs example exactly:
aws lambda create-function-url-config \
--function-name $FN --auth-type NONE
aws lambda add-permission \
--function-name $FN \
--statement-id FunctionURLAllowPublicAccess \
--action lambda:InvokeFunctionUrl \
--principal "*" \
--function-url-auth-type NONE
# Unsigned GET → 403 AccessDeniedException, no Lambda invocation visible in CloudWatch:
curl -sv "https://<id>.lambda-url.<region>.on.aws/"The 403 happens at the Function URL authorization layer (no X-Amzn-Trace-Id on the response, no Lambda invocation logged).
Adding the missing statement fixes it immediately:
aws lambda add-permission \
--function-name $FN \
--statement-id FunctionURLAllowPublicAccessInvoke \
--action lambda:InvokeFunction \
--principal "*"After that, the same unsigned curl returns HTTP 200 with X-Amzn-Trace-Id headers — the request reaches the Lambda.
Suggested fix
Update the Using auth type NONE example on urls-auth.html to show both statements, e.g.:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "FunctionURLAllowPublicAccess",
"Effect": "Allow",
"Principal": "*",
"Action": "lambda:InvokeFunctionUrl",
"Resource": "arn:aws:lambda:<region>:<account>:function:<function-name>",
"Condition": {
"StringEquals": {
"lambda:FunctionUrlAuthType": "NONE"
}
}
},
{
"Sid": "FunctionURLAllowPublicAccessInvoke",
"Effect": "Allow",
"Principal": "*",
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:<region>:<account>:function:<function-name>"
}
]
}Corroborating evidence
The Zappa project (Python serverless deployment tool) discovered the same requirement and fixed it in zappa/Zappa#1393 (merged 2025-11-04). Their core deploys both statements with Principal: "*" whenever function_url_enabled: true is set with authorizer: NONE. The PR description explicitly references this page as the source of the original (incomplete) example.
Function URLs deployed via Zappa work; Function URLs deployed by hand following the current docs example consistently 403 until the second statement is added. That's a strong signal the docs example is incomplete in practice even if it ever worked at one point.
Environment
- Region tested:
ap-northeast-1
- Account type: standard (admin role used for setup; unsigned/SigV4 both tested)
- Affects
BUFFERED invoke mode; haven't tested RESPONSE_STREAM.
Page
https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html — section "Using auth type NONE" / the example resource-based policy.
Issue
The current page shows a single resource-policy statement granting
lambda:InvokeFunctionUrltoPrincipal: "*"as the example for AuthType=NONE Function URLs. In practice this is insufficient — unsigned calls to the Function URL return:A second statement granting
lambda:InvokeFunctiontoPrincipal: "*"(no condition) is also required.Repro
The 403 happens at the Function URL authorization layer (no
X-Amzn-Trace-Idon the response, no Lambda invocation logged).Adding the missing statement fixes it immediately:
aws lambda add-permission \ --function-name $FN \ --statement-id FunctionURLAllowPublicAccessInvoke \ --action lambda:InvokeFunction \ --principal "*"After that, the same unsigned
curlreturnsHTTP 200withX-Amzn-Trace-Idheaders — the request reaches the Lambda.Suggested fix
Update the Using auth type NONE example on
urls-auth.htmlto show both statements, e.g.:{ "Version": "2012-10-17", "Statement": [ { "Sid": "FunctionURLAllowPublicAccess", "Effect": "Allow", "Principal": "*", "Action": "lambda:InvokeFunctionUrl", "Resource": "arn:aws:lambda:<region>:<account>:function:<function-name>", "Condition": { "StringEquals": { "lambda:FunctionUrlAuthType": "NONE" } } }, { "Sid": "FunctionURLAllowPublicAccessInvoke", "Effect": "Allow", "Principal": "*", "Action": "lambda:InvokeFunction", "Resource": "arn:aws:lambda:<region>:<account>:function:<function-name>" } ] }Corroborating evidence
The Zappa project (Python serverless deployment tool) discovered the same requirement and fixed it in zappa/Zappa#1393 (merged 2025-11-04). Their core deploys both statements with
Principal: "*"wheneverfunction_url_enabled: trueis set withauthorizer: NONE. The PR description explicitly references this page as the source of the original (incomplete) example.Function URLs deployed via Zappa work; Function URLs deployed by hand following the current docs example consistently 403 until the second statement is added. That's a strong signal the docs example is incomplete in practice even if it ever worked at one point.
Environment
ap-northeast-1BUFFEREDinvoke mode; haven't testedRESPONSE_STREAM.