Function.FunctionUrlConfig generates incorrect policy for aliased function #2373

@aidansteele

Description:

I have created a function that has an alias and URL configuration with the following template:

Transform: AWS::Serverless-2016-10-31

Resources:
  Function:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: ./bootstrap
      Architectures: [arm64]
      Runtime: provided.al2
      Handler: unused
      AutoPublishAlias: live # notice defined alias
      FunctionUrlConfig:
        AuthType: NONE

This is the template after the serverless transformation. Note that the 7th line is incorrectly referencing the function and not the function's alias.

Resources:
  FunctionUrlPublicPermissions:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunctionUrl
      FunctionName:
        Ref: Function # this should be Ref: FunctionAliaslive
      Principal: "*"
      FunctionUrlAuthType: NONE
  FunctionUrl:
    Type: AWS::Lambda::Url
    Properties:
      TargetFunctionArn:
        Ref: FunctionAliaslive
      AuthType: NONE
  Function:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket: stackit-ap-southeast-2-0123465690
        S3Key: urlshenanigans/bootstrap.zip/b15b257b4b1d56015ffb6160f1564d2e
        S3ObjectVersion: ThuT.NfqNqrs7apqjJT7nb9P4ox8TpiT
      Handler: unused
      Role:
        Fn::GetAtt:
          - FunctionRole
          - Arn
      Runtime: provided.al2
      Timeout: 30
      Tags:
        - Key: lambda:createdBy
          Value: SAM
      Architectures:
        - arm64
  FunctionVersionbe0cebe936:
    Type: AWS::Lambda::Version
    DeletionPolicy: Retain
    Properties:
      FunctionName:
        Ref: Function
  FunctionAliaslive:
    Type: AWS::Lambda::Alias
    Properties:
      Name: live
      FunctionName:
        Ref: Function
      FunctionVersion:
        Fn::GetAtt:
          - FunctionVersionbe0cebe936
          - Version
  FunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Tags:
        - Key: lambda:createdBy
          Value: SAM

Observed result:

Accessing the function URL yields a Forbidden error.

Expected result:

Accessing the function URL should be allowed.
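
A check for the mismatch described in this issue, as an added example that is not part of the original report or of SAM's own code: it scans a transformed template for `AWS::Lambda::Url` resources with `AuthType: NONE` and flags those with no `lambda:InvokeFunctionUrl` permission on the same target. The function names, the trimmed dict form of the template, and the comparison by logical ID are assumptions of this example.

```python
import copy

# Constructed sample: the page's transformed template, trimmed to the three
# resources that matter for this check.
TRANSFORMED = {"Resources": {
    "FunctionUrlPublicPermissions": {
        "Type": "AWS::Lambda::Permission",
        "Properties": {"Action": "lambda:InvokeFunctionUrl",
                       "FunctionName": {"Ref": "Function"},
                       "Principal": "*", "FunctionUrlAuthType": "NONE"}},
    "FunctionUrl": {
        "Type": "AWS::Lambda::Url",
        "Properties": {"TargetFunctionArn": {"Ref": "FunctionAliaslive"},
                       "AuthType": "NONE"}},
    "FunctionAliaslive": {
        "Type": "AWS::Lambda::Alias",
        "Properties": {"Name": "live", "FunctionName": {"Ref": "Function"}}},
}}

def ref_target(value):
    """Logical ID behind {"Ref": X} or {"Fn::GetAtt": [X, ...]}; other values as-is."""
    if isinstance(value, dict):
        if "Ref" in value:
            return value["Ref"]
        att = value.get("Fn::GetAtt")
        if att:
            return att.split(".")[0] if isinstance(att, str) else att[0]
    return value

def find_url_permission_mismatches(template):
    """Return (url_id, url_target, permission_targets) for each AuthType NONE
    Function URL with no lambda:InvokeFunctionUrl permission on the same target."""
    resources = template.get("Resources", {})
    props = lambda r: r.get("Properties", {})
    perm_targets = [ref_target(props(r).get("FunctionName"))
                    for r in resources.values()
                    if r.get("Type") == "AWS::Lambda::Permission"
                    and props(r).get("Action") == "lambda:InvokeFunctionUrl"]
    return [(rid, ref_target(props(r).get("TargetFunctionArn")), perm_targets)
            for rid, r in resources.items()
            if r.get("Type") == "AWS::Lambda::Url"
            and props(r).get("AuthType") == "NONE"
            and ref_target(props(r).get("TargetFunctionArn")) not in perm_targets]

# The change the issue asks for: point the permission at the alias.
FIXED = copy.deepcopy(TRANSFORMED)
FIXED["Resources"]["FunctionUrlPublicPermissions"]["Properties"]["FunctionName"] = {"Ref": "FunctionAliaslive"}

if __name__ == "__main__":
    print(find_url_permission_mismatches(TRANSFORMED))
    print(find_url_permission_mismatches(FIXED))
```

The same check can run in CI against the output of the transform, where it also surfaces every Function URL that is intentionally public (`AuthType: NONE` with `Principal: "*"`) for review.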
