How to grant EdgeFunction permission to S3 bucket (cross-region)

[aprat84]

I'm creating some infrastructure in eu-west-1 region, and EdgeFunction creates the Lambda's in us-east-1 region.

Everything works like a charm, except when I try to grant the function read and write access to the bucket, it crashes with this error and don't know what to do:

Error: Resolution error: Resolution error: Resolution error: Resolution error: Cannot use resource 'cdn/Bucket' in a cross-environment fashion, the resource's physical name must be explicit set or use `PhysicalName.GENERATE_IF_NEEDED`.
Object creation stack:
  at stack traces disabled.
Object creation stack:
  at stack traces disabled..
    at Bucket._enableCrossEnvironment (node_modules/aws-cdk-lib/core/lib/resource.js:1:2296)
    at Object.produce (node_modules/aws-cdk-lib/core/lib/resource.js:1:3962)
    at Reference.resolve (node_modules/aws-cdk-lib/core/lib/resource.js:1:4408)
    at RememberingTokenResolver.resolveToken (node_modules/aws-cdk-lib/core/lib/resolvable.js:1:1238)
    at RememberingTokenResolver.resolveToken (node_modules/aws-cdk-lib/core/lib/private/resolve.js:1:3924)
    at resolve (node_modules/aws-cdk-lib/core/lib/private/resolve.js:1:2510)
    at Object.resolve [as mapToken] (node_modules/aws-cdk-lib/core/lib/private/resolve.js:1:892)
    at TokenizedStringFragments.mapTokens (node_modules/aws-cdk-lib/core/lib/string-fragments.js:1:1365)
    at RememberingTokenResolver.resolveString (node_modules/aws-cdk-lib/core/lib/resolvable.js:4:358)
    at RememberingTokenResolver.resolveString (node_modules/aws-cdk-lib/core/lib/private/resolve.js:1:4000)

My stack (simplified) looks like this:

export class CdnStack extends cdk.Stack {
    public readonly bucket: s3.Bucket;

    constructor(scope: Construct, id: string, props: CdnStackProps) {
        super(scope, id, props);

        this.bucket = new s3.Bucket(this, 'Bucket', {
            accessControl: s3.BucketAccessControl.PRIVATE,
            blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
            encryption: s3.BucketEncryption.S3_MANAGED,
            enforceSSL: true,
            objectOwnership: s3.ObjectOwnership.BUCKET_OWNER_ENFORCED,
            removalPolicy: cdk.RemovalPolicy.RETAIN,
            versioned: true,
        });

        const originResponseFunction = new cloudfront.experimental.EdgeFunction(this, 'OriginResponseFunction', {
            runtime: lambda.Runtime.NODEJS_18_X,
            architecture: lambda.Architecture.X86_64,
            ephemeralStorageSize: cdk.Size.mebibytes(512),
            logRetention: logs.RetentionDays.THREE_YEARS,
            memorySize: 2048,
            timeout: cdk.Duration.seconds(15),
            handler: 'index.handler',
            code: lambda.Code.fromAsset('path/to/code'),
        });

        this.bucket.grantReadWrite(originResponseFunction);

        new cloudfront.Distribution(this, 'Distribution', {
            domainNames: ['cdn.example.com'],
            httpVersion: cloudfront.HttpVersion.HTTP2_AND_3,
            priceClass: cloudfront.PriceClass.PRICE_CLASS_100,
            defaultBehavior: {
                origin: new origins.S3Origin(this.bucket),
                allowedMethods: cloudfront.AllowedMethods.ALLOW_GET_HEAD_OPTIONS,
                viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.HTTPS_ONLY,
                compress: true,
                edgeLambdas: [{
                    functionVersion: originResponseFunction.currentVersion,
                    eventType: cloudfront.LambdaEdgeEventType.ORIGIN_RESPONSE,
                    includeBody: false,
                }],
            },
        });
    }
}

[aprat84]

Looks like it works this way, but it is a little verbose...

this.bucket.addToResourcePolicy(new iam.PolicyStatement({
    effect: iam.Effect.ALLOW,
    actions: ['s3:GetObject', 's3:PutObject'],
    principals: [new iam.ArnPrincipal(originResponseFunction.edgeArn)],
}));

Wrong! It "works" at compile and diff, but crashes on deploy:

Invalid principal in policy (Service: Amazon S3; Status Code: 400; Error Code: MalformedPolicy)

[aprat84]

Another possible solution would be to manually create the Lambda role:

const lambdaRole = new iam.Role(this, 'LambdaExecutionRole', {
    assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
    managedPolicies: [iam.ManagedPolicy.fromAwsManagedPolicyName("service-role/AWSLambdaBasicExecutionRole")],
});

this.bucket.grantReadWrite(lambdaRole);

Wrong! It crashed as it complains of circular dependency between stacks...

Error: 'cdn' depends on 'edge-lambda-stack' ({cdn}.addDependency({edge-lambda-stack})). Adding this dependency ({edge-lambda-stack/OriginResponseFunction/Resource}.addDependency({cdn/LambdaExecutionRole/Resource})) would create a cyclic reference.

I'm running out of ideas...

[lukasrandom]

Are there any updates to this?
We have the very similar issue in our project and could not find a solution since a week.

In general we want to deploy a lambda@edge (us-east-1) which gets read access to an encrypted S3 bucket in another region (like eu-west-2).
Sadly we did not manage to grant the lambdas principal access to the bucket in any way.

The simples code example we tried is posted below:

Error:

Error: Resolution error: Resolution error: Resolution error: Resolution error: Cannot use resource 'MyStack/MyBucket' in a cross-environment fashion, the resource's physical name must be explicit set or use PhysicalName.GENERATE_IF_NEEDED.

Synth and deploy command

npx cdk synth --all --app "ts-node main.ts"

npx cdk deploy --all --app "ts-node main.ts"

Code Example:

import { App, RemovalPolicy, Stack, StackProps } from 'aws-cdk-lib';
import { experimental } from 'aws-cdk-lib/aws-cloudfront';
import { Key } from 'aws-cdk-lib/aws-kms';
import { Architecture, Code, Runtime } from 'aws-cdk-lib/aws-lambda';
import {
    BlockPublicAccess,
    Bucket,
    BucketEncryption,
    ObjectOwnership
} from 'aws-cdk-lib/aws-s3';
import { Construct } from 'constructs';

class MyStack extends Stack {
    constructor(scope: Construct, id: string, props: StackProps) {
        super(scope, id, props);

        const myEdgeFunction = new experimental.EdgeFunction(
            this,
            'myEdgeFunction',
            {
                runtime: Runtime.NODEJS_20_X,
                architecture: Architecture.X86_64,
                handler: 'index.handler',
                code: Code.fromInline(`
                exports.handler = async () => {
                    return {
                        statusCode: 200,
                        body: JSON.stringify({ message: "Version: 1" })
                    };
                };
            `)
            }
        );

        const myKey = new Key(this, 'myKey', {
            enableKeyRotation: true,
            multiRegion: true
        });

        const myBucket = new Bucket(this, 'MyBucket', {
            removalPolicy: RemovalPolicy.DESTROY,
            blockPublicAccess: BlockPublicAccess.BLOCK_ALL,
            versioned: true,
            objectOwnership: ObjectOwnership.BUCKET_OWNER_PREFERRED,
            encryptionKey: myKey,
            encryption: BucketEncryption.KMS,
            autoDeleteObjects: true
        });

        myBucket.grantRead(myEdgeFunction);
    }
}

const app = new App();
const myStack: MyStack = new MyStack(app, 'MyStack', {
    env: { account: '11111', region: 'eu-west-2' }, // region other than us-east-1
    crossRegionReferences: true
});

[aprat84]

The only solution I found is to let CDK generate the bucket name rather than CloudFormation, so this way it can be referenced cross-environment (account/region), I think...

import * as cdk from 'aws-cdk-lib';

this.bucket = new s3.Bucket(this, 'Bucket', {
    bucketName: cdk.PhysicalName.GENERATE_IF_NEEDED,
    // ...
});