cdklabs / cdk-nextjs

Deploy Next.js on AWS with CDK
https://constructs.dev/packages/cdk-nextjs
Apache License 2.0

Lambda@Edge -> CloudFront Function for Lambda Function URL IAM_AUTH Signing? #8

Open bestickley opened 2 weeks ago

bestickley commented 2 weeks ago

Lambda@Edge is currently used to sign CloudFront requests before they reach the Lambda Function URL, which has IAM_AUTH enabled, which requires the signing. I'd like to move from Lambda@Edge to CloudFront Functions.

Why? Because Lambda@Edge has higher latency than CloudFront Functions (138ms vs 455ms p99, see here) and Lambda@Edge is annoying to use with cdk destroy because it takes a long time to delete, so stack deletion fails.

Issue: in order to sign POST requests, you must include the request body in the signature, but CloudFront Functions don't allow you to access the body :(. To get around this, we could ask users to patch fetch in the browser to always include an x-amz-content-sha256 hash, which is trivial. This library could even provide the patch function, although it's trivial to implement.

Is asking users to patch fetch in their Next.js apps a big deal?

bestickley commented 2 weeks ago

Another point: CloudFront Lambda Function URL OAC will sign requests for us, but they explicitly don't support signing POST/PUT requests with bodies. So we could have Lambda@Edge conditionally sign the body, but we still pay the latency cost.