pulumi / pulumi-aws

An Amazon Web Services (AWS) Pulumi resource package, providing multi-language access to AWS
Apache License 2.0

CloudFront KeyValueStore does not expose UUID as an output property #3917

Open anentropic opened 6 months ago

anentropic commented 6 months ago

What happened?

To use a KeyValueStore from within a CloudFront Function you have to instantiate the store by id

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/kvs-with-functions-get-reference.html

e.g.

import cf from 'cloudfront';

const kvsHandle = cf.kvs(kvsId);

Example

(Pulumi python code)

import pulumi_aws as aws

auth_store = aws.cloudfront.KeyValueStore("auth_store")

auth_func = aws.cloudfront.Function(
    "authenticator",
    code=auth_store.id.apply(
        lambda kvs_id:
        """
import cf from 'cloudfront';

const authStore = cf.kvs("%s");

function b64decode(str) {
    return Buffer.from(str, 'base64').toString()
}

async function handler(event) {
    const authHeader = event.request.headers.authorization;
    if (authHeader) {
        const credentials = b64decode(authHeader.value.substring(6)).split(':');
        const expected_password = await authStore.get(credentials[0]);
        if (credentials[1] === expected_password) {
            return event.request;
        }
    }
    return {
        statusCode: 401,
        statusDescription: 'Unauthorized',
        headers: {
            'www-authenticate': {
                value: 'Basic realm="Enter credentials to view the site."',
            },
        },
    }
}
        """ % kvs_id,
    ),
    runtime="cloudfront-js-2.0",
    key_value_store_associations=[auth_store.arn],
)

However when I check the content of the deployed function in AWS console I see:

import cf from 'cloudfront';

const authStore = cf.kvs("auth_store-dbd9956");
...

This is the name of the KV Store rather than its id.

Attempting to use this function results in Error: KVSNamespaceNotFound

Output of pulumi about

CLI
Version      3.115.2
Go Version   go1.22.2
Go Compiler  gc

Plugins
KIND      NAME           VERSION
resource  aws            6.33.1
resource  cloudflare     5.27.0
language  python         unknown
resource  synced-folder  0.11.1

Host
OS       darwin
Version  14.4.1
Arch     arm64

Additional context

It looks like for now I have to parse the ARN to get the id


anentropic commented 6 months ago

trying to use this https://www.pulumi.com/registry/packages/aws/api-docs/getarn/

with auth_store.arn.apply(lambda kvs_arn: ...)

aws.get_arn(kvs_arn).id seems to return the full ARN (the docs don't say what to expect, I guess this is a Pulumi auto id and not part of the ARN)

aws.get_arn(kvs_arn).resource returns key-value-store/15ef662a-7994-4b31-a20f-ab262a535e14

looks like I'm better off with naïve string splitting and grabbing the last segment

anentropic commented 6 months ago

got there in the end with kvs_arn.split("/")[-1]

anentropic commented 6 months ago

> aws.get_arn(kvs_arn).id seems to return the full ARN (the docs don't say what to expect, I guess this is a Pulumi auto id and not part of the ARN)

I guess this may be the root of my issue with the KeyValueStore itself... I was expecting .id to return the AWS id, but this is a Pulumi id (?)

so the problem is that I need to get the AWS id (these docs call it the UUID) but that is not exposed as a property currently

flostadler commented 6 months ago

Thanks for reaching out @anentropic! You're correct that the id output property refers to the Pulumi ID, i.e. the provider assigned unique ID of the resource (see AWS Provider Docs).

As you've noticed, there's no output property for the UUID of the KVS right now and the workaround is to get the last part of the ARN. Adding to your Python example, this is how you'd do it in TypeScript in case others find this issue: kvs_arn.split("/").pop()
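The ARN workaround from this thread with validation added, as an example written for this page (not part of the original comments and not pulumi-aws code): it rejects a store name such as the one that caused KVSNamespaceNotFound and only substitutes a well-formed UUID into the function source. The full ARN layout, the account id in the sample and the `__KVS_ID__` placeholder are assumptions; only the `key-value-store/<uuid>` resource part is shown in the thread.

```python
import json
import re
import uuid

# Assumed ARN layout (the thread only shows the "key-value-store/<uuid>" resource part):
#   arn:<partition>:cloudfront::<12-digit account>:key-value-store/<uuid>
KVS_ARN_RE = re.compile(
    r"arn:aws[a-z-]*:cloudfront::\d{12}:key-value-store/(?P<kvs_id>[^/]+)"
)

# Constructed sample: placeholder account id, UUID as quoted in the thread.
SAMPLE_ARN = (
    "arn:aws:cloudfront::123456789012:"
    "key-value-store/15ef662a-7994-4b31-a20f-ab262a535e14"
)


def kvs_id_from_arn(arn: str) -> str:
    """Return the KeyValueStore UUID from its ARN, or raise ValueError."""
    match = KVS_ARN_RE.fullmatch(arn)
    if match is None:
        # A bare store name such as "auth_store-dbd9956" ends up here.
        raise ValueError(f"not a CloudFront KeyValueStore ARN: {arn!r}")
    candidate = match.group("kvs_id")
    try:
        parsed = uuid.UUID(candidate)
    except ValueError:
        raise ValueError(f"KeyValueStore id is not a UUID: {candidate!r}") from None
    # uuid.UUID also accepts braces and un-hyphenated hex; insist on canonical form.
    if str(parsed) != candidate.lower():
        raise ValueError(f"KeyValueStore id is not in canonical form: {candidate!r}")
    return candidate


def render_function_code(template: str, kvs_arn: str) -> str:
    """Insert the validated UUID into the function source as a quoted JS string.

    "__KVS_ID__" is a hypothetical placeholder chosen for this example.
    """
    return template.replace("__KVS_ID__", json.dumps(kvs_id_from_arn(kvs_arn)))


# Usage inside the Pulumi program from the issue (not executed here):
#   code=auth_store.arn.apply(lambda arn: render_function_code(FUNCTION_SRC, arn))
if __name__ == "__main__":
    print(render_function_code("const authStore = cf.kvs(__KVS_ID__);", SAMPLE_ARN))
```

Failing at deploy time with a ValueError surfaces the name/UUID mix-up during `pulumi up` instead of at request time in the edge function.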

flostadler commented 6 months ago

@anentropic I changed the title to capture the usability problem around the KeyValueStore missing the UUID output property. If others come across this issue, please upvote it to help us prioritize improving this.