Lambda function URLs now require extra permission #13147

@duy9403

Issue description

Message from AWS Health event:

We are reaching out because AWS Lambda is making changes to the Lambda function URL authorization model to improve the security posture of function URLs. Function URLs allow you to easily configure a dedicated HTTP(S) endpoint for your Lambda function. The new authorization model requires your permissions policies to include both lambda:InvokeFunctionUrl and lambda:InvokeFunction actions [1]. Previously, only lambda:InvokeFunctionUrl permissions were required.

Your account in the Region has previously created a function URL. To avoid potential breaking changes to any function URLs we have granted a temporary exception from this authorization model change.

To prevent potential disruption to your function URLs, we ask that you review your function URLs as well as their permissions policies and update them to align with the new authorization model by November 1, 2026.

[...]

[1] https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html

I believe the relevant code is here. Now the Action needs to have 2 permissions instead of 1.

Context

No response
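An added example, not part of the original issue or of the project's code: a small Python check that reads an IAM or Lambda resource policy document and reports principals that are allowed `lambda:InvokeFunctionUrl` but not `lambda:InvokeFunction`, the gap the AWS notice describes. The sample policies, account ID, role name and function name are constructed placeholders, and the check reads only `Effect` and `Action`.

```python
import json
from fnmatch import fnmatchcase

# Both actions the AWS Health notice says a function URL caller must now hold.
REQUIRED = ("lambda:InvokeFunctionUrl", "lambda:InvokeFunction")

def _as_list(value):
    """IAM allows a single string or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _grants(patterns, action):
    """IAM action names are case-insensitive and may contain * and ? wildcards."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def missing_actions(policy):
    """Map each principal that holds only one of the two actions to the one it lacks.

    Simplification: only Allow/Action statements are read; Resource, Condition,
    NotAction and Deny are not evaluated.
    """
    granted = {}
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        # Identity policies carry no Principal element, so use a fixed label.
        who = json.dumps(stmt.get("Principal", "identity-policy"), sort_keys=True)
        have = granted.setdefault(who, set())
        have.update(a for a in REQUIRED if _grants(_as_list(stmt["Action"]), a))
    return {who: [a for a in REQUIRED if a not in have]
            for who, have in granted.items() if have and len(have) < len(REQUIRED)}

# Constructed sample policies; account ID, role and function names are placeholders.
CALLER = {"AWS": "arn:aws:iam::123456789012:role/example-caller"}
FN = "arn:aws:lambda:us-east-1:123456789012:function:example-fn"
OLD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": CALLER, "Resource": FN,
     "Action": "lambda:InvokeFunctionUrl"}]}
NEW_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": CALLER, "Resource": FN,
     "Action": "lambda:InvokeFunctionUrl"},
    {"Effect": "Allow", "Principal": CALLER, "Resource": FN,
     "Action": ["lambda:InvokeFunction"]}]}

if __name__ == "__main__":
    for name, doc in (("old", OLD_POLICY), ("new", NEW_POLICY)):
        print(name, missing_actions(doc))
```

A wildcard such as `lambda:Invoke*` counts as granting both actions, so statements written that way are not reported.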
