Prevent Public Access to Nextjs Lambdas #4483
Comments
Note that in SST 2 this can be easily resolved with this arg which works for both lambdas: https://docs.sst.dev/constructs/NextjsSite#regionalenableserverurliamauth
Thanks! We'll take a look.
@cgcompassion I just released v0.0.534
For now lemme know if this works for you. We will likely add a convenient prop to enable IAM auth if more ppl ask.
Amazing, thank you!!
Okay, this has unblocked the next step. CloudFront needs to be able to access the lambda. We can do that with OAC. See: #4684
@cgcompassion open a new issue?
When deploying a Nextjs construct with SST 3, it creates 2 lambdas (DefaultFunction and ImageOptimizerFunction) that are "public access" (All Principals). These get flagged by the IAM access analyzer as a security risk. We need a way to tell the construct to prevent this.
I have found that I can do this:
This works, but there are two problems with it:
authorization?: Input<"none" | "iam">; however, if I pass it "iam" instead of "AWS_IAM", the AWS deploy fails with an error like: expected authorization_type to be one of ["NONE" "AWS_IAM"], got IAM. The only way I can get it to work is with a //@ts-ignore directive.
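
One way to confirm after a deploy that neither function still carries a public grant, shown as an added example that is not part of the issue or of SST: it parses a Lambda resource policy (the Policy string returned by `aws lambda get-policy`) and lists Allow statements with a wildcard principal. The sample policy, Sids, account ID and distribution ID are constructed placeholders.

```typescript
// Added example (not SST code): list statements in a Lambda resource policy
// that allow a wildcard principal.
type OneOrMany = string | string[];
type Statement = {
  Sid?: string;
  Effect: string;
  Principal?: string | Record<string, OneOrMany>;
  Action: OneOrMany;
  Condition?: Record<string, Record<string, OneOrMany>>;
};
type Finding = { sid: string; actions: string[]; urlAuthType: string | null };

const toList = (v?: OneOrMany): string[] =>
  v === undefined ? [] : Array.isArray(v) ? v : [v];

// "*" and {"AWS": "*"} both mean every principal.
function isWildcardPrincipal(p: Statement["Principal"]): boolean {
  if (p === undefined) return false;
  if (typeof p === "string") return p === "*";
  return toList(p["AWS"]).includes("*");
}

function findPublicStatements(policyJson: string): Finding[] {
  const doc = JSON.parse(policyJson) as { Statement?: Statement | Statement[] };
  const stmts = doc.Statement === undefined ? [] : ([] as Statement[]).concat(doc.Statement);
  return stmts
    .filter((s) => s.Effect === "Allow" && isWildcardPrincipal(s.Principal))
    .map((s) => ({
      sid: s.Sid ?? "(no Sid)",
      actions: toList(s.Action),
      // Function URL grants carry the URL auth type as a condition value.
      urlAuthType: toList(s.Condition?.["StringEquals"]?.["lambda:FunctionUrlAuthType"])[0] ?? null,
    }));
}

// Constructed sample: one public function-URL grant, one CloudFront-scoped grant.
const SAMPLE_POLICY = JSON.stringify({
  Version: "2012-10-17",
  Statement: [
    { Sid: "FunctionURLAllowPublicAccess", Effect: "Allow", Principal: "*",
      Action: "lambda:InvokeFunctionUrl",
      Condition: { StringEquals: { "lambda:FunctionUrlAuthType": "NONE" } } },
    { Sid: "AllowCloudFrontOAC", Effect: "Allow",
      Principal: { Service: "cloudfront.amazonaws.com" }, Action: "lambda:InvokeFunctionUrl",
      Condition: { ArnLike: { "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/EXAMPLE" } } },
  ],
});

console.log(findPublicStatements(SAMPLE_POLICY));
```

An empty result for both DefaultFunction and ImageOptimizerFunction means no wildcard-principal grant remains in their resource policies.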