Restrictions on CloudFront Functions - Amazon CloudFront

Restrictions on CloudFront Functions

The following restrictions apply only to CloudFront Functions.

For information about quotas (formerly referred to as limits), see Quotas on CloudFront Functions.

Logs

Function logs in CloudFront Functions are truncated at 10 KB.

Request body

CloudFront Functions can't access the body of the HTTP request.

Using temporary credentials with the CloudFront KeyValueStore API

You can use AWS Security Token Service (AWS STS) to generate temporary security credentials (also known as session tokens). Session tokens allow you to temporarily assume an AWS Identity and Access Management (IAM) role so that you can access AWS services.

To call the CloudFront KeyValueStore API, use a Regional endpoint in AWS STS to return a version 2 session token. If you use the global endpoint for AWS STS (sts.amazonaws.com), AWS STS will generate a version 1 session token, which isn't supported by Signature Version 4A (SigV4A). As a result, you will receive an authentication error.

To call the CloudFront KeyValueStore API, you can use the following options:

AWS CLI and AWS SDKs

You can configure the AWS CLI or an AWS SDK to use Regional AWS STS endpoints. For more information, see AWS STS Regionalized endpoints in the AWS SDK and Tools Reference Guide.

For more information about available AWS STS endpoints, see Regions and endpoints in the IAM User Guide.

SAML

You can configure SAML to use Regional AWS STS endpoints. For more information, see the How to use regional SAML endpoints for failover blog post.

SetSecurityTokenServicePreferences API

Instead of using a Regional AWS STS endpoint, you can configure the global endpoint for AWS STS to return version 2 session tokens. To do so, use the SetSecurityTokenServicePreferences API operation to configure your AWS account.

Example: IAM CLI command

aws iam set-security-token-service-preferences --global-endpoint-token-version v2Token

Tip

We recommend that you use the AWS STS Regional endpoints instead of this option. Regional endpoints provide higher availability and support failover scenarios.

Custom identity provider

If you're using a custom identity provider that does the federation and assumes the role, use one of the previous options for the parent identity provider system that is responsible for generating the session token.
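The Regional-endpoint option described above, as an added shell example that is not part of the AWS documentation: it assumes the AWS CLI v2 is installed, that ROLE_ARN names a role the caller is allowed to assume, and that KVS_ARN is a placeholder for your own store's ARN.

```shell
#!/bin/sh
# Added example (not from the AWS documentation): get a version 2 session token
# from a Regional AWS STS endpoint and use it for CloudFront KeyValueStore calls.
# Assumptions: AWS CLI v2 is installed; ROLE_ARN is a role the caller may assume;
# KVS_ARN is a placeholder for your store's ARN.

# Build the Regional STS endpoint URL for a region. The global endpoint
# (sts.amazonaws.com) is refused because it returns version 1 tokens, which
# SigV4A does not accept, so the KeyValueStore call would fail authentication.
sts_regional_endpoint() {
  region="$1"
  case "$region" in
    ""|global|aws-global)
      echo "refusing global STS endpoint: it issues v1 session tokens" >&2
      return 1 ;;
    cn-*) echo "https://sts.${region}.amazonaws.com.cn" ;;
    *)    echo "https://sts.${region}.amazonaws.com" ;;
  esac
}

# Assume ROLE_ARN through the Regional endpoint and export the temporary
# credentials so that later AWS CLI calls use the v2 session token.
assume_role_regional() {
  region="$1"; role_arn="$2"; session_name="${3:-kvs-session}"
  endpoint="$(sts_regional_endpoint "$region")" || return 1
  creds="$(aws sts assume-role \
      --region "$region" --endpoint-url "$endpoint" \
      --role-arn "$role_arn" --role-session-name "$session_name" \
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
      --output text)" || return 1
  AWS_ACCESS_KEY_ID="$(printf '%s\n' "$creds" | cut -f1)"
  AWS_SECRET_ACCESS_KEY="$(printf '%s\n' "$creds" | cut -f2)"
  AWS_SESSION_TOKEN="$(printf '%s\n' "$creds" | cut -f3)"
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# Call the KeyValueStore API with the exported credentials (SigV4A-signed by
# the CLI). Fails with an authentication error if a v1 token slipped through.
describe_kvs() {
  aws cloudfront-keyvaluestore describe-key-value-store --kvs-arn "$1"
}

# Usage (placeholders):
#   assume_role_regional us-east-1 "$ROLE_ARN" && describe_kvs "$KVS_ARN"
```

Setting `AWS_STS_REGIONAL_ENDPOINTS=regional` in the environment achieves the same endpoint selection for every STS call the CLI or SDK makes, without passing `--endpoint-url` explicitly.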

Runtime

The CloudFront Functions runtime environment doesn't support dynamic code evaluation, and it restricts access to the network, file system, environment variables, and timers. For more information, see Restricted features.

Note

To use CloudFront KeyValueStore, your CloudFront function must use JavaScript runtime 2.0.

Compute utilization

CloudFront Functions have a limit on the time they can take to run, measured as compute utilization. Compute utilization is a number between 0 and 100 that indicates the amount of time that the function took to run as a percentage of the maximum allowed time. For example, a compute utilization of 35 means that the function completed in 35% of the maximum allowed time.

When you test a function, you can see the compute utilization value in the output of the test event. For production functions, you can view the compute utilization metric on the Monitoring page in the CloudFront console, or in CloudWatch.