feat(client-lambda): Add InvokedViaFunctionUrl context key to limit invocations to only FURL invokes.

awstools · awstools · commit cf1e3beb2586 · 2025-10-10T18:56:05.000Z
diff --git a/clients/client-lambda/src/commands/AddPermissionCommand.ts b/clients/client-lambda/src/commands/AddPermissionCommand.ts
@@ -49,6 +49,7 @@ export interface AddPermissionCommandOutput extends AddPermissionResponse, __Met
  *   RevisionId: "STRING_VALUE",
  *   PrincipalOrgID: "STRING_VALUE",
  *   FunctionUrlAuthType: "NONE" || "AWS_IAM",
+ *   InvokedViaFunctionUrl: true || false,
  * };
  * const command = new AddPermissionCommand(input);
  * const response = await client.send(command);
diff --git a/clients/client-lambda/src/commands/GetProvisionedConcurrencyConfigCommand.ts b/clients/client-lambda/src/commands/GetProvisionedConcurrencyConfigCommand.ts
@@ -84,9 +84,9 @@ export interface GetProvisionedConcurrencyConfigCommandOutput
  * <p>Base exception class for all service exceptions from Lambda service.</p>
  *
  *
- * @example To get a provisioned concurrency configuration
+ * @example To view a provisioned concurrency configuration
  * ```javascript
- * // The following example returns details for the provisioned concurrency configuration for the BLUE alias of the specified function.
+ * // The following example displays details for the provisioned concurrency configuration for the BLUE alias of the specified function.
  * const input = {
  *   FunctionName: "my-function",
  *   Qualifier: "BLUE"
@@ -104,9 +104,9 @@ export interface GetProvisionedConcurrencyConfigCommandOutput
  * *\/
  * ```
  *
- * @example To view a provisioned concurrency configuration
+ * @example To get a provisioned concurrency configuration
  * ```javascript
- * // The following example displays details for the provisioned concurrency configuration for the BLUE alias of the specified function.
+ * // The following example returns details for the provisioned concurrency configuration for the BLUE alias of the specified function.
  * const input = {
  *   FunctionName: "my-function",
  *   Qualifier: "BLUE"
diff --git a/clients/client-lambda/src/models/models_0.ts b/clients/client-lambda/src/models/models_0.ts
@@ -406,6 +406,12 @@ export interface AddPermissionRequest {
    * @public
    */
   FunctionUrlAuthType?: FunctionUrlAuthType | undefined;
+
+  /**
+   * <p>Restricts the <code>lambda:InvokeFunction</code> action to calls coming from a function URL. When set to <code>true</code>, this prevents the principal from invoking the function by any means other than the function URL. For more information, see <a href="https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html">Security and auth model for Lambda function URLs</a>.</p>
+   * @public
+   */
+  InvokedViaFunctionUrl?: boolean | undefined;
 }
 
 /**
@@ -661,7 +667,7 @@ export type CodeSigningPolicy = (typeof CodeSigningPolicy)[keyof typeof CodeSign
  */
 export interface CodeSigningPolicies {
   /**
-   * <p>Code signing configuration policy for deployment validation failure. If you set the policy to <code>Enforce</code>, Lambda blocks the deployment request if signature validation checks fail. If you set the policy to <code>Warn</code>, Lambda allows the deployment and creates a CloudWatch log. </p> <p>Default value: <code>Warn</code> </p>
+   * <p>Code signing configuration policy for deployment validation failure. If you set the policy to <code>Enforce</code>, Lambda blocks the deployment request if signature validation checks fail. If you set the policy to <code>Warn</code>, Lambda allows the deployment and issues a new Amazon CloudWatch metric (<code>SignatureValidationErrors</code>) and also stores the warning in the CloudTrail log.</p> <p>Default value: <code>Warn</code> </p>
    * @public
    */
   UntrustedArtifactOnDeployment?: CodeSigningPolicy | undefined;
diff --git a/clients/client-lambda/src/protocols/Aws_restJson1.ts b/clients/client-lambda/src/protocols/Aws_restJson1.ts
@@ -366,6 +366,7 @@ export const se_AddPermissionCommand = async (
       Action: [],
       EventSourceToken: [],
       FunctionUrlAuthType: [],
+      InvokedViaFunctionUrl: [],
       Principal: [],
       PrincipalOrgID: [],
       RevisionId: [],
diff --git a/codegen/sdk-codegen/aws-models/lambda.json b/codegen/sdk-codegen/aws-models/lambda.json
@@ -1761,6 +1761,12 @@
           "traits": {
             "smithy.api#documentation": "<p>The type of authentication that your function URL uses. Set to <code>AWS_IAM</code> if you want to restrict access to authenticated users only. Set to <code>NONE</code> if you want to bypass IAM authentication to create a public endpoint. For more information, see <a href=\"https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html\">Security and auth model for Lambda function URLs</a>.</p>"
           }
+        },
+        "InvokedViaFunctionUrl": {
+          "target": "com.amazonaws.lambda#InvokedViaFunctionUrl",
+          "traits": {
+            "smithy.api#documentation": "<p>Restricts the <code>lambda:InvokeFunction</code> action to calls coming from a function URL. When set to <code>true</code>, this prevents the principal from invoking the function by any means other than the function URL. For more information, see <a href=\"https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html\">Security and auth model for Lambda function URLs</a>.</p>"
+          }
         }
       },
       "traits": {
@@ -2177,7 +2183,7 @@
         "UntrustedArtifactOnDeployment": {
           "target": "com.amazonaws.lambda#CodeSigningPolicy",
           "traits": {
-            "smithy.api#documentation": "<p>Code signing configuration policy for deployment validation failure. If you set the policy to <code>Enforce</code>, Lambda blocks the deployment request if signature validation checks fail. If you set the policy to <code>Warn</code>, Lambda allows the deployment and creates a CloudWatch log. </p> <p>Default value: <code>Warn</code> </p>"
+            "smithy.api#documentation": "<p>Code signing configuration policy for deployment validation failure. If you set the policy to <code>Enforce</code>, Lambda blocks the deployment request if signature validation checks fail. If you set the policy to <code>Warn</code>, Lambda allows the deployment and issues a new Amazon CloudWatch metric (<code>SignatureValidationErrors</code>) and also stores the warning in the CloudTrail log.</p> <p>Default value: <code>Warn</code> </p>"
           }
         }
       },
@@ -7072,8 +7078,8 @@
         "smithy.api#documentation": "<p>Retrieves the provisioned concurrency configuration for a function's alias or version.</p>",
         "smithy.api#examples": [
           {
-            "title": "To get a provisioned concurrency configuration",
-            "documentation": "The following example returns details for the provisioned concurrency configuration for the BLUE alias of the specified function.",
+            "title": "To view a provisioned concurrency configuration",
+            "documentation": "The following example displays details for the provisioned concurrency configuration for the BLUE alias of the specified function.",
             "input": {
               "FunctionName": "my-function",
               "Qualifier": "BLUE"
@@ -7087,8 +7093,8 @@
             }
           },
           {
-            "title": "To view a provisioned concurrency configuration",
-            "documentation": "The following example displays details for the provisioned concurrency configuration for the BLUE alias of the specified function.",
+            "title": "To get a provisioned concurrency configuration",
+            "documentation": "The following example returns details for the provisioned concurrency configuration for the BLUE alias of the specified function.",
             "input": {
               "FunctionName": "my-function",
               "Qualifier": "BLUE"
@@ -8172,6 +8178,9 @@
         "smithy.api#streaming": {}
       }
     },
+    "com.amazonaws.lambda#InvokedViaFunctionUrl": {
+      "type": "boolean"
+    },
     "com.amazonaws.lambda#KMSAccessDeniedException": {
       "type": "structure",
       "members": {
