I am trying to create listener rule in alb using aws cli commands or python boto3 but it is giving the below error
Unknown parameter in Actions[0]: "RedirectConfig", must be one of: Type, TargetGroupArn, AuthenticateOidcConfig, AuthenticateCognitoConfig, Order

i am using the latest version of boto3
boto3 python code:

                       ListenerArn=listener.get('ListenerArn'),
                       Conditions=[
                           {
                               'Field': 'host-header',
                               'Values': [PARSED_ARGS.hostname]
                           },
                       ],
                       Priority=1,
                       Actions=[
                           {
                               'Type': 'redirect',
                               'RedirectConfig': {
                                   'Protocol': 'HTTPS',
                                   'Port': '443',
                                   'Host': '#{host}',
                                   'Path': '#{path}',
                                   'Query': '#{query}',
                                   'StatusCode': 'HTTP_301'
                               }
                           }
                       ]
                   )```

aws cli code:  aws-cli/1.14.9 Python/2.7.14 Linux/4.14.62-65.117.amzn1.x86_64 botocore/1.8.13

```aws elbv2 create-rule --listener-arn  arn:aws:elasticloadbalancing:us-east-1:152362558367:listener/app/6c20651a-demoapache-albdem-c8f3/c952cc7e0270a0e7/94a4ff8438b86216 --priority  1  --conditions Field=host-header,Values='*.example.com'  --actions '{"Type": "redirect","RedirectConfig": {"Protocol": "HTTPS","Port": "443","StatusCode": "HTTP_301"}}' --region us-east-1```

Parameter validation failed:
Unknown parameter in Actions[0]: "RedirectConfig", must be one of: Type, TargetGroupArn

I think this should be javascript but I'm not sure on the verbage.

Hi,

I'm following the awsdocs guide for setting up a Lambda as a target of an ALB.
It appears that the documentation around the response body may be out of date.

The docs state that the response body requires:

the response from your Lambda function must include the Base64 encoding status, status code, and headers. You can omit the body.

From:
https://github.com/awsdocs/elb-application-load-balancers-user-guide/blob/master/doc_source/lambda-functions.md#respond-to-the-load-balancer

However, I have this example lambda which responses successfully:

exports.handler = async (event, context, callback) => {
  const response = {
    statusCode: 200,
  }
  return response;
};

I believe the ALB uses default statusDescription, isBase64Encoded, and header values. I also recall that this information was previously required, and the ALB did not automatically set this information. I believe if any of these values are set to null, in node, or an equivalent data type from another language, the ALB will respond with a 502 response.

So I'm wondering if the response body information could be clarified in the documentation?
I'm also wondering if there's a documented list of statusDescription values an AWS ALB uses?

I deployed my Lambda using Serverless:

  Your Environment Information ---------------------------
     Operating System:          linux
     Node Version:              12.19.0
     Framework Version:         2.9.0
     Plugin Version:            4.1.1
     SDK Version:               2.3.2
     Components Version:        3.3.0

I'm wondering if the 8 IP addresses used by ALB in a subnet is documented ?

I can see it's documented for Classic and NLB:
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancer-getting-started.html
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-backend-instances.html

Initial Problem: Slack requires a 3 second respond from a URL for a slack command.

Solution: I want an ALB, TG, Lambda(1), and Lambda(2). My ALB and TG will route requests to Lambda(1) which will then asynchronously call Lambda(2). Lambda(1) will return early while Lambda(2) will continue to do work. My Lambdas are in a VPC with private subnets.

Problem with my solution: When I 1) remove the VPC from my Lambda or 2) replace my Lambda's private subnets with public subnets, I can curl my ALB url to invoke my lambda. If I want to 3) keep my Lambda in its VPC and 4) keep its subnets private, when I curl my ALB url, it times out.

I don't see this documented in the Lambda_Functions.md file. Is 3 and 4 not possible? do I need to choose solution 1 or 2 to make sure my ALB can talk to my lambdas?

Thank you.

Need documentation or tutorial to outline the steps to setup Azure AD with ALB.

listener-authenticate-users.md does not have any information on how one might setup such an integration and which values need to be copied over from AAD

When reading https://github.com/awsdocs/elb-application-load-balancers-user-guide/blob/8eb8a547b1eae12ce91612407ac6cc048ddbdcb0/doc_source/listener-authenticate-users.md (or https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html#user-claims-encoding ) , the URLs that are listed are :

use it to look up the public key from the following regional endpoint:

https://public-keys.auth.elb.region.amazonaws.com/key-id

For AWS GovCloud (US-West), the endpoint is as follows:

https://s3-us-gov-west-1.amazonaws.com/aws-elb-public-keys-prod-us-gov-west-1/key-id

For AWS GovCloud (US-East), the endpoint is as follows:

https://s3-us-gov-east-1.amazonaws.com/aws-elb-public-keys-prod-us-gov-east-1/key-id

In our case, we are not able to retrieve those public keys, when using authentication through Cognito in our ALB.

What does work is to infer the URL following the algorithm described in :
https://aws.amazon.com/premiumsupport/knowledge-center/decode-verify-cognito-json-token/ .... o in our case, appending .well-known/jwks.json at the very end of the issuer .

Are we missing something ?

VPC endpoint to Cognito for the ALB to reach the userpool without going over the internet is not possible.

The ALB will need internet access to reach out to the cognito service over port 443. A VPC endpoint would just give permission for the VPC to reach out to the ALB without access to it over the internet.

It's worth adding note in the doc https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html "note: it will not work on internal scheme ALB"

The syntax table includes two new fields:

• target:port_list
• target_status_code_list

They are not present in the access logs examples.

According to the syntax table, missing optional fields are denoted by a -. Real examples seem to conform to this.

Hi AWS docs team,

In the ELB load balancers documentation (

However, this is simply not true. The problem is that this token includes additional base64 padding, which is not allowed according to the JWT and JWS RFC's. The JWT RFC refers to the JWS RFC (7515) for the usage of Base64url Encoding and RFC 7515's definition of Base64url Encoding states that no padding is used (see https://datatracker.ietf.org/doc/html/rfc7515#section-2).

Deviating from the standard (while still claiming that this is a "JWT") puts JWT library implementations, such as golang-jwt in a tough spot, because for various reasons, such as security, we want to enforce the RFC / standard as close as humanly possible. On the other hand, we get demands from users using AWS services to support malformed tokens (for example see golang-jwt/jwt#92).

This is probably not the right place to start this discussion but for the lack of other means to communicate, I am trying my luck here. Please feel free to forward this to any team who might be more suitable.

I attempted a slight variation of this and this does not work. I had multiple application load balancers authenticating to the same user pool but with different(unique) cookie names. The concept of independent authentication didn't seem to exist as after the first authentication with one of the load balancers, the rest automatically signed me in without a need to reauthenticate.

The X-Amzn-Trace-Id syntax documentation notes:

An application can add arbitrary fields for its own purposes. The load balancer preserves these fields but does not use them.

Then under Limitations:

The load balancer updates the header when it receives an incoming request, not when it receives a response.

What's missing (for me) is how to set the application-added fields, if not from the application target. Does the client making the web request add that field in a request header? I'm guessing yes, but it could be a bit more explicit. Does the load balancer add X-Amzn-Trace-Id to the response, and if so, how do we guarantee that the client sends that value in the next request header?

I can probably experiment and find these answers, but, again, more specificity may be useful.

The three use cases laid out at the top of the article do not clearly map to the subsequent content sections.

The following use cases are supported:

Authenticate users through an identity provider (IdP) that is OpenID Connect (OIDC) compliant.

Authenticate users through well-known social IdPs, such as Amazon, Facebook, or Google, through the user pools supported by Amazon Cognito.

Authenticate users through corporate identities, using SAML, LDAP, or Microsoft AD, through the user pools supported by Amazon Cognito.

Hi

Just wondering if the following doc entry should be corrected (found whilst investigating an ELB issue).

Referring to the table describing the ELB log entry syntax.

For "response_processing_time" the description states "The total time elapsed (in seconds, with millisecond precision) from the time the load balancer received the response header from the target until it started to send the response to the client. This includes both the queuing time at the load balancer and the connection acquisition time from the load balancer to the client.

This value is set to -1 if the load balancer can't send the request to a target. This can happen if the target closes the connection before the idle timeout or if the client sends a malformed request."

Should the last paragraph be corrected to:
"
....
This value is set to -1 if the load balancer can't receive a response from a target. This can happen if the target closes the connection before the idle timeout or if the client sends a malformed request."

Hey together,

I tried to configure access logs for my ALB. I followed the instruction within this link:

Unfortunately, the instruction is not sufficient. This is a working example of a bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::ALB_ACCOUNT_ID:root"
            },
            "Action": "s3:PutObject",
            "Resource": [
                 "arn:aws:s3:::logging-bucket/accesslogs-alb-frontend/AWSLogs/ACCOUNT_ID/*"
            ]
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "logdelivery.elb.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": [
                "arn:aws:s3:::logging-bucket/accesslogs-alb-frontend/AWSLogs/ACCOUNT_ID/*"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "logdelivery.elb.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::logging-bucket"
        }
    ]
}

The important difference to AWS docs website, is this statement:

{
   "Effect": "Allow",
   "Principal": {"Service": "logdelivery.elb.amazonaws.com"},
   "Action": "s3:GetBucketAcl",
   "Resource": "arn:aws:s3:::logging-bucket"
}

But no pull request is needed, as your Github repo already holds this information

For a better reading experience, it would be nice to have the whole bucket permission and afterwards the table showing the alb account ids. Now you have a break within the sets.

Please update your docs :-).

Do Application Load Balancer access logs currently support S3 buckets with KMS encryption (SSE-KMS) enabled?

The current documentation has no mention of support for encryption besides SSE-KMS:

You can enable server-side encryption for your Amazon S3 access log bucket using Amazon S3-Managed Encryption Keys (SSE-S3).
For more information, see Protecting data using server-side encryption with Amazon S3-managed encryption keys (SSE-S3) and in the Amazon Simple Storage Service User Guide.

A previous version of the documentation explicitly said that only SSE-S3 is supported:

Amazon S3-Managed Encryption Keys (SSE-S3) is required. No other encryption options are supported.

Was there any recent change which added support for SSE-KMS?

Hi, I would like to create a new PR to add ap-southeast-3 to the elb-account-id table. But, the table on github is just linking to the docs.aws.amazon.com website.

Does anyone know how to add this detail to the docs.aws.amazon.com website?

Because clicking the Edit this page on GitHub link at the bottom of that page brings me to this repo.

Thank you.

Hi, in relation to https://github.com/awsdocs/elb-application-load-balancers-user-guide/blob/master/doc_source/load-balancer-access-logs.md:

1. Can you please add an example that shows matched_rule_priority, request_creation_time and actions_executed
2. Can you please fix the existing Example HTTPS Entry example to show that domain_name and chosen_cert_arn are surrounded by double quotes
3. In the syntax section, can you please highlight (as you have for request), that the following fields also have double quotes:
   a. user_agent
   b. trace_id
   c. domain_name
   d. chosen_cert_arn
   e. actions_executed
4. In the syntax section, can you please clarify that the following fields are seconds with millisecond precision:
   a. request_processing_time
   b. target_processing_time
   c. response_processing_time

Thanks!