AWS Lambda plugin | Kong Docs

Invoke an AWS Lambda function from Kong. The AWS Lambda plugin can be used in combination with other request plugins to secure, manage, or extend the function.

Configuration Reference

This plugin is compatible with DB-less mode.

In DB-less mode, you configure Kong Gateway declaratively. Therefore, the Admin API is mostly read-only. The only tasks it can perform are all related to handling the declarative config, including:

Setting a target's health status in the load balancer
Validating configurations against schemas
Uploading the declarative configuration using the /config endpoint

Example plugin configuration

Enable on a service

Enable on a route

Enable on a consumer

Enable globally

The following examples provide some typical configurations for enabling the aws-lambda plugin on a service.

Admin API

Kubernetes

Declarative (YAML)

Konnect Cloud

Kong Manager

Make the following request:

curl -X POST http://localhost:8001/services/SERVICE_NAME|SERVICE_ID/plugins \
    --data "name=aws-lambda"  \
    --data-urlencode "config.aws_key=<AWS_KEY>" \
    --data-urlencode "config.aws_secret=<AWS_SECRET>" \
    --data "config.aws_region=<AWS_REGION>" \
    --data "config.aws_assume_role_arn=<AWS_ASSUME_ROLE_ARN>" \
    --data "config.aws_role_session_name=<AWS_ROLE_SESSION_NAME>" \
    --data "config.function_name=<LAMBDA_FUNCTION_NAME>" \
    --data "config.proxy_url=http://my-proxy-server:3128"

Replace SERVICE_NAME|SERVICE_ID with the id or name of the service that this plugin configuration will target.

First, create a KongPlugin resource:

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: aws-lambda-example
config: 
  aws_key: <AWS_KEY>
  aws_secret: <AWS_SECRET>
  aws_region: <AWS_REGION>
  aws_assume_role_arn: <AWS_ASSUME_ROLE_ARN>
  aws_role_session_name: <AWS_ROLE_SESSION_NAME>
  function_name: <LAMBDA_FUNCTION_NAME>
  proxy_url: http://my-proxy-server:3128
plugin: aws-lambda

Next, apply the KongPlugin resource to a service by annotating the service as follows:

apiVersion: v1
kind: Service
metadata:
  name: SERVICE_NAME|SERVICE_ID
  labels:
    app: SERVICE_NAME|SERVICE_ID
  annotations:
    konghq.com/plugins: aws-lambda-example
spec:
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP
    name: SERVICE_NAME|SERVICE_ID
  selector:
    app: SERVICE_NAME|SERVICE_ID

Replace SERVICE_NAME|SERVICE_ID with the id or name of the service that this plugin configuration will target.

Note: The KongPlugin resource only needs to be defined once and can be applied to any service, consumer, or route in the namespace. If you want the plugin to be available cluster-wide, create the resource as a KongClusterPlugin instead of KongPlugin.

Add this section to your declarative configuration file:

plugins:
- name: aws-lambda
  service: SERVICE_NAME|SERVICE_ID
  config: 
    aws_key: <AWS_KEY>
    aws_secret: <AWS_SECRET>
    aws_region: <AWS_REGION>
    aws_assume_role_arn: <AWS_ASSUME_ROLE_ARN>
    aws_role_session_name: <AWS_ROLE_SESSION_NAME>
    function_name: <LAMBDA_FUNCTION_NAME>
    proxy_url: http://my-proxy-server:3128

Replace SERVICE_NAME|SERVICE_ID with the id or name of the service that this plugin configuration will target.

You can configure this plugin through the Konnect UI.

From the Service Hub, select a service version, then set up the plugin:

In the Plugins section, click Add Plugin.
Find and select the AWS Lambda plugin.
Configure the plugin’s parameters.

You can test out the plugin with the following sample configuration:
- Config.Function Name: <LAMBDA_FUNCTION_NAME>
Click Create.

You can configure this plugin through the Kong Manager UI.

In Kong Manager, select the workspace.
From the Services section, click View for the service row.
From the plugin section, click Add Plugin.
Find and select the AWS Lambda plugin.
If the option is available, select Scoped.
Add the service name and ID to the Service field if it is not already pre-filled.
Configure the plugin’s parameters.

You can test out the plugin with the following sample configuration:
- Config.Function Name: <LAMBDA_FUNCTION_NAME>
Click Create.

The following examples provide some typical configurations for enabling the aws-lambda plugin on a route.

Admin API

Kubernetes

Declarative (YAML)

Konnect Cloud

Kong Manager

Make the following request:

curl -X POST http://localhost:8001/routes/ROUTE_NAME|ROUTE_ID/plugins \
  --data "name=aws-lambda"  \
    --data-urlencode "config.aws_key=<AWS_KEY>" \
    --data-urlencode "config.aws_secret=<AWS_SECRET>" \
    --data "config.aws_region=<AWS_REGION>" \
    --data "config.aws_assume_role_arn=<AWS_ASSUME_ROLE_ARN>" \
    --data "config.aws_role_session_name=<AWS_ROLE_SESSION_NAME>" \
    --data "config.function_name=<LAMBDA_FUNCTION_NAME>" \
    --data "config.proxy_url=http://my-proxy-server:3128"

Replace ROUTE_NAME|ROUTE_ID with the id or name of the route that this plugin configuration will target.

First, create a KongPlugin resource:

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: aws-lambda-example
config: 
  aws_key: <AWS_KEY>
  aws_secret: <AWS_SECRET>
  aws_region: <AWS_REGION>
  aws_assume_role_arn: <AWS_ASSUME_ROLE_ARN>
  aws_role_session_name: <AWS_ROLE_SESSION_NAME>
  function_name: <LAMBDA_FUNCTION_NAME>
  proxy_url: http://my-proxy-server:3128
plugin: aws-lambda

Then, apply it to an ingress (route or routes) by annotating the ingress as follows:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ROUTE_NAME|ROUTE_ID
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/plugins: aws-lambda-example
spec:
  rules:
  - host: examplehostname.com
    http:
      paths:
      - path: /bar
        backend:
          service:
            name: echo
            port:
              number: 80

Replace ROUTE_NAME|ROUTE_ID with the id or name of the route that this plugin configuration will target.

Note: The KongPlugin resource only needs to be defined once and can be applied to any service, consumer, or route in the namespace. If you want the plugin to be available cluster-wide, create the resource as a KongClusterPlugin instead of KongPlugin.

Add this section to your declarative configuration file:

plugins:
- name: aws-lambda
  route: ROUTE_NAME
  config: 
    aws_key: <AWS_KEY>
    aws_secret: <AWS_SECRET>
    aws_region: <AWS_REGION>
    aws_assume_role_arn: <AWS_ASSUME_ROLE_ARN>
    aws_role_session_name: <AWS_ROLE_SESSION_NAME>
    function_name: <LAMBDA_FUNCTION_NAME>
    proxy_url: http://my-proxy-server:3128

Replace ROUTE_NAME|ROUTE_ID with the id or name of the route that this plugin configuration will target.

You can configure this plugin through the Konnect UI.

From the Service Hub, select a service version, then set up the plugin:

Select a route.
In the Plugins section, click Add Plugin.
Find and select the AWS Lambda plugin.
Configure the plugin’s parameters.

You can test out the plugin with the following sample configuration:
- Config.Function Name: <LAMBDA_FUNCTION_NAME>
Click Create.

You can configure this plugin through the Kong Manager UI.

In Kong Manager, select the workspace.
Open Routes from the menu, then click View for the route row.
From the plugin section, click Add Plugin.
Find and select the AWS Lambda plugin.
If the option is available, select Scoped.
Add the route ID if it is not already prefilled.
Configure the plugin’s parameters.

You can test out the plugin with the following sample configuration:
- Config.Function Name: <LAMBDA_FUNCTION_NAME>
Click Create.

The following examples provide some typical configurations for enabling the aws-lambda plugin on a consumer.

Admin API

Kubernetes

Declarative (YAML)

Kong Manager

Make the following request:

curl -X POST http://localhost:8001/consumers/CONSUMER_NAME|CONSUMER_ID/plugins \
  --data "name=aws-lambda"  \
    --data-urlencode "config.aws_key=<AWS_KEY>" \
    --data-urlencode "config.aws_secret=<AWS_SECRET>" \
    --data "config.aws_region=<AWS_REGION>" \
    --data "config.aws_assume_role_arn=<AWS_ASSUME_ROLE_ARN>" \
    --data "config.aws_role_session_name=<AWS_ROLE_SESSION_NAME>" \
    --data "config.function_name=<LAMBDA_FUNCTION_NAME>" \
    --data "config.proxy_url=http://my-proxy-server:3128"

Replace CONSUMER_NAME|CONSUMER_ID with the id or name of the consumer that this plugin configuration will target.

You can combine consumer.id, service.id, or route.id in the same request, to further narrow the scope of the plugin.

First, create a KongPlugin resource:

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: aws-lambda-example
config: 
  aws_key: <AWS_KEY>
  aws_secret: <AWS_SECRET>
  aws_region: <AWS_REGION>
  aws_assume_role_arn: <AWS_ASSUME_ROLE_ARN>
  aws_role_session_name: <AWS_ROLE_SESSION_NAME>
  function_name: <LAMBDA_FUNCTION_NAME>
  proxy_url: http://my-proxy-server:3128
plugin: aws-lambda

Then, apply it to a consumer by annotating the KongConsumer resource as follows:

apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: CONSUMER_NAME|CONSUMER_ID
  annotations:
    konghq.com/plugins: aws-lambda-example
    kubernetes.io/ingress.class: kong

Replace CONSUMER_NAME|CONSUMER_ID with the id or name of the consumer that this plugin configuration will target.

Note: The KongPlugin resource only needs to be defined once and can be applied to any service, consumer, or route in the namespace. If you want the plugin to be available cluster-wide, create the resource as a KongClusterPlugin instead of KongPlugin.

Add this section to your declarative configuration file:

plugins:
- name: aws-lambda
  consumer: CONSUMER_NAME|CONSUMER_ID
  config: 
    aws_key: <AWS_KEY>
    aws_secret: <AWS_SECRET>
    aws_region: <AWS_REGION>
    aws_assume_role_arn: <AWS_ASSUME_ROLE_ARN>
    aws_role_session_name: <AWS_ROLE_SESSION_NAME>
    function_name: <LAMBDA_FUNCTION_NAME>
    proxy_url: http://my-proxy-server:3128

Replace CONSUMER_NAME|CONSUMER_ID with the id or name of the consumer that this plugin configuration will target.

You can configure this plugin through the Kong Manager UI.

In Kong Manager, select the workspace.
From the Consumers section, click View for the consumer row.
Select the Plugins tab, then click Add Plugin.
Find and select the AWS Lambda plugin.
If the option is available, select Scoped.
Add the consumer ID if it is not already prefilled.
Configure the plugin’s parameters.

You can test out the plugin with the following sample configuration:
- Config.Function Name: <LAMBDA_FUNCTION_NAME>
Click Create.

A plugin which is not associated to any service, route, or consumer is considered global, and will be run on every request. Read the Plugin Reference and the Plugin Precedence sections for more information.

The following examples provide some typical configurations for enabling the aws-lambda plugin globally.

Admin API

Kubernetes

Declarative (YAML)

Kong Manager

Make the following request:

curl -X POST http://localhost:8001/plugins/ \
  --data "name=aws-lambda"  \
    --data-urlencode "config.aws_key=<AWS_KEY>" \
    --data-urlencode "config.aws_secret=<AWS_SECRET>" \
    --data "config.aws_region=<AWS_REGION>" \
    --data "config.aws_assume_role_arn=<AWS_ASSUME_ROLE_ARN>" \
    --data "config.aws_role_session_name=<AWS_ROLE_SESSION_NAME>" \
    --data "config.function_name=<LAMBDA_FUNCTION_NAME>" \
    --data "config.proxy_url=http://my-proxy-server:3128"

Create a KongClusterPlugin resource and label it as global:

apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: <global-aws-lambda>
  annotations:
    kubernetes.io/ingress.class: kong
  labels:
    global: \"true\"
config: 
  aws_key: <AWS_KEY>
  aws_secret: <AWS_SECRET>
  aws_region: <AWS_REGION>
  aws_assume_role_arn: <AWS_ASSUME_ROLE_ARN>
  aws_role_session_name: <AWS_ROLE_SESSION_NAME>
  function_name: <LAMBDA_FUNCTION_NAME>
  proxy_url: http://my-proxy-server:3128
plugin: aws-lambda

Add a plugins entry in the declarative configuration file:

plugins:
- name: aws-lambda
  config: 
    aws_key: <AWS_KEY>
    aws_secret: <AWS_SECRET>
    aws_region: <AWS_REGION>
    aws_assume_role_arn: <AWS_ASSUME_ROLE_ARN>
    aws_role_session_name: <AWS_ROLE_SESSION_NAME>
    function_name: <LAMBDA_FUNCTION_NAME>
    proxy_url: http://my-proxy-server:3128

You can configure this plugin through the Kong Manager UI.

In Kong Manager, select the workspace.
Open Plugins from the menu, then click New Plugin.
Find and select the AWS Lambda plugin.
If the option is available, set the plugin scope to Global.
Configure the plugin’s parameters.

You can test out the plugin with the following sample configuration:
- Config.Function Name: <LAMBDA_FUNCTION_NAME>
Click Create.

Parameters

Here's a list of all the parameters which can be used in this plugin's configuration:

Form Parameter Description

Form Parameter	Description
`name` required Type: string	The name of the plugin, in this case `aws-lambda`.
`instance_name` optional Type: string	An optional custom name to identify an instance of the plugin, for example `aws-lambda_my-service`. Useful when running the same plugin in multiple contexts, for example, on multiple services.
`service.name` or `service.id` optional Type: string	The name or ID of the service the plugin targets. Set one of these parameters if adding the plugin to a service through the top-level `/plugins` endpoint. Not required if using `/services/SERVICE_NAME\|SERVICE_ID/plugins`.
`route.name` or `route.id` optional Type: string	The name or ID of the route the plugin targets. Set one of these parameters if adding the plugin to a route through the top-level `/plugins` endpoint. Not required if using `/routes/ROUTE_NAME\|ROUTE_ID/plugins`.
`consumer.name` or `consumer.id` optional Type: string	The name or ID of the consumer the plugin targets. Set one of these parameters if adding the plugin to a consumer through the top-level `/plugins` endpoint. Not required if using `/consumers/CONSUMER_NAME\|CONSUMER_ID/plugins`.
`enabled` optional Type: boolean Default value: `true`	Whether this plugin will be applied.
`config.aws_key` semi-optional Type: string	The AWS key credential to be used when invoking the function. The `aws_key` value is required if `aws_secret` is defined. If `aws_key` and `aws_secret` are not set, the plugin uses an IAM role inherited from the instance running Kong to authenticate. Can be symmetrically encrypted if using Kong Gateway and data encryption is configured. If keyring database encryption is enabled, this value will be encrypted. This field is referenceable, which means it can be securely stored as a secret in a vault. References must follow a specific format.
`config.aws_secret` semi-optional Type: string	The AWS secret credential to be used when invoking the function. The `aws_secret` value is required if `aws_key` is defined. If `aws_key` and `aws_secret` are not set, the plugin uses an IAM role inherited from the instance running Kong to authenticate. Can be symmetrically encrypted if using Kong Gateway and data encryption is configured. If keyring database encryption is enabled, this value will be encrypted. This field is referenceable, which means it can be securely stored as a secret in a vault. References must follow a specific format.
`config.aws_region` semi-optional Type: string	The AWS region where the Lambda function is located. The plugin does not attempt to validate the supplied region name. The plugin has two methods of detecting the AWS region: the `aws_region` parameter, or one of the `AWS_REGION` or `AWS_DEFAULT_REGION` environment variables. One of these must be set. If `region` is not specified in plugin configuration, the plugin automatically detects the AWS region on runtime via one of the environment variables. Using environment variables enables regionally distributed Kong cluster nodes to connect to the closest AWS region. The AWS region is required for AWS SigV4. If `aws_region` or the `AWS_REGION` or `AWS_DEFAULT_REGION` environment variables have not been specified, or an invalid region name has been provided, the plugin responds with an HTTP `500 Internal Server Error` at runtime.
`config.aws_assume_role_arn` optional Type: string	The target AWS IAM role ARN used to invoke the Lambda function. Typically this is used for a cross-account Lambda function invocation. This field is referenceable, which means it can be securely stored as a secret in a vault. References must follow a specific format.
`config.aws_role_session_name` optional Type: string Default value: `kong`	The identifier of the assumed role session. It is used for uniquely identifying a session when the same target role is assumed by different principals or for different reasons. The role session name is also used in the ARN of the assumed role principle.
`config.host` optional Type: string	The host where the Lambda function is located. This value can point to a local Lambda server, allowing for easier debugging. To set a region, use the `aws_region` parameter.
`config.function_name` required Type: string	The AWS Lambda function name to invoke. This may contain the function name only (`my-function`), the full ARN (arn:aws:lambda:us-west-2:123456789012:function:my-function) or a partial ARN (123456789012:function:my-function). You can also append a version number or alias to any of the formats.
`config.qualifier` optional Type: string	The `Qualifier` to use when invoking the function.
`config.invocation_type` required Type: string Default value: `RequestResponse`	The `InvocationType` to use when invoking the function. Available types are `RequestResponse`, `Event`, `DryRun`.
`config.log_type` required Type: string Default value: `Tail`	The `LogType` to use when invoking the function. By default, `None` and `Tail` are supported.
`config.timeout` required Type: number Default value: `60000`	An optional timeout in milliseconds when invoking the function.
`config.port` optional Type: integer Default value: `443`	The TCP port that the plugin uses to connect to the server.
`config.keepalive` required Type: number Default value: `60000`	An optional value in milliseconds that defines how long an idle connection lives before being closed.
`config.unhandled_status` optional Type: integer Default value: `200, 202, or 204`	The response status code to use (instead of the default `200`, `202`, or `204`) in the case of an `Unhandled` Function Error.
`config.forward_request_body` optional Type: boolean Default value: `false`	An optional value that defines whether the request body is sent in the `request_body` field of the JSON-encoded request. If the body arguments can be parsed, they are sent in the separate `request_body_args` field of the request. The body arguments can be parsed for `application/json`, `application/x-www-form-urlencoded`, and `multipart/form-data` content types.
`config.forward_request_headers` optional Type: boolean Default value: `false`	An optional value that defines whether the original HTTP request headers are sent as a map in the `request_headers` field of the JSON-encoded request.
`config.forward_request_method` optional Type: boolean Default value: `false`	An optional value that defines whether the original HTTP request method verb is sent in the `request_method` field of the JSON-encoded request.
`config.forward_request_uri` optional Type: boolean Default value: `false`	An optional value that defines whether the original HTTP request URI is sent in the `request_uri` field of the JSON-encoded request. Request URI arguments (if any) are sent in the separate `request_uri_args` field of the JSON body.
`config.is_proxy_integration` optional Type: boolean Default value: `false`	An optional value that defines whether the response format to receive from the Lambda to this format.
`config.awsgateway_compatible` optional Type: boolean Default value: `false`	An optional value that defines whether the plugin should wrap requests into the Amazon API gateway.
`config.proxy_url` semi-optional Type: string	An optional value that defines whether the plugin should connect through the given proxy server URL. Include the request scheme in the URL, which must be `http`. For example: `http://my-proxy-server:3128`. Kong Gateway uses HTTP tunneling via the CONNECT HTTP method so that no details of the AWS Lambda request are leaked to the proxy server.
`config.skip_large_bodies` optional Type: boolean Default value: `true`	An optional value that defines whether Kong should send large bodies that are buffered to disk. Note that enabling this option will have an impact on system memory depending on the number of requests simultaneously in flight at any given point in time and on the maximum size of each request. Also this option blocks all requests being handled by the nginx workers. That could be tens of thousands of other transactions that are not being processed. For small I/O operations, such a delay would generally not be problematic. In cases where the body size is in the order of MB, such a delay would cause notable interruptions in request processing. Given all of the potential downsides resulting from enabling this option, consider increasing the client_body_buffer_size value instead.
`config.base64_encode_body` optional Type: boolean Default value: `true`	An optional value that Base64-encodes the request body.
`config.aws_imds_protocol_version` required Type: string Default value: `v1`	Identifier to select the IMDS protocol version to use, either `v1` or `v2`. If `v2` is selected, an additional session token is requested from the EC2 metadata service by the plugin to secure the retrieval of the EC2 instance role. Note that if {{site.base_gateway}} is running inside a container on an EC2 instance, the EC2 instance metadata must be configured accordingly. Please refer to “Considerations” section in the “Retrieve instance metadata” section of the EC2 manual for details.

name

required

Type: string

The name of the plugin, in this case aws-lambda.

instance_name

optional

Type: string

An optional custom name to identify an instance of the plugin, for example aws-lambda_my-service.

Useful when running the same plugin in multiple contexts, for example, on multiple services.

service.name or service.id

optional

Type: string

The name or ID of the service the plugin targets.

Set one of these parameters if adding the plugin to a service through the top-level /plugins endpoint.

Not required if using /services/SERVICE_NAME|SERVICE_ID/plugins.

route.name or route.id

optional

Type: string

The name or ID of the route the plugin targets.

Set one of these parameters if adding the plugin to a route through the top-level /plugins endpoint.

Not required if using /routes/ROUTE_NAME|ROUTE_ID/plugins.

consumer.name or consumer.id

optional

Type: string

The name or ID of the consumer the plugin targets.

Set one of these parameters if adding the plugin to a consumer through the top-level /plugins endpoint.

Not required if using /consumers/CONSUMER_NAME|CONSUMER_ID/plugins.

enabled

optional

Type: boolean

Default value: true

Whether this plugin will be applied.

config.aws_key

semi-optional

Type: string

The AWS key credential to be used when invoking the function. The aws_key value is required if aws_secret is defined. If aws_key and aws_secret are not set, the plugin uses an IAM role inherited from the instance running Kong to authenticate. Can be symmetrically encrypted if using Kong Gateway and data encryption is configured.

If keyring database encryption is enabled, this value will be encrypted.

This field is referenceable, which means it can be securely stored as a secret in a vault. References must follow a specific format.

config.aws_secret

semi-optional

Type: string

The AWS secret credential to be used when invoking the function. The aws_secret value is required if aws_key is defined. If aws_key and aws_secret are not set, the plugin uses an IAM role inherited from the instance running Kong to authenticate. Can be symmetrically encrypted if using Kong Gateway and data encryption is configured.

If keyring database encryption is enabled, this value will be encrypted.

This field is referenceable, which means it can be securely stored as a secret in a vault. References must follow a specific format.

config.aws_region

semi-optional

Type: string

The AWS region where the Lambda function is located. The plugin does not attempt to validate the supplied region name.

The plugin has two methods of detecting the AWS region: the aws_region parameter, or one of the AWS_REGION or AWS_DEFAULT_REGION environment variables. One of these must be set.

If region is not specified in plugin configuration, the plugin automatically detects the AWS region on runtime via one of the environment variables. Using environment variables enables regionally distributed Kong cluster nodes to connect to the closest AWS region.

The AWS region is required for AWS SigV4. If aws_region or the AWS_REGION or AWS_DEFAULT_REGION environment variables have not been specified, or an invalid region name has been provided, the plugin responds with an HTTP 500 Internal Server Error at runtime.

config.aws_assume_role_arn

optional

Type: string

The target AWS IAM role ARN used to invoke the Lambda function. Typically this is used for a cross-account Lambda function invocation.

This field is referenceable, which means it can be securely stored as a secret in a vault. References must follow a specific format.

config.aws_role_session_name

optional

Type: string

Default value: kong

The identifier of the assumed role session. It is used for uniquely identifying a session when the same target role is assumed by different principals or for different reasons. The role session name is also used in the ARN of the assumed role principle.

config.host

optional

Type: string

The host where the Lambda function is located. This value can point to a local Lambda server, allowing for easier debugging.

To set a region, use the aws_region parameter.

config.function_name

required

Type: string

The AWS Lambda function name to invoke. This may contain the function name only (my-function), the full ARN (arn:aws:lambda:us-west-2:123456789012:function:my-function) or a partial ARN (123456789012:function:my-function). You can also append a version number or alias to any of the formats.

config.qualifier

optional

Type: string

The Qualifier to use when invoking the function.

config.invocation_type

required

Type: string

Default value: RequestResponse

The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun.

config.log_type

required

Type: string

Default value: Tail

The LogType to use when invoking the function. By default, None and Tail are supported.

config.timeout

required

Type: number

Default value: 60000

An optional timeout in milliseconds when invoking the function.

config.port

optional

Type: integer

Default value: 443

The TCP port that the plugin uses to connect to the server.

config.keepalive

required

Type: number

Default value: 60000

An optional value in milliseconds that defines how long an idle connection lives before being closed.

config.unhandled_status

optional

Type: integer

Default value: 200, 202, or 204

The response status code to use (instead of the default 200, 202, or 204) in the case of an Unhandled Function Error.

config.forward_request_body

optional

Type: boolean

Default value: false

An optional value that defines whether the request body is sent in the request_body field of the JSON-encoded request. If the body arguments can be parsed, they are sent in the separate request_body_args field of the request. The body arguments can be parsed for application/json, application/x-www-form-urlencoded, and multipart/form-data content types.

config.forward_request_headers

optional

Type: boolean

Default value: false

An optional value that defines whether the original HTTP request headers are sent as a map in the request_headers field of the JSON-encoded request.

config.forward_request_method

optional

Type: boolean

Default value: false

An optional value that defines whether the original HTTP request method verb is sent in the request_method field of the JSON-encoded request.

config.forward_request_uri

optional

Type: boolean

Default value: false

An optional value that defines whether the original HTTP request URI is sent in the request_uri field of the JSON-encoded request. Request URI arguments (if any) are sent in the separate request_uri_args field of the JSON body.

config.is_proxy_integration

optional

Type: boolean

Default value: false

An optional value that defines whether the response format to receive from the Lambda to this format.

config.awsgateway_compatible

optional

Type: boolean

Default value: false

An optional value that defines whether the plugin should wrap requests into the Amazon API gateway.

config.proxy_url

semi-optional

Type: string

An optional value that defines whether the plugin should connect through the given proxy server URL. Include the request scheme in the URL, which must be http. For example: http://my-proxy-server:3128.

Kong Gateway uses HTTP tunneling via the CONNECT HTTP method so that no details of the AWS Lambda request are leaked to the proxy server.

config.skip_large_bodies

optional

Type: boolean

Default value: true

An optional value that defines whether Kong should send large bodies that are buffered to disk. Note that enabling this option will have an impact on system memory depending on the number of requests simultaneously in flight at any given point in time and on the maximum size of each request. Also this option blocks all requests being handled by the nginx workers. That could be tens of thousands of other transactions that are not being processed. For small I/O operations, such a delay would generally not be problematic. In cases where the body size is in the order of MB, such a delay would cause notable interruptions in request processing. Given all of the potential downsides resulting from enabling this option, consider increasing the client_body_buffer_size value instead.

config.base64_encode_body

optional

Type: boolean

Default value: true

An optional value that Base64-encodes the request body.

config.aws_imds_protocol_version

required

Type: string

Default value: v1

Identifier to select the IMDS protocol version to use, either v1 or v2. If v2 is selected, an additional session token is requested from the EC2 metadata service by the plugin to secure the retrieval of the EC2 instance role. Note that if {{site.base_gateway}} is running inside a container on an EC2 instance, the EC2 instance metadata must be configured accordingly. Please refer to “Considerations” section in the “Retrieve instance metadata” section of the EC2 manual for details.

Reminder: By default, cURL sends payloads with an application/x-www-form-urlencoded MIME type, which will naturally be URL- decoded by Kong. To ensure special characters that are likely to appear in your AWS key or secret (like +) are correctly decoded, you must URL-encode them with --data-urlencode. Alternatives to this approach would be to send your payload with a different MIME type (like application/json), or to use a different HTTP client.

Sending parameters

Any form parameter sent along with the request is also sent as an argument to the AWS Lambda function.

Notes

If you provide aws_key and aws_secret, they will be used in the highest priority to invoke the Lambda function.

If you do not provide an aws_key and aws_secret, the plugin uses an IAM role inherited from the instance running Kong.

For example, if you’re running Kong on an EC2 instance, the IAM role that attached to the EC2 will be used, and Kong will fetch the credential from the EC2 Instance Metadata service(IMDSv1). If you’re running Kong in an ECS container, the task IAM role will be used, and Kong will fetch the credentials from the container credential provider. Note that the plugin will first try to fetch from ECS metadata to get the role, and if no ECS metadata related environment variables are available, the plugin falls back on EC2 metadata.

If you also provide the aws_assume_role_arn option, the plugin will try to perform an additional AssumeRole action, which requires the Kong process to make HTTPS request to AWS STS service API, after configuring AWS access key/secret or fetching credentials automatically from EC2/ECS IAM roles. If it succeeds, the plugin will fetch a temporary security credentials that represents that the plugin now has the access permission configured in the target assumed role.

AWS region as environment variable

If the plugin configuration aws_region is unset, the plugin attempts to obtain the AWS region through environment variables AWS_REGION and AWS_DEFAULT_REGION, with the former taking higher precedence. For example, if both AWS_REGION and AWS_DEFAULT_REGION are set, the AWS_REGION value is used; otherwise, if only AWS_DEFAULT_REGION is set, its value is used. If neither configuration aws_region nor environment variables are set, a run-time error “no region or host specified” will be thrown.

Usage

Prerequisite: You must have access to the AWS Console as a user who is allowed to operate with lambda functions, and create users and roles.

First, create an execution role called LambdaExecutor for your lambda function.

In the IAM Console, create a new Role choosing the AWS Lambda service. There will be no policies because the function in this example will simply execute itself, returning a hardcoded JSON response without accessing other AWS resources.
Create a user named KongInvoker, used by the Kong API gateway to invoke the function.

In the IAM Console, create a new user. Programmatic access must be provided to the user via Access and Secret keys. Then, attach existing policies directly, particularly the predefined AWSLambdaRole. After the user creation is confirmed, store the Access Key and Secret Key in a safe place.
Next, create the lambda function itself in the N. Virginia Region (code us-east-1).

In Lambda Management, create a new function MyLambda. There will be no blueprint because you are going to paste the code below (which is an example code snippet). For the execution role, choose the LambdaExecutor created previously.

Note: The following code snippet is only an example. The Kong AWS Lambda plugin supports all runtimes provided by AWS. See the list of runtimes in the AWS Lambda > Functions > Create function dialog.
```
 import json
 def lambda_handler(event, context):
     """
       If is_proxy_integration is set to true :
       jsonbody='''{"statusCode": 200, "body": {"response": "yes"}}'''
     """
     jsonbody='''{"response": "yes"}'''
     return json.loads(jsonbody)
```
Test the lambda function from the AWS console and make sure the execution succeeds.
Set up a route in Kong and link it to the MyLambda function you just created.

With a database

Without a database

Create the route:

curl -i -X POST http://<kong_hostname>:8001/routes \
--data 'name=lambda1' \
--data 'paths[1]=/lambda1'

Add the plugin:

curl -i -X POST http://<kong_hostname>:8001/routes/lambda1/plugins \
--data 'name=aws-lambda' \
--data-urlencode 'config.aws_key={KongInvoker user key}' \
--data-urlencode 'config.aws_secret={KongInvoker user secret}' \
--data 'config.aws_region=us-east-1' \
--data 'config.function_name=MyLambda'

Add a route and plugin to the declarative config file:

routes:
- name: lambda1
  paths: [ "/lambda1" ]

plugins:
- route: lambda1
  name: aws-lambda
  config:
    aws_key: {KongInvoker user key}
    aws_secret: {KongInvoker user secret}
    aws_region: us-east-1
    function_name: MyLambda

Test your Lambda with Kong

After everything is created, make the http request and verify the correct invocation, execution, and response:

curl http://<kong_hostname>:8000/lambda1

Additional headers:

x-amzn-Remapped-Content-Length, X-Amzn-Trace-Id, x-amzn-RequestId

JSON response:

{"response": "yes"}

Have fun leveraging the power of AWS Lambda in Kong!

Changelog

Kong Gateway 3.1.x

Added a requestContext field into awsgateway_compatible input data. #9380

Kong Gateway 3.0.x

The proxy_scheme configuration parameter has been removed from the plugin.
The plugin now allows both aws_region and host to be set at the same time.

Kong Gateway 2.8.x

The proxy_scheme configuration parameter is deprecated and planned to be removed in 3.x.x.
Kong Gateway 2.8.1.3: Added support for cross account invocation through configuration properties aws_assume_role_arn and aws_role_session_name.

Kong Gateway 2.7.x

Starting with Kong Gateway 2.7.0.0, if keyring encryption is enabled, the config.aws_key and config.aws_secret parameter values will be encrypted.

Kong Gateway 2.6.x

The AWS region can now be set with the environment variables: AWS_REGION or AWS_DEFAULT_REGION.

Kong Gateway 2.2.x

Added support for isBase64Encoded flag in Lambda function responses.

Kong Gateway 2.1.x

Added host configuration to allow for custom Lambda endpoints.

About this Plugin
Plugin Version	3.2.x
Made by	Kong Inc.
Categories	Serverless
DB-less compatible?	Yes
Konnect Cloud compatible?	Yes
Compatible protocols	`http` `https` `grpc` `grpcs`