Looking for the plugin's configuration parameters? You can find them in the AWS Lambda configuration reference doc.
This plugin lets you invoke an AWS Lambda function from Kong Gateway. The AWS Lambda plugin can be used in combination with other request plugins to secure, manage, or extend the function.
Any form parameter sent along with the request is also sent as an argument to the AWS Lambda function.
Notes
By default, cURL sends payloads with an application/x-www-form-urlencoded MIME type, which will naturally be URL-decoded by Kong. To ensure special characters that are likely to appear in your AWS key or secret (like +) are correctly decoded, you must URL-encode them with --data-urlencode. Alternatives to this approach would be to send your payload with a different MIME type (like application/json), or to use a different HTTP client.
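The decoding problem described in this note, shown as an added example that is not part of the original page or Kong's own code: it builds the same form body with and without URL-encoding, decodes it the way an application/x-www-form-urlencoded receiver does, and reports which fields arrive changed. The field names config.aws_key and config.aws_secret and the sample values are assumptions constructed for illustration.

```python
import json
from urllib.parse import parse_qsl, quote

# Constructed sample values, not real credentials. The field names are
# assumed for illustration; the page only names aws_key and aws_secret.
SAMPLE_FIELDS = {
    "config.aws_key": "EXAMPLEKEYID000000",
    "config.aws_secret": "abc+DEF/ghi+JKLmno",
}


def raw_body(fields):
    """Form body with values sent as-is (no URL-encoding by the client)."""
    return "&".join(f"{name}={value}" for name, value in fields.items())


def urlencoded_body(fields):
    """Form body with every value percent-encoded before sending."""
    return "&".join(f"{name}={quote(value, safe='')}"
                    for name, value in fields.items())


def form_decode(body):
    """Decode as an application/x-www-form-urlencoded receiver does:
    '+' becomes a space and %XX sequences become their bytes."""
    return dict(parse_qsl(body, keep_blank_values=True))


def corrupted_fields(fields, body):
    """Names of fields whose decoded value differs from the intended one."""
    decoded = form_decode(body)
    return sorted(n for n, v in fields.items() if decoded.get(n) != v)


def json_roundtrip(fields):
    """The application/json alternative: no URL-decoding step is involved."""
    return json.loads(json.dumps(fields))


if __name__ == "__main__":
    for label, body in (("unencoded", raw_body(SAMPLE_FIELDS)),
                        ("url-encoded", urlencoded_body(SAMPLE_FIELDS))):
        print(f"{label}: {body}")
        print("  secret after decoding:", form_decode(body)["config.aws_secret"])
        print("  corrupted fields:", corrupted_fields(SAMPLE_FIELDS, body))
    print("json round trip intact:", json_roundtrip(SAMPLE_FIELDS) == SAMPLE_FIELDS)
```

A secret that arrives with spaces in place of + is stored without any error at configuration time, so the failure only shows up later as a rejected signature when the function is invoked.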
If you provide aws_key and aws_secret, they take the highest priority when invoking the Lambda function.
If you do not provide an aws_key and aws_secret, the plugin uses an IAM role inherited from the instance running Kong.
For example, if you're running Kong on an EC2 instance, the IAM role attached to the EC2 instance will be used, and Kong will fetch the credentials from the EC2 Instance Metadata Service (IMDSv1). If you're running Kong in an ECS container, the task IAM role will be used, and Kong will fetch the credentials from the container credential provider. Note that the plugin will first try to fetch from ECS metadata to get the role, and if no ECS metadata-related environment variables are available, the plugin falls back on EC2 metadata.
If you also provide the aws_assume_role_arn option, the plugin will try to perform an additional AssumeRole action after configuring the AWS access key/secret or fetching credentials automatically from EC2/ECS IAM roles. This requires the Kong process to make an HTTPS request to the AWS STS service API. If it succeeds, the plugin fetches temporary security credentials that carry the access permissions configured in the target assumed role.
AWS region as environment variable
If the plugin configuration aws_region is unset, the plugin attempts to obtain the AWS region through environment variables AWS_REGION and AWS_DEFAULT_REGION, with the former taking higher precedence. For example, if both AWS_REGION and AWS_DEFAULT_REGION are set, the AWS_REGION value is used; otherwise, if only AWS_DEFAULT_REGION is set, its value is used. If neither configuration aws_region nor environment variables are set, a run-time error "no region or host specified" will be thrown.
Usage
Prerequisite: You must have access to the AWS Console as a user who is allowed to operate with lambda functions, and create users and roles.
- First, create an execution role called LambdaExecutor for your Lambda function. In the IAM Console, create a new Role choosing the AWS Lambda service. There will be no policies because the function in this example will simply execute itself, returning a hardcoded JSON response without accessing other AWS resources.
- Create a user named KongInvoker, used by the Kong API gateway to invoke the function. In the IAM Console, create a new user. Programmatic access must be provided to the user via Access and Secret keys. Then, attach existing policies directly, particularly the predefined AWSLambdaRole. After the user creation is confirmed, store the Access Key and Secret Key in a safe place.
- Next, create the Lambda function itself in the N. Virginia Region (code us-east-1). In Lambda Management, create a new function MyLambda. There will be no blueprint because you are going to paste the code below (which is an example code snippet). For the execution role, choose the LambdaExecutor created previously.
  Note: The following code snippet is only an example. The Kong AWS Lambda plugin supports all runtimes provided by AWS. See the list of runtimes in the AWS Lambda > Functions > Create function dialog.
    import json

    def lambda_handler(event, context):
        """
        If is_proxy_integration is set to true:
        jsonbody='''{"statusCode": 200, "body": {"response": "yes"}}'''
        """
        # Hardcoded JSON response; the function touches no other AWS resources.
        jsonbody = '''{"response": "yes"}'''
        return json.loads(jsonbody)
  Test the Lambda function from the AWS console and make sure the execution succeeds.
- Set up a route in Kong and link it to the MyLambda function you just created.
Test your Lambda with Kong
After everything is created, make the HTTP request and verify the correct invocation, execution, and response:
curl http://<kong_hostname>:8000/lambda1
Additional headers:
x-amzn-Remapped-Content-Length, X-Amzn-Trace-Id, x-amzn-RequestId
JSON response:
{"response": "yes"}
Have fun leveraging the power of AWS Lambda in Kong!