You are browsing documentation for an outdated plugin version.
Configuration
This plugin is compatible with DB-less mode.
Compatible protocols
The AWS Lambda plugin is compatible with the following protocols:
grpc
, grpcs
, http
, https
Parameters
Here's a list of all the parameters which can be used in this plugin's configuration:
-
name or plugin
string requiredThe name of the plugin, in this case
aws-lambda
.- If using the Kong Admin API, Konnect API, declarative configuration, or decK files, the field is
name
. - If using the KongPlugin object in Kubernetes, the field is
plugin
.
- If using the Kong Admin API, Konnect API, declarative configuration, or decK files, the field is
-
instance_name
stringAn optional custom name to identify an instance of the plugin, for example
aws-lambda_my-service
.The instance name shows up in Kong Manager and in Konnect, so it's useful when running the same plugin in multiple contexts, for example, on multiple services. You can also use it to access a specific plugin instance via the Kong Admin API.
An instance name must be unique within the following context:
- Within a workspace for Kong Gateway Enterprise
- Within a control plane or control plane group for Konnect
- Globally for Kong Gateway (OSS)
-
service.name or service.id
stringThe name or ID of the service the plugin targets. Set one of these parameters if adding the plugin to a service through the top-level
/plugins
endpoint. Not required if using/services/{serviceName|Id}/plugins
. -
route.name or route.id
stringThe name or ID of the route the plugin targets. Set one of these parameters if adding the plugin to a route through the top-level
/plugins
endpoint. Not required if using/routes/{routeName|Id}/plugins
. -
consumer.name or consumer.id
stringThe name or ID of the consumer the plugin targets. Set one of these parameters if adding the plugin to a consumer through the top-level
/plugins
endpoint. Not required if using/consumers/{consumerName|Id}/plugins
. -
enabled
boolean default:true
Whether this plugin will be applied.
-
config
record required-
timeout
number required default:60000
An optional timeout in milliseconds when invoking the function.
-
keepalive
number required default:60000
An optional value in milliseconds that defines how long an idle connection lives before being closed.
-
aws_key
string referenceable encryptedThe AWS key credential to be used when invoking the function. The
aws_key
value is required ifaws_secret
is defined. Ifaws_key
andaws_secret
are not set, the plugin uses an IAM role inherited from the instance running Kong to authenticate. Can be symmetrically encrypted if using Kong Gateway and data encryption is configured.
-
aws_secret
string referenceable encryptedThe AWS secret credential to be used when invoking the function. The
aws_secret
value is required ifaws_key
is defined. Ifaws_key
andaws_secret
are not set, the plugin uses an IAM role inherited from the instance running Kong to authenticate. Can be symmetrically encrypted if using Kong Gateway and data encryption is configured.
-
aws_assume_role_arn
string referenceable encryptedThe target AWS IAM role ARN used to invoke the Lambda function. Typically this is used for a cross-account Lambda function invocation.
-
aws_role_session_name
string default:kong
The identifier of the assumed role session. It is used for uniquely identifying a session when the same target role is assumed by different principals or for different reasons. The role session name is also used in the ARN of the assumed role principle.
-
aws_region
stringThe AWS region where the Lambda function is located. The plugin does not attempt to validate the supplied region name.
The plugin has two methods of detecting the AWS region: the
aws_region
parameter, or one of theAWS_REGION
orAWS_DEFAULT_REGION
environment variables. One of these must be set.If
region
is not specified in plugin configuration, the plugin automatically detects the AWS region on runtime via one of the environment variables. Using environment variables enables regionally distributed Kong cluster nodes to connect to the closest AWS region.The AWS region is required for AWS SigV4. If
aws_region
or theAWS_REGION
orAWS_DEFAULT_REGION
environment variables have not been specified, or an invalid region name has been provided, the plugin responds with an HTTP500 Internal Server Error
at runtime.
-
function_name
stringThe AWS Lambda function name to invoke. This may contain the function name only (
my-function
), the full ARN (arn:aws:lambda:us-west-2:123456789012:function:my-function) or a partial ARN (123456789012:function:my-function). You can also append a version number or alias to any of the formats.
-
qualifier
stringThe
Qualifier
to use when invoking the function.
-
invocation_type
string required default:RequestResponse
Must be one of:RequestResponse
,Event
,DryRun
The
InvocationType
to use when invoking the function. Available types areRequestResponse
,Event
,DryRun
.
-
log_type
string required default:Tail
Must be one of:Tail
,None
-
host
stringThe host where the Lambda function is located. This value can point to a local Lambda server, allowing for easier debugging.
To set a region, use the
aws_region
parameter.
-
port
integer default:443
between:0
65535
The TCP port that the plugin uses to connect to the server.
-
unhandled_status
integer between:100
999
The response status code to use (instead of the default
200
,202
, or204
) in the case of anUnhandled
Function Error.
-
forward_request_method
boolean default:false
An optional value that defines whether the original HTTP request method verb is sent in the
request_method
field of the JSON-encoded request.
-
forward_request_uri
boolean default:false
An optional value that defines whether the original HTTP request URI is sent in the
request_uri
field of the JSON-encoded request. Request URI arguments (if any) are sent in the separaterequest_uri_args
field of the JSON body.
-
forward_request_headers
boolean default:false
An optional value that defines whether the original HTTP request headers are sent as a map in the
request_headers
field of the JSON-encoded request.
-
forward_request_body
boolean default:false
An optional value that defines whether the request body is sent in the
request_body
field of the JSON-encoded request. If the body arguments can be parsed, they are sent in the separaterequest_body_args
field of the request. The body arguments can be parsed forapplication/json
,application/x-www-form-urlencoded
, andmultipart/form-data
content types.
-
is_proxy_integration
boolean default:false
An optional value that defines whether the response format to receive from the Lambda to this format.
-
awsgateway_compatible
boolean default:false
An optional value that defines whether the plugin should wrap requests into the Amazon API gateway.
-
proxy_url
stringAn optional value that defines whether the plugin should connect through the given proxy server URL. Include the request scheme in the URL, which must be
http
. For example:http://my-proxy-server:3128
.Kong Gateway uses HTTP tunneling via the CONNECT HTTP method so that no details of the AWS Lambda request are leaked to the proxy server.
-
skip_large_bodies
boolean default:true
An optional value that defines whether Kong should send large bodies that are buffered to disk. Note that enabling this option will have an impact on system memory depending on the number of requests simultaneously in flight at any given point in time and on the maximum size of each request. Also this option blocks all requests being handled by the nginx workers. That could be tens of thousands of other transactions that are not being processed. For small I/O operations, such a delay would generally not be problematic. In cases where the body size is in the order of MB, such a delay would cause notable interruptions in request processing. Given all of the potential downsides resulting from enabling this option, consider increasing the client_body_buffer_size value instead.
-
base64_encode_body
boolean default:true
An optional value that Base64-encodes the request body.
-
aws_imds_protocol_version
string required default:v1
Must be one of:v1
,v2
Identifier to select the IMDS protocol version to use, either
v1
orv2
. Ifv2
is selected, an additional session token is requested from the EC2 metadata service by the plugin to secure the retrieval of the EC2 instance role. Note that if {{site.base_gateway}} is running inside a container on an EC2 instance, the EC2 instance metadata must be configured accordingly. Please refer to ‘Considerations’ section in the ‘Retrieve instance metadata’ section of the EC2 manual for details.
-