Access AWS Lambda with a credentials secret
Use Gloo Gateway to route traffic requests directly to an Amazon Web Services (AWS) Lambda function.
Note that this guide uses a Kubernetes secret that contains long-lived IAM user access keys (prefixed AKIA), not temporary STS/SSO credentials. Temporary credentials can cause requests to fail with signature errors. To use AWS IAM roles to control access instead, see Access AWS Lambda with a service account.
Before you begin
Follow the Get started guide to install Gloo Gateway.
Follow the Sample app guide to create a gateway proxy with an HTTP listener and deploy the httpbin sample app.
Get the external address of the gateway and save it in an environment variable.
Create an AWS credentials secret
Create a Kubernetes secret that contains your AWS access key and secret key. You must use long-lived IAM user access keys (prefixed AKIA), not temporary STS/SSO credentials. Gloo Gateway uses this secret to connect to AWS Lambda for authentication and function invocation.
Save the AWS account and region that your Lambda instance exists in as environment variables.
```sh
export REGION=<us-east-1>
export ACCOUNT_ID=<account_id>
```
Save your IAM user access key (prefixed AKIA...) and secret key as environment variables. Make sure that the AWS_SESSION_TOKEN is not set.
```sh
export AWS_ACCESS_KEY_ID="<AKIA-access-key>"
export AWS_SECRET_ACCESS_KEY="<secret-key>"
```
If you do not have a long-lived IAM user access key pair, you can create one for your IAM user.
- AWS console:
  - Navigate to IAM → Users → (your user).
  - In the Security credentials tab, scroll to the Access keys panel, and click Create access key.
  - Select the CLI option, and create the access key.
  - Copy the output access key ID (prefixed AKIA...) and secret access key.
- aws CLI:
```sh
aws iam create-access-key --user-name <iam-user-name>
```
Verify that these credentials have the appropriate permissions to interact with AWS Lambda.
```sh
aws sts get-caller-identity --region ${REGION}
aws lambda invoke --function-name echo2 --region ${REGION} /tmp/out.json
```
If either command fails, grant the IAM user Lambda invocation permissions in one of the following ways, and re-run the test commands.
- AWS console:
  - Navigate to IAM → Users → (your user).
  - In the Permissions tab, click Add permissions → Create inline policy.
  - Toggle to the JSON editor.
  - Paste the following policy to allow Lambda function invocation.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:802411188784:function:echo2"
    }
  ]
}
```
- aws CLI:
```sh
aws iam put-user-policy \
  --user-name <iam-user-name> \
  --policy-name AllowInvokeEcho2 \
  --policy-document "{
    \"Version\": \"2012-10-17\",
    \"Statement\": [
      {\"Effect\": \"Allow\", \"Action\": \"lambda:InvokeFunction\", \"Resource\": \"arn:aws:lambda:${REGION}:${ACCOUNT_ID}:function:echo2\"}
    ]
  }"
```
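The following check is an added example, not part of the original guide or of Gloo Gateway. It audits an inline policy document so that the IAM user whose keys end up in the cluster can invoke only the intended function; pass the function name that the Backend's `functionName` references. The account ID `111122223333` and the helper names are assumptions made for illustration.

```python
import json
from fnmatch import fnmatchcase

# Constructed samples: the guide's inline policy with a placeholder account ID,
# and an over-broad variant for comparison.
SCOPED = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Action": "lambda:InvokeFunction",
  "Resource": "arn:aws:lambda:us-east-1:111122223333:function:echo2"}]}""")
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"}]}


def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def audit_invoke_policy(policy, region, account_id, function_name):
    """Return findings; an empty list means the policy allows invoking
    exactly this function and grants nothing else."""
    expected = f"arn:aws:lambda:{region}:{account_id}:function:{function_name}"
    findings, covered = [], False
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource grants by exclusion")
            continue
        # IAM action names are case-insensitive, so compare in lower case.
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action != "lambda:invokefunction":
                findings.append(f"statement {i}: extra or wildcard action {action!r}")
        for res in resources:
            if "*" in res or "?" in res:
                findings.append(f"statement {i}: wildcard resource {res!r}")
            elif res != expected:
                findings.append(f"statement {i}: resource {res!r} is not {expected}")
        # Wildcards still grant access, so match them when deciding coverage.
        if (any(fnmatchcase("lambda:invokefunction", a) for a in actions)
                and any(fnmatchcase(expected, r) for r in resources)):
            covered = True
    if not covered:
        findings.append(f"no statement allows lambda:InvokeFunction on {expected}")
    return findings


if __name__ == "__main__":
    print(audit_invoke_policy(SCOPED, "us-east-1", "111122223333", "echo2"))
    print(audit_invoke_policy(BROAD, "us-east-1", "111122223333", "echo2"))
```
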
Create a Kubernetes secret that contains the AWS access key and secret key. Leave sessionToken empty for long-lived keys.
```sh
kubectl apply -n gloo-system -f - << EOF
apiVersion: v1
kind: Secret
metadata:
  name: aws-creds
stringData:
  accessKey: ${AWS_ACCESS_KEY_ID}
  secretKey: ${AWS_SECRET_ACCESS_KEY}
  sessionToken: ""
type: Opaque
EOF
```
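As an added example (not from the original guide), the check below validates the stored secret against the requirements stated above: an `AKIA`-prefixed access key, a non-empty secret key, and an empty `sessionToken`. The input is shaped like the output of `kubectl get secret aws-creds -n gloo-system -o json`; the sample values and function names are constructed for illustration.

```python
import base64


def make_secret(access_key, secret_key, session_token=""):
    """Build a constructed Secret object shaped like `kubectl get secret -o json`."""
    enc = lambda s: base64.b64encode(s.encode()).decode()
    return {"kind": "Secret", "type": "Opaque", "data": {
        "accessKey": enc(access_key),
        "secretKey": enc(secret_key),
        "sessionToken": enc(session_token)}}


# Constructed sample values, not real credentials.
SAMPLE = make_secret("AKIAXXXXXXXXXXXXXXXX", "constructed-secret-key-not-real")


def check_lambda_secret(secret):
    """Return a list of problems. Only field names are reported, never values."""
    data = {k: base64.b64decode(v).decode()
            for k, v in secret.get("data", {}).items()}
    problems = []
    access = data.get("accessKey", "")
    if not access:
        # An unset variable expands to an empty string inside the heredoc.
        problems.append("accessKey is empty; was AWS_ACCESS_KEY_ID exported?")
    elif access.startswith("ASIA"):
        problems.append("accessKey is a temporary STS key (ASIA prefix)")
    elif not access.startswith("AKIA"):
        problems.append("accessKey does not have the AKIA prefix")
    if not data.get("secretKey"):
        problems.append("secretKey is empty; was AWS_SECRET_ACCESS_KEY exported?")
    if data.get("sessionToken"):
        problems.append("sessionToken is set; leave it empty for long-lived keys")
    for name, value in data.items():
        if value != value.strip():
            problems.append(f"{name} has leading or trailing whitespace")
    return problems


if __name__ == "__main__":
    print(check_lambda_secret(SAMPLE) or "secret looks consistent")
```
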
Create a Lambda function
Create an AWS Lambda function to test Gloo Gateway routing.
Log in to the AWS console and navigate to the Lambda page.
Click the Create Function button.
Name the function echo and click Create function.
Replace the default contents of index.mjs with the following Node.js function, which returns a response body that contains exactly what was sent to the function in the request body.
```js
export const handler = async(event) => {
  const response = {
    statusCode: 200,
    body: `Response from AWS Lambda. Here's the request you just sent me: ${JSON.stringify(event)}`
  };
  return response;
};
```
Click Deploy.
Create a Backend and HTTPRoute
Create Backend and HTTPRoute resources to route requests to the Lambda function.
In your terminal, create a Backend resource that references the Lambda secret. Update the region with your AWS account region, such as us-east-1, and update the accountId.
```sh
kubectl apply -f - <<EOF
apiVersion: gateway.kgateway.dev/v1alpha1
kind: Backend
metadata:
  name: lambda
  namespace: gloo-system
spec:
  type: AWS
  aws:
    region: ${REGION}
    accountId: "${ACCOUNT_ID}"
    auth:
      type: Secret
      secretRef:
        name: aws-creds
    lambda:
      functionName: echo
EOF
```
Create an HTTPRoute resource that references the lambda Backend.
```sh
kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: lambda
  namespace: gloo-system
spec:
  parentRefs:
    - name: http
      namespace: gloo-system
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /echo
      backendRefs:
        - name: lambda
          namespace: gloo-system
          group: gateway.kgateway.dev
          kind: Backend
EOF
```
Confirm that Gloo Gateway correctly routes requests to Lambda by sending a curl request to the echo function.
Example response:
{"statusCode":200,"body":"Response from AWS Lambda. Here's the request you just sent me: {\"key1\":\"value1\",\"key2\":\"value2\"}"}%
At this point, Gloo Gateway is routing directly to the echo Lambda function!
Cleanup
You can remove the resources that you created in this guide.
Delete the lambda HTTPRoute and lambda Backend.
```sh
kubectl delete HTTPRoute lambda -n gloo-system
kubectl delete Backend lambda -n gloo-system
```
Delete the aws-creds secret.
```sh
kubectl delete secret aws-creds -n gloo-system
```
Use the AWS Lambda console to delete the echo test function.