Access AWS Lambda with a credentials secret
Use Gloo Gateway to route traffic requests directly to an Amazon Web Services (AWS) Lambda function.
Note that this guide uses a Kubernetes secret that contains your AWS access key and secret key to invoke Lambda functions. To use AWS IAM roles to control access instead, see Access AWS Lambda with a service account.
Before you begin
Follow the Get started guide to install Gloo Gateway.
Follow the Sample app guide to create a gateway proxy with an HTTP listener and deploy the httpbin sample app.
Get the external address of the gateway and save it in an environment variable.
Create an AWS credentials secret
Create a Kubernetes secret that contains your AWS access key and secret key. Gloo Gateway uses this secret to connect to AWS Lambda for authentication and function invocation.
Get the access key and secret key for your AWS account. Note that your AWS credentials must have the appropriate permissions to interact with AWS Lambda.
Create a Kubernetes secret that contains the AWS access key and secret key.
kubectl apply -n gloo-system -f - << EOF apiVersion: v1 kind: Secret metadata: name: aws-creds stringData: accessKey: ${AWS_ACCESS_KEY_ID} secretKey: ${AWS_SECRET_ACCESS_KEY} sessionToken: "" type: Opaque EOF
Create a Lambda function
Create an AWS Lambda function to test Gloo Gateway routing.
Log in to the AWS console and navigate to the Lambda page.
Click the Create Function button.
Name the function
echoand click Create function.Replace the default contents of
index.mjswith the following Node.js function, which returns a response body that contains exactly what was sent to the function in the request body.export const handler = async(event) => { const response = { statusCode: 200, body: `Response from AWS Lambda. Here's the request you just sent me: ${JSON.stringify(event)}` }; return response; };Click Deploy.
Create a Backend and HTTPRoute
Create Backend and HTTPRoute resources to route requests to the Lambda function.
In your terminal, create a Backend resource that references the Lambda secret. Update the
regionwith your AWS account region, such asus-east-1, and update theaccountId.kubectl apply -f - <<EOF apiVersion: gateway.kgateway.dev/v1alpha1 kind: Backend metadata: name: lambda namespace: gloo-system spec: type: AWS aws: region: <region> accountId: "<account-id>" auth: type: Secret secretRef: name: aws-creds lambda: functionName: echo EOFCreate an HTTPRoute resource that references the
lambdaBackend.kubectl apply -f - <<EOF apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: name: lambda namespace: gloo-system spec: parentRefs: - name: http namespace: gloo-system rules: - matches: - path: type: PathPrefix value: /echo backendRefs: - name: lambda namespace: gloo-system group: gateway.kgateway.dev kind: Backend EOFConfirm that Gloo Gateway correctly routes requests to Lambda by sending a curl request to the
echofunction.Example response:
{"statusCode":200,"body":"Response from AWS Lambda. Here's the request you just sent me: {\"key1\":\"value1\",\"key2\":\"value2\"}"}%
At this point, Gloo Gateway is routing directly to the echo Lambda function!
Cleanup
You can remove the resources that you created in this guide.
Delete the
lambdaHTTPRoute andlambdaBackend.kubectl delete HTTPRoute lambda -n gloo-system kubectl delete Backend lambda -n gloo-systemDelete the
aws-credssecret.kubectl delete secret aws-creds -n gloo-systemUse the AWS Lambda console to delete the
echotest function.