Package: envoy.config.filter.http.aws_lambda.v2


Source File:


AWS Lambda contains the configuration necessary to perform transform regular http calls to AWS Lambda invocations.

"name": string
"qualifier": string
"async": bool
"emptyBodyOverride": .google.protobuf.StringValue

Field Type Description
name string The name of the function.
qualifier string The qualifier of the function (defaults to $LATEST if not specified).
async bool Invocation type - async or regular.
emptyBodyOverride .google.protobuf.StringValue Optional default body if the body is empty. By default on default body is used if the body empty, and an empty body will be sent upstream.


"host": string
"region": string
"accessKey": string
"secretKey": string
"sessionToken": string
"roleArn": string

Field Type Description
host string The host header for AWS this cluster.
region string The region for this cluster.
accessKey string The access_key for AWS this cluster.
secretKey string The secret_key for AWS this cluster.
sessionToken string The session_token for AWS this cluster.
roleArn string The role_arn to use when generating credentials for the mounted projected SA token.


"useDefaultCredentials": .google.protobuf.BoolValue
"serviceAccountCredentials": .envoy.config.filter.http.aws_lambda.v2.AWSLambdaConfig.ServiceAccountCredentials

Field Type Description
useDefaultCredentials .google.protobuf.BoolValue Use AWS default credentials chain to get credentials. This will search environment variables, ECS metadata and instance metadata to get the credentials. credentials will be rotated automatically. If credentials are provided on the cluster (using the AWSLambdaProtocolExtension), it will override these credentials. This defaults to false, but may change in the future to true. Only one of useDefaultCredentials or serviceAccountCredentials can be set.
serviceAccountCredentials .envoy.config.filter.http.aws_lambda.v2.AWSLambdaConfig.ServiceAccountCredentials Use projected service account token, and role arn to create temporary credentials with which to authenticate lambda requests. This functionality is meant to work along side EKS service account to IAM binding functionality as outlined here: If the following environment values are not present, this option cannot be used. 1. AWS_WEB_IDENTITY_TOKEN_FILE 2. AWS_ROLE_ARN If they are not specified envoy will NACK the config update, which will show up in the logs when running OS Gloo. When running Gloo enterprise it will be reflected in the prometheus stat: “” The role arn may also be specified in the AWSLambdaProtocolExtension on the cluster level, to override the environment variable. Only one of serviceAccountCredentials or useDefaultCredentials can be set.


In order to specify the aws sts endpoint, both the cluster and uri must be set. This is due to an envoy limitation which cannot infer the host or path from the cluster, and therefore must be explicitly specified via the uri

"cluster": string
"uri": string
"timeout": .google.protobuf.Duration

Field Type Description
cluster string The name of the envoy cluster which represents the desired aws sts endpoint.
uri string The full uri of the aws sts endpoint.
timeout .google.protobuf.Duration timeout for the request.