Before you begin: Follow the steps in Configure AWS IAM permissions to create IAM roles for Gloo Mesh Gateway service accounts to access, discover, and invoke Lambda functions.

Define AWS settings in CloudProvider

Define your AWS region, account, and IAM roles in a CloudProvider Gloo CR. The CloudProvider CR serves as a centralized location for configuration settings for each cloud provider and the resources you want to use, such as AWS and AWS Lambda functions.

apiVersion: infrastructure.gloo.solo.io/v2
kind: CloudProvider
metadata:
  name:
  # In multicluster setups, you must create the CloudProvider in the gloo-mesh namespace of the management cluster
  namespace:
spec:
  # AWS cloud provider settings
  aws:
    # ID of the AWS account that the functions are in
    accountId:
    # AWS region that the functions are in
    region:
    # AWS Security Token Service (AWS STS) endpoint from which to retrieve AWS credentials
    # For more info, see https://docs.aws.amazon.com/eks/latest/userguide/configure-sts-endpoint.html
    stsEndpoint:
    # Options for function invocation
    lambda:
      # Optional: Name of the IAM role that the Gateway assumes for invocation
      invokeRoleName:
      # Options for automatic function discovery
      discovery:
        # Automatically discover Lambda functions (true|false)
        enabled:
        # Optional: Name of the IAM role that the management server assumes for discovery.
        # If not specified, defaults to the IRSA specified on the management server deployment.
        roleName:
        # Optional: Filter the discovered functions
        filter:
          # Include only functions whose names match this regex filter
          name:
          # Discover only the latest version of each function (true|false)
          latestOnly:

Invocation (lambda.invokeRoleName)

Choose how workloads in the same workspace as the CloudProvider can invoke the Lambda functions in an AWS account. For more information about each of these options, see Decide how workloads can invoke functions.

  • To assume the same IRSA that the Gloo Mesh Gateway service account uses for invocation, specify that IRSA role name in the lambda.invokeRoleName field. For example, in the getting started guide, the IRSA is named gloo-lambda-gateway-invoke.
  • To assume a specific override IAM role that you created and that differs from the IRSA on the gateway deployment, specify that role name in the lambda.invokeRoleName field.
  • To direct workloads to use a resource-based invocation policy that you created for a Lambda function, do not specify the lambda.invokeRoleName field. Note that invoking functions by using a resource-based policy is supported only for ingress gateways that run a Solo distribution of Istio at version 1.17.3 and later.

Discovery (lambda.discovery)

You can either configure Gloo Mesh Gateway to automatically discover functions, or list the functions yourself in a separate CloudResources resource.

Automatic discovery:

  • enabled: Set to true to allow Gloo Mesh Gateway to automatically discover the Lambda functions in your AWS account and region. Gloo automatically generates a CloudResources configuration that contains entries for each function that it discovers.
  • roleName: If you prefer to use a different IAM role for discovery than the default IRSA on the management server service account, specify that role name. You might use a different IAM role for Lambda discovery when you have specific guidelines for automated access. For example, your organization might require you to use DevOps IAM policies and roles to automatically discover functions in an account.
  • filter: By default, all functions are accessed. You can optionally provide a filter to match against functions. For example, if you only want Gloo Mesh Gateway to access functions with names that begin with discovered, you can specify filter.name: discovered*.

Manual list: If you prefer to select only a few functions in your AWS account and region, set lambda.discovery.enabled to false, and specify the functions in a CloudResources CR.

Define Lambda functions in CloudResources

The CloudResources CR allows you to manually specify the functions that Gloo Mesh Gateway can access and their details. Each item in the lambda list contains the name of the function in AWS (lambdaFunctionName) and the version of the function to call (qualifier).

apiVersion: infrastructure.gloo.solo.io/v2
kind: CloudResources
metadata:
  name:
  # In multicluster setups, you must create CloudResources in the gloo-mesh namespace of the management cluster
  namespace:
spec:
  # Name of the CloudProvider resource
  provider:
  aws:
    # List of Lambda functions
    lambda:
      # Actual name of the function in AWS
      - lambdaFunctionName:
        # Version of the function to call. Defaults to $LATEST. For more info, see https://docs.aws.amazon.com/lambda/latest/dg/API_Invoke.html#API_Invoke_RequestSyntax
        qualifier:

Examples

Automatically discover functions

In this example:

  • The invoke-team-B IAM role is specified, which might provide different invocation permissions than the IRSA that you originally annotated the ingress gateway service account with.
  • Functions are automatically discovered.
    • The discovery-team-B IAM role is specified, which might provide different discovery permissions than the IRSA that you originally annotated the management server service account with.
    • The discovered functions are filtered so that only functions with names that start with team-B- are included.
    • No CloudResources file is configured. Instead, after this CloudProvider is applied, Gloo automatically creates a CloudResources configuration that contains entries for each function that it discovers.

apiVersion: infrastructure.gloo.solo.io/v2
kind: CloudProvider
metadata:
  name: aws-provider
  namespace: gloo-mesh
spec:
  aws:
    accountId: "111122223333"
    region: us-west-2
    stsEndpoint: sts.amazonaws.com
    lambda:
      invokeRoleName: invoke-team-B
      discovery:
        enabled: true
        roleName: discovery-team-B
        filter:
          name: team-B-*

Manually list functions

In this example:

  • The invoke-team-A IAM role is specified, which might provide different invocation permissions than the IRSA that you originally annotated the ingress gateway service account with.
  • Functions are manually specified by name in the CloudResources CR.

apiVersion: infrastructure.gloo.solo.io/v2
kind: CloudProvider
metadata:
  name: aws-provider
  namespace: gloo-mesh
spec:
  aws:
    accountId: "111122223333"
    region: us-west-2
    stsEndpoint: sts.amazonaws.com
    lambda:
      invokeRoleName: invoke-team-A
---
apiVersion: infrastructure.gloo.solo.io/v2
kind: CloudResources
metadata:
  name: aws-functions
  namespace: gloo-mesh
spec:
  provider: aws-provider
  aws:
    lambda:
      - lambdaFunctionName: backend-function
        qualifier: $LATEST
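To catch the configuration mistakes described on this page before the CRs are applied, here is an added lint script (example code, not from the Gloo docs or product) that checks a CloudProvider and its CloudResources once they are loaded into dicts: a quoted 12-digit accountId, an invokeRoleName (otherwise invocation depends on a resource-based policy), a filter.name that compiles as a regex, and that a provider with discovery disabled is referenced by some CloudResources. The SAMPLE manifest is constructed for the demonstration.

```python
# Added pre-apply lint for Gloo CloudProvider / CloudResources manifests; not part of
# the Gloo docs or product. Input: CRs already loaded into dicts, e.g. with PyYAML.
import re

ACCOUNT_ID = re.compile(r"^\d{12}$")  # AWS account IDs are 12 digits; quote them in YAML


def lint(manifests):
    """Return [(resource, message)] findings for CloudProvider/CloudResources dicts."""
    findings, providers, referenced = [], {}, set()
    for m in manifests:
        if m["kind"] == "CloudProvider":
            providers[(m["metadata"]["namespace"], m["metadata"]["name"])] = m
    for m in manifests:
        if m["kind"] == "CloudResources":
            ns, name = m["metadata"]["namespace"], m["metadata"]["name"]
            referenced.add((ns, m["spec"]["provider"]))
            if (ns, m["spec"]["provider"]) not in providers:
                findings.append((f"CloudResources/{name}", f"spec.provider names no CloudProvider in {ns}"))
    for (ns, name), p in providers.items():
        who, aws = f"CloudProvider/{name}", p["spec"]["aws"]
        if not (isinstance(aws.get("accountId"), str) and ACCOUNT_ID.match(aws["accountId"])):
            findings.append((who, "accountId must be a quoted 12-digit string"))
        lam = aws.get("lambda") or {}
        if not lam.get("invokeRoleName"):
            # Resource-based policy mode: only ingress gateways on Solo Istio 1.17.3+ support it
            findings.append((who, "no invokeRoleName: relies on a Lambda resource-based policy"))
        disc = lam.get("discovery") or {}
        if disc.get("enabled"):
            pattern = (disc.get("filter") or {}).get("name")
            if pattern:
                try:
                    re.compile(pattern)  # filter.name is a regex; catch typos before apply
                except re.error as err:
                    findings.append((who, f"filter.name is not a valid regex: {err}"))
        elif (ns, name) not in referenced:
            findings.append((who, "discovery disabled and no CloudResources references this provider"))
    return findings


# Constructed sample: one CloudProvider with three common mistakes and no CloudResources
SAMPLE = [{
    "kind": "CloudProvider", "metadata": {"name": "aws-provider", "namespace": "gloo-mesh"},
    "spec": {"aws": {"accountId": 111122223333, "region": "us-west-2",  # unquoted: YAML int
                     "lambda": {"discovery": {"enabled": False}}}},
}]

if __name__ == "__main__":
    for resource, message in lint(SAMPLE):
        print(f"{resource}: {message}")
```

Run it against the output of yaml.safe_load_all on your own manifests; an empty list means none of the page's rules is violated.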

Next steps