Provide AWS account and Lambda details
Provide the details of your AWS account, the Lambda functions to access, and IAM roles to Gloo Mesh Gateway for function invocation and discovery.
Before you begin: Follow the steps in Configure AWS IAM permissions to create IAM roles for Gloo Mesh Gateway service accounts to access, discover, and invoke Lambda functions.
Define AWS settings in CloudProvider
Define your AWS region, account, and IAM roles in a CloudProvider Gloo CR. The CloudProvider CR serves as a centralized location for configuration settings for each cloud provider and the resources you want to use, such as AWS and AWS Lambda functions.
In multicluster setups, you must create CloudProvider resources in the gloo-mesh namespace of the management cluster.
apiVersion: infrastructure.gloo.solo.io/v2
kind: CloudProvider
metadata:
  name:
  # In multicluster setups, you must create the CloudProvider in the gloo-mesh namespace of the management cluster
  namespace:
spec:
  # AWS cloud provider settings
  aws:
    # ID for AWS account that functions are in
    accountId:
    # AWS region that functions are in
    region:
    # AWS Security Token Service (AWS STS) endpoint from which to retrieve AWS credentials
    # For more info, see https://docs.aws.amazon.com/eks/latest/userguide/configure-sts-endpoint.html
    stsEndpoint:
    # Options for function invocation
    lambda:
      # Optional: Name of the IAM role that the Gateway assumes for invocation
      invokeRoleName:
      # Options for automatic function discovery
      discovery:
        # Automatically discover Lambda functions (true|false)
        enabled:
        # Optional: Name of the IAM role that the management server assumes for discovery.
        # If not specified, defaults to the IRSA specified on the management server deployment.
        roleName:
        # Optional: Filter the discovered functions
        filter:
          # Include only functions that match this regex name filter
          name:
          # Discover only the latest version of each function (true|false)
          latestOnly:
Invocation (lambda.invokeRoleName)
Choose how workloads in the same workspace as the CloudProvider can invoke the Lambda functions in an AWS account. For more information about each of these options, see Decide how workloads can invoke functions.
- To assume the same IRSA that the Gloo Mesh Gateway service account uses for invocation, specify that IRSA role name in the lambda.invokeRoleName field. For example, in the getting started guide, the IRSA is named gloo-lambda-gateway-invoke.
- To assume a specific, override IAM role that you created and that is different from the IRSA on the gateway deployment, specify that role name in the lambda.invokeRoleName field.
- To direct workloads to use a resource-based invocation policy that you created for a Lambda function, do not specify the lambda.invokeRoleName field. Note that invoking functions by using a resource-based policy is supported only for ingress gateways that run a Solo distribution of Istio at version 1.17.3 and later.
If functions in the same account and region must use different invocation roles, you can create one CloudProvider for each role.
Discovery (lambda.discovery)
You can either configure Gloo Mesh Gateway to automatically discover functions, or list the functions yourself in a separate CloudResources resource.
Automatic discovery:
- enabled: Set to true to allow Gloo Mesh Gateway to automatically discover the Lambda functions in your AWS account and region. Gloo automatically generates a CloudResources configuration that contains entries for each function that it discovers.
- roleName: If you prefer to use a different IAM role for discovery than the default IRSA on the management server service account, specify that role name. You might use a different IAM role for Lambda discovery when you have specific guidelines for automated access. For example, your organization might require you to use DevOps IAM policies and roles to automatically discover functions in an account.
- filter: By default, all functions are accessed. You can optionally provide a filter to match against functions. For example, if you only want Gloo Mesh Gateway to access functions with names that begin with discovered, you can specify filter.name: discovered*.
Manual list: If you prefer to select only a few functions in your AWS account and region, set lambda.discovery.enabled to false, and specify the functions in a CloudResources CR.
Define Lambda functions in CloudResources
The CloudResources CR allows you to manually specify the functions that Gloo Mesh Gateway can access and their details. Each item in the lambda list contains the name of the function in AWS (lambdaFunctionName) and the version of the function to call (qualifier).
In multicluster setups, you must create CloudResources resources in the gloo-mesh namespace of the management cluster.
apiVersion: infrastructure.gloo.solo.io/v2
kind: CloudResources
metadata:
  name:
  # In multicluster setups, you must create CloudResources in the gloo-mesh namespace of the management cluster
  namespace:
spec:
  # Name of the CloudProvider resource
  provider:
  aws:
    # List of Lambda functions
    lambda:
      # Actual name of the function in AWS
      - lambdaFunctionName:
        # Version of the function to call. Defaults to $LATEST. For more info, see https://docs.aws.amazon.com/lambda/latest/dg/API_Invoke.html#API_Invoke_RequestSyntax
        qualifier:
When discovery is enabled, Gloo automatically creates a CloudResources resource that contains entries to represent each function that it discovers. If you want to make changes to the way a particular Lambda function is represented in Gloo, do not edit the auto-generated CloudResources configuration that the function is represented in, because your changes are overwritten by Gloo. Instead, you can define function details by manually creating a new CloudResources configuration, which overrides the auto-generated configuration.
Examples
Automatically discover functions
In this example:
- The invoke-team-B IAM role is specified, which might provide different invocation permissions than the IRSA that you originally annotated the ingress gateway service account with.
- Functions are automatically discovered.
- The discovery-team-B IAM role is specified, which might provide different discovery permissions than the IRSA that you originally annotated the management server service account with.
- The discovered functions are filtered so that only functions with names that start with team-B- are included.
- No CloudResources file is configured. Instead, after this CloudProvider is applied, Gloo automatically creates a CloudResources configuration that contains entries for each function that it discovers.
apiVersion: infrastructure.gloo.solo.io/v2
kind: CloudProvider
metadata:
  name: aws-provider
  namespace: gloo-mesh
spec:
  aws:
    accountId: "111122223333"
    region: us-west-2
    stsEndpoint: sts.amazonaws.com
    lambda:
      invokeRoleName: invoke-team-B
      discovery:
        enabled: true
        roleName: discovery-team-B
        filter:
          name: team-B-*
Manually list functions
In this example:
- The invoke-team-A IAM role is specified, which might provide different invocation permissions than the IRSA that you originally annotated the ingress gateway service account with.
- Functions are manually specified by name in the CloudResources CR.
apiVersion: infrastructure.gloo.solo.io/v2
kind: CloudProvider
metadata:
  name: aws-provider
  namespace: gloo-mesh
spec:
  aws:
    accountId: "111122223333"
    region: us-west-2
    stsEndpoint: sts.amazonaws.com
    lambda:
      invokeRoleName: invoke-team-A
---
apiVersion: infrastructure.gloo.solo.io/v2
kind: CloudResources
metadata:
  name: aws-functions
  namespace: gloo-mesh
spec:
  provider: aws-provider
  aws:
    lambda:
      - lambdaFunctionName: backend-function
        qualifier: $LATEST
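Before applying CloudProvider and CloudResources manifests like the ones above, a pre-apply check catches the mistakes this page warns about: a wrong namespace in multicluster setups, an accountId that YAML parsed as a number, an unparsable filter.name regex, and a CloudResources that names a CloudProvider that does not exist. The following Python linter is an added example, not Gloo's own tooling; it assumes the manifests have already been loaded into dicts by a YAML loader such as PyYAML, and it assumes the referenced CloudProvider must live in the same namespace as the CloudResources.

```python
import re

MGMT_NAMESPACE = "gloo-mesh"  # required namespace in multicluster setups

# Constructed sample: the page's "manually list functions" manifests, plus a
# deliberately broken CloudProvider (unquoted accountId, wrong namespace, bad regex).
SAMPLE_DOCS = [
    {"kind": "CloudProvider", "metadata": {"name": "aws-provider", "namespace": "gloo-mesh"},
     "spec": {"aws": {"accountId": "111122223333", "region": "us-west-2",
                      "lambda": {"invokeRoleName": "invoke-team-A"}}}},
    {"kind": "CloudResources", "metadata": {"name": "aws-functions", "namespace": "gloo-mesh"},
     "spec": {"provider": "aws-provider", "aws": {"lambda": [
         {"lambdaFunctionName": "backend-function", "qualifier": "$LATEST"}]}}},
    {"kind": "CloudProvider", "metadata": {"name": "bad-provider", "namespace": "default"},
     "spec": {"aws": {"accountId": 111122223333, "region": "us-west-2",
                      "lambda": {"discovery": {"enabled": True, "filter": {"name": "team-B-("}}}}}},
]


def lint(docs, multicluster=True):
    """Return a list of findings (empty when the manifests pass every check)."""
    findings = []
    providers = {(d["metadata"].get("namespace"), d["metadata"].get("name"))
                 for d in docs if d.get("kind") == "CloudProvider"}
    for d in docs:
        kind, meta = d.get("kind"), d.get("metadata", {})
        if kind not in ("CloudProvider", "CloudResources"):
            continue
        ref = f"{kind}/{meta.get('name')}"
        if multicluster and meta.get("namespace") != MGMT_NAMESPACE:
            findings.append(f"{ref}: namespace must be {MGMT_NAMESPACE} in multicluster setups")
        if kind == "CloudProvider":
            aws = d["spec"]["aws"]
            acct = aws.get("accountId")
            # An unquoted ID is parsed as a YAML integer and loses leading zeros
            if not (isinstance(acct, str) and re.fullmatch(r"\d{12}", acct)):
                findings.append(f"{ref}: accountId must be a quoted 12-digit string")
            pattern = aws.get("lambda", {}).get("discovery", {}).get("filter", {}).get("name")
            if pattern is not None:
                try:
                    re.compile(pattern)  # filter.name is a regex (see the CR comments)
                except re.error as exc:
                    findings.append(f"{ref}: filter.name is not a valid regex: {exc}")
        else:
            # Assumption: the referenced CloudProvider lives in the same namespace
            if (meta.get("namespace"), d["spec"]["provider"]) not in providers:
                findings.append(f"{ref}: CloudProvider {d['spec']['provider']!r} not found")
    return findings
```

Running lint(SAMPLE_DOCS) reports three findings, all on bad-provider; the two manifests taken from the page pass cleanly.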
Next steps
- Define Lambda routing and apply route table filters based on Lambda function properties.
- Manage multitenancy by controlling which teams’ workloads can discover and invoke specific Lambda functions.