As you develop your Lambda strategy, you might want to adjust permissions to determine which teams in your organization can access which Lambda functions in your AWS accounts. By using Gloo multitenancy resources and AWS IAM permissions, you can control which workloads in your Gloo Mesh Gateway environment can discover and invoke specific Lambda functions.

Use CloudProvider CRs for multitenancy

Use Gloo custom resources, such as workspaces and cloud providers, to separate Lambda invocation access by team.

For example, consider Team A and Team B. Both teams have Lambda functions that are deployed to an AWS account. You want to ensure that Team A can only access its functions, and Team B can only access its functions. The following diagram shows the separation of resources according to each team.

Figure: AWS Lambda resources and Gloo custom resources for Team A and Team B multitenancy

Figure: Gloo custom resources for AWS Lambda details

To manage your teams’ access, you create the following resources.

Importing and exporting across workspaces

You can also import and export CloudProviders to other workspaces, so that other teams can invoke the Lambda functions specified by that CloudProvider. When you import a CloudProvider, the CloudResources that are attached to the provider are also implicitly imported. To invoke the Lambda functions that these imported CloudResources represent, you can either create a new route table in the second workspace, or import the existing route table from the first workspace.

Keep in mind that when you export a CloudProvider, you give the importing team the permissions to invoke functions associated with the IAM role defined in the CloudProvider. For example, if Team B needs to access lambda-team-a, you can import the CloudProvider from workspace A into workspace B. If the CloudProvider defines invoke-team-a as the invocation role, Team B now has the permissions granted by the role to invoke Team A’s functions.
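To make the effect of an export concrete, the following added example (not code from the Gloo docs or the Gloo project) models a CloudProvider, its attached CloudResources and two workspaces as simplified Python objects, then shows how importing Team A's CloudProvider into workspace B widens what B can invoke to whatever the invoke-team-a role permits. The IAM role policies, account ID, region and function ARNs are constructed sample data, and the class shapes are assumptions, not the real CRD schemas.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch

ACCT = "arn:aws:lambda:us-east-1:111111111111:function:"  # constructed account/region
# Constructed sample IAM policies: which function ARNs each invoke role may call.
ROLE_POLICIES = {
    "invoke-team-a": [ACCT + "lambda-team-a*"],
    "invoke-team-b": [ACCT + "lambda-team-b*"],
    "invoke-all": [ACCT + "*"],  # an over-broad role, to show what the audit catches
}

@dataclass
class CloudProvider:          # simplified stand-in for the Gloo CloudProvider CR (assumed)
    name: str
    invoke_role: str          # IAM role assumed when invoking
    functions: list           # function ARNs attached via CloudResources

@dataclass
class Workspace:              # simplified stand-in for a Gloo workspace (assumed)
    name: str
    providers: list = field(default_factory=list)
    imports: list = field(default_factory=list)  # CloudProviders imported from elsewhere

def role_allows(role: str, arn: str) -> bool:
    return any(fnmatch(arn, pat) for pat in ROLE_POLICIES[role])

def invokable(ws: Workspace) -> set:
    """Functions the workspace can invoke. Importing a CloudProvider implicitly
    imports its CloudResources, so the importer gets everything the provider's
    invoke role permits on those functions."""
    return {f for cp in ws.providers + ws.imports
            for f in cp.functions if role_allows(cp.invoke_role, f)}

def overbroad_roles(providers: list, all_functions: set) -> set:
    """Audit: invoke roles whose policy reaches functions not attached to their
    own CloudProvider (a least-privilege check to run before exporting)."""
    return {cp.invoke_role for cp in providers
            for f in all_functions - set(cp.functions) if role_allows(cp.invoke_role, f)}

TEAM_A = [ACCT + "lambda-team-a-1", ACCT + "lambda-team-a-2"]
TEAM_B = [ACCT + "lambda-team-b-1"]
CP_A = CloudProvider("cp-team-a", "invoke-team-a", TEAM_A)
CP_B = CloudProvider("cp-team-b", "invoke-team-b", TEAM_B)

def scenario() -> dict:
    ws_b = Workspace("workspace-b", [CP_B])
    before = invokable(ws_b)
    ws_b.imports.append(CP_A)        # export cp-team-a from workspace A, import into B
    after = invokable(ws_b)
    loose = CloudProvider("cp-loose", "invoke-all", TEAM_B)
    return {"before": before, "after": after,
            "overbroad": overbroad_roles([CP_A, CP_B, loose], set(TEAM_A + TEAM_B))}
```

Running `scenario()` shows workspace B going from only its own function to all of Team A's functions as well, and the audit flags only the role whose policy is wider than the functions attached to its provider.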

For example, consider Team A and Team B. Team A has Lambda functions that are deployed to an AWS account, and you want to ensure that both Team A and Team B can access Team A’s functions. The following diagram shows the separation of resources according to each team.

Figure: AWS Lambda resources and Gloo custom resources for Team A and Team B access to Team A functions

To manage your teams’ access, you create the following resources.