aws-lambda

Description

The aws-lambda Plugin is used for integrating APISIX with AWS Lambda as a dynamic upstream to proxy all requests for a particular URI to the AWS Cloud.

When enabled, the Plugin terminates the ongoing request to the configured URI and initiates a new request to the AWS Lambda Gateway URI on behalf of the client with configured authorization details, request headers, body and parameters (all three passed from the original request). It returns back the response with headers, status code and the body to the client that initiated the request with APISIX.

This Plugin supports authorization via AWS API key and AWS IAM secrets.

Attributes

Name	Type	Required	Default	Valid values	Description
function_uri	string	True			AWS API Gateway endpoint which triggers the lambda serverless function.
authorization	object	False			Authorization credentials to access the cloud function.
authorization.apikey	string	False			Generated API Key to authorize requests to the AWS Gateway endpoint.
authorization.iam	object	False			Used for AWS IAM role based authorization performed via AWS v4 request signing. See IAM authorization schema.
timeout	integer	False	3000	[100,…]	Proxy request timeout in milliseconds.
ssl_verify	boolean	False	true	true/false	When set to `true` performs SSL verification.
keepalive	boolean	False	true	true/false	When set to `true` keeps the connection alive for reuse.
keepalive_pool	integer	False	5	[1,…]	Maximum number of requests that can be sent on this connection before closing it.
keepalive_timeout	integer	False	60000	[1000,…]	Time is ms for connection to remain idle without closing.

IAM Authorization Schema

Name	Type	Required	Default	Description
accesskey	string	True		Generated access key ID from AWS IAM console.
secret_key	string	True		Generated access key secret from AWS IAM console.
aws_region	string	False	“us-east-1”	AWS region where the request is being sent.
service	string	False	“execute-api”	The service that is receiving the request. For HTTP trigger, it is `“execute-api”`.

Enabling the Plugin

The example below shows how you can configure the Plugin on a specific Route:

curl http://127.0.0.1:9180/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "plugins": {
        "aws-lambda": {
            "function_uri": "https://x9w6z07gb9.execute-api.us-east-1.amazonaws.com/default/test-apisix",
            "authorization": {
                "apikey": "<Generated API Key from aws console>",
            },
            "ssl_verify":false
        }
    },
    "uri": "/aws"
}'

Now, any requests (HTTP/1.1, HTTPS, HTTP2) to the endpoint /aws will invoke the configured AWS Functions URI and the response will be proxied back to the client.

In the example below, AWS Lambda takes in name from the query and returns a message “Hello $name”:

curl -i -XGET localhost:9080/aws\?name=APISIX

HTTP/1.1 200 OK
Content-Type: application/json
Connection: keep-alive
Date: Sat, 27 Nov 2021 13:08:27 GMT
x-amz-apigw-id: JdwXuEVxIAMFtKw=
x-amzn-RequestId: 471289ab-d3b7-4819-9e1a-cb59cac611e0
Content-Length: 16
X-Amzn-Trace-Id: Root=1-61a22dca-600c552d1c05fec747fd6db0;Sampled=0
Server: APISIX/2.10.2
"Hello, APISIX!"

Another example of a request where the client communicates with APISIX via HTTP/2 is shown below (make sure you have configured enable_http2: true for a in your default configuration file (config-default.yaml). You can do this by uncommenting the port 9081 from the field apisix.node_listen):

curl -i -XGET --http2 --http2-prior-knowledge localhost:9081/aws\?name=APISIX

HTTP/2 200
content-type: application/json
content-length: 16
x-amz-apigw-id: JdwulHHrIAMFoFg=
date: Sat, 27 Nov 2021 13:10:53 GMT
x-amzn-trace-id: Root=1-61a22e5d-342eb64077dc9877644860dd;Sampled=0
x-amzn-requestid: a2c2b799-ecc6-44ec-b586-38c0e3b11fe4
server: APISIX/2.10.2
"Hello, APISIX!"

Similarly the function can be triggered via AWS API Gateway by using AWS IAM permissions for authorization. The Plugin includes authentication signatures in HTTP calls via AWS v4 request signing. The example below shows this method:

curl http://127.0.0.1:9180/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "plugins": {
        "aws-lambda": {
            "function_uri": "https://ajycz5e0v9.execute-api.us-east-1.amazonaws.com/default/test-apisix",
            "authorization": {
                "iam": {
                    "accesskey": "<access key>",
                    "secretkey": "<access key secret>"
                }
            },
            "ssl_verify": false
        }
    },
    "uri": "/aws"
}'

note

This approach assumes that you have already an IAM user with programmatic access enabled with the required permissions (AmazonAPIGatewayInvokeFullAccess) to access the endpoint.

Configuring path forwarding

The aws-lambda Plugins also supports URL path forwarding while proxying requests to the AWS upstream. Extensions to the base request path gets appended to the function_uri specified in the Plugin configuration.

IMPORTANT

The uri configured on a Route must end with * for this feature to work properly. APISIX Routes are matched strictly and the * implies that any subpath to this URI would be matched to the same Route.

The example below configures this feature:

curl http://127.0.0.1:9180/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "plugins": {
        "aws-lambda": {
            "function_uri": "https://x9w6z07gb9.execute-api.us-east-1.amazonaws.com",
            "authorization": {
                "apikey": "<Generate API key>"
            },
            "ssl_verify":false
        }
    },
    "uri": "/aws/*"
}'

Now, any requests to the path aws/default/test-apisix will invoke the AWS Lambda Function and the added path is forwarded:

curl -i -XGET http://127.0.0.1:9080/aws/default/test-apisix\?name\=APISIX

HTTP/1.1 200 OK
Content-Type: application/json
Connection: keep-alive
Date: Wed, 01 Dec 2021 14:23:27 GMT
X-Amzn-Trace-Id: Root=1-61a7855f-0addc03e0cf54ddc683de505;Sampled=0
x-amzn-RequestId: f5f4e197-9cdd-49f9-9b41-48f0d269885b
Content-Length: 16
x-amz-apigw-id: JrHG8GC4IAMFaGA=
Server: APISIX/2.11.0
"Hello, APISIX!"

Disable Plugin

To disable the aws-lambda Plugin, you can delete the corresponding JSON configuration from the Plugin configuration. APISIX will automatically reload and you do not have to restart for this to take effect.

curl http://127.0.0.1:9180/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "uri": "/aws",
    "plugins": {},
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "127.0.0.1:1980": 1
        }
    }
}'