
Lambda
Use the Lambda policy to directly trigger AWS Lambda functions from API without using the Amazon API Gateway.
Gateway support
Gateway | Policy version |
---|---|
DataPower® API Gateway | 1.3.0 |
This topic describes how to configure the policy in the assembly user interface; for details on how to configure the policy in your OpenAPI source, see Lambda.
About
The Lambda policy lets you trigger AWS Lambda functions from within an API's assembly without requiring you to use the Amazon API Gateway. When you add the policy to an API assembly, you can specify the Lambda function to invoke and provide credentials for using it. The credentials can be either an AWS IAM role, or an Access Key ID/Secret Access Key pair. You can download the lambda policy from Lambda policy fix pack.
- Configure access to the Lambda function in AWS as explained in the Setting up permissions and trust in AWS section of this topic.
- Define an API policy in API Connect using the policy properties in the Properties section of this topic.
- The Lambda policy uses VPC endpoints to ensure that the communication from the gateway to the Lambda service is over the AWS private backbone.
- For information about Lambda and instructions for using the Lambda features, see the AWS Lambda documentation.
Setting up permissions and trust in AWS
Use the instructions for the option that best suits your needs.
- Access Key ID/Secret Access Key
  - Provide the AWS Access Key ID/AWS Secret Access Key pair of an account with permission to invoke one or more Lambda functions. The permissions of this account should be as narrowly scoped as possible; the account should be a service account with no permissions other than the ability to invoke one or more Lambda functions. For more information, see the Identity-Based IAM Policies for Lambda documentation.
To use the Access Key ID/Secret Access Key authentication option, complete the following steps to use your account's IAM service and create an IAM service account with appropriate permissions to facilitate limited communication with API Connect:
- Sign in to the AWS Management Console and open the IAM console.
- On the AWS IAM console, click Users in the navigation list, and then click Add users.
- When prompted to "Set user details", provide a User name (unique within your AWS account) and select Access key - Programmatic access.
  You can select the Password - AWS Management Console access option, but it is not required for interaction with API Connect.
  There are a variety of options for defining permissions for the new user account. See the AWS Identity and Access Management User Guide for information on adding the user to a user group, or attaching a policy directly to the user.
  A straightforward method of defining user permissions that adheres to the least-privilege principle is to create an IAM user with no permissions, and then add that user to the permissions configuration of a specific Lambda function, as demonstrated in the following steps.
- On the "Set user details" page, click Next: Tags without making any changes to the new User account.
- Create the desired Tags and then click Next: Review.
- Review your settings and click Create user. Ignore the warning "This user has no permissions" because you will assign permissions in the remaining steps.
- Click Download .csv to save the new user's Access key ID and Secret access key, and store them in a safe place. These values will be used as the AWS Access Key ID and AWS Secret Access Key when configuring the Lambda policy of your API in API Connect.
- Update the Lambda function to provide permissions for the new user:
  - In the Lambda console, open the Functions page.
  - Select the function that API Connect will invoke.
  - Click Configuration.
  - In the Resource-based policy statements section, click Add permissions.
  - Select AWS account and add a unique Statement ID.
  - Set Principal to the ARN of the new user, arn:aws:iam::<AWS_account_ID>:user/<username>, available on the page.
  - Set the Action to lambda:InvokeFunction.
  - Click Save.
  Repeat this step for every Lambda function that the user account will invoke.
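The steps above produce one resource-based policy statement per function: a single IAM user principal allowed only lambda:InvokeFunction on that function. The following is an added example, not part of the original topic or the API Connect product, that builds that statement and audits an existing function policy (the JSON string returned by get-policy) for statements that are broader than this least-privilege grant. The account ID, user name and function ARN are constructed sample values; the statement shape is assumed to match what the console generates.

```python
import json
import re

# Constructed sample values for a run-through (not from the page).
ACCOUNT_ID = "123456789012"
USER_NAME = "apic-lambda-invoker"
FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:order-lookup"

# Shape of a single IAM user ARN, the only principal form this setup should grant.
USER_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:user/[\w+=,.@-]+$")

def build_invoke_statement(account_id, username, function_arn, sid):
    """Statement equivalent to the console steps (assumed shape): one IAM user
    principal, only lambda:InvokeFunction, scoped to one function ARN."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:user/{username}"},
        "Action": "lambda:InvokeFunction",
        "Resource": function_arn,
    }

def audit_statement(stmt, function_arn):
    """List every way a statement is broader than the least-privilege grant above."""
    findings = []
    principal = stmt.get("Principal")
    aws = principal.get("AWS") if isinstance(principal, dict) else principal
    for p in aws if isinstance(aws, list) else [aws]:
        if p in (None, "*"):
            findings.append("principal is missing, a wildcard, or not an AWS principal")
        elif not USER_ARN_RE.match(str(p)):
            findings.append(f"principal is not a single IAM user: {p}")
    actions = stmt.get("Action", [])
    for a in actions if isinstance(actions, list) else [actions]:
        if a != "lambda:InvokeFunction":
            findings.append(f"action beyond InvokeFunction: {a}")
    if stmt.get("Resource") != function_arn:
        findings.append("resource does not match the target function ARN")
    return findings

def audit_policy(policy_json, function_arn):
    """Audit a whole resource-based policy document given as a JSON string;
    returns {Sid: [findings]} so an empty list means the statement is as tight
    as the one the procedure creates."""
    doc = json.loads(policy_json)
    return {s.get("Sid", "?"): audit_statement(s, function_arn)
            for s in doc.get("Statement", [])}
```

Any statement whose findings list is non-empty grants more than the procedure intends and is worth reviewing before the function is exposed through the API.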
Properties
The following table lists the policy properties, indicates whether a property is required, specifies the valid and default values for input, and specifies the data type of the values.
Property label | Required | Description | Data type |
---|---|---|---|
Title | No | The title of the policy. The default value is lambda. | string |
Description | No | A description of the policy. | string |
AWS Access Key ID | Yes | AWS Access keys are long-term credentials for an AWS IAM user. Required if the AWS Assume Role ARN is not provided instead. For instructions on creating the access key pair in AWS, see Access Key ID/Secret Access Key in this topic. | string |
AWS Secret Access Key | Yes | The secret access key that corresponds to the specified AWS Access Key ID. | string |
Function | Yes | The name or Amazon Resource Name (ARN) of the AWS Lambda function to execute, using one of the following formats: For more information, see | string |
Region | Yes | The AWS region where the Lambda function is hosted. | string |
Qualifier | No | The alias or version of the Lambda function that you want to execute. For more information, see | string |