DataPower API Gateway only

Lambda

Use the Lambda policy to directly trigger AWS Lambda functions from API without using the Amazon API Gateway.

Gateway support

Table 1. Gateways that support this policy, and the corresponding policy version

  Gateway                   Policy version
  DataPower® API Gateway    1.3.0

This topic describes how to configure the policy in the assembly user interface; for details on how to configure the policy in your OpenAPI source, see Lambda.

About

The Lambda policy lets you trigger AWS Lambda functions from within an API's assembly without requiring you to use the Amazon API Gateway. When you add the policy to an API assembly, you specify the Lambda function to invoke and provide credentials for using it. The credentials can be either an AWS IAM role, or an Access Key ID/Secret Access Key pair. You can download the Lambda policy from the Lambda policy fix pack.

To enable API Connect to invoke a Lambda function, complete the following tasks:
  1. Configure access to the Lambda function in AWS as explained in the Setting up permissions and trust in AWS section of this topic.
  2. Define an API policy in API Connect using the policy properties in the Properties section of this topic.
Note:
  • The Lambda policy uses VPC endpoints to ensure that the communication from the gateway to the Lambda service is over the AWS private backbone.
  • For information about Lambda and instructions for using the Lambda features, see the AWS Lambda documentation.

Setting up permissions and trust in AWS

To use a Lambda policy, you must set up an IAM identity in your AWS account and grant it permission to invoke the AWS Lambda function, so that API Connect can invoke that function. This topic describes one authentication option for the AWS Lambda policy:

Access Key ID/Secret Access Key
Provide the AWS Access Key ID/AWS Secret Access Key pair of an account with permission to invoke one or more Lambda functions. The permissions of this account should be as narrowly-scoped as possible; the account should be a service account with no other permissions other than the ability to invoke one or more Lambda functions. For more information, see the Identity-Based IAM Policies for Lambda documentation.

To use the Access Key ID/Secret Access Key authentication option, complete the following steps in the IAM service of your AWS account to create an IAM service account that has only the permissions API Connect needs:

  1. Sign in to the AWS Management Console and open the IAM console.
  2. On the AWS IAM console, click Users in the navigation list, and then click Add users.
  3. When prompted to "Set user details", provide a User name (unique within your AWS account) and select Access key - Programmatic access.

    You can select the Password - AWS Management Console access option, but it is not required for interaction with API Connect.

    There are a variety of options for defining permissions for the new user account. See the AWS Identity and Access Management User Guide for information on adding the user to a user group, or attaching a policy directly to the user.

    A straightforward method of defining user permissions that adheres to the least-privilege principle is to create an IAM user with no permissions, and then add that user to the permissions configuration of a specific Lambda function, as demonstrated in the following steps.

  4. On the "Set permissions" page, click Next: Tags without making any changes, so that the new user is created with no permissions.
  5. Create the desired Tags and then click Next: Review.
  6. Review your settings and click Create user.

    Ignore the warning that This user has no permissions because you will assign permissions in the remaining steps.

  7. Click Download .csv to save the new user's Access key ID and Secret access key, and store them in a safe place; the secret access key is shown only at this point and cannot be retrieved from the console later. These values will be used as the AWS Access Key ID and AWS Secret Access Key when configuring the Lambda policy of your API in API Connect.
  8. Update the Lambda function to provide permissions for the new user:
    1. In the Lambda console, open the Functions page.
    2. Select the function that API Connect will invoke.
    3. Click Configuration.
    4. In the Resource-based policy statements section, click Add permissions.
    5. Select AWS account and add a unique Statement ID.
    6. Set Principal to the ARN of the new user.

      arn:aws:iam::<AWS_account_ID>:user/<username>, available on the Users > <username> page.

    7. Set the Action to lambda:InvokeFunction.
    8. Click Save.

    Repeat this step for every Lambda function that the user account will invoke.
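The following is an added example, not IBM's or AWS's code. It expresses the result of steps 4 through 8 as policy documents and checks them offline: the Lambda resource-based policy statement that the console writes in step 8 (Principal = the new user's ARN, Action = lambda:InvokeFunction, Resource = one function ARN), a small evaluator that answers whether a principal may perform an action on a resource with IAM's explicit-deny precedence, and a least-privilege check that fails if any statement grants more than invoke on a single function. The account ID, user name (apic-lambda-invoker), region and function names are constructed placeholders.

```python
"""Added example (not IBM's or AWS's code): the least-privilege setup from
the procedure above, expressed as policy documents and checked offline.
Account ID, user name, region and function names are constructed."""
import fnmatch
import json
from typing import Iterable, List, Union

ACCOUNT_ID = "123456789012"                                        # constructed
REGION = "us-east-1"                                               # constructed
USER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/apic-lambda-invoker"   # step 6 principal


def function_arn(name: str, region: str = REGION, account: str = ACCOUNT_ID) -> str:
    """Full ARN of a Lambda function, the form used as Resource in policies."""
    return f"arn:aws:lambda:{region}:{account}:function:{name}"


def invoke_statement(function_name: str, principal_arn: str, sid: str) -> dict:
    """One statement equivalent to step 8: Add permissions -> AWS account,
    a unique Statement ID, Principal = user ARN, Action = lambda:InvokeFunction."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": "lambda:InvokeFunction",
        "Resource": function_arn(function_name),
    }


def build_policy(function_names: Iterable[str], principal_arn: str = USER_ARN) -> dict:
    """Resource-based policy granting invoke on each function: step 8 repeated
    once per function, as the procedure requires."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            invoke_statement(name, principal_arn, f"apic-invoke-{name}")
            for name in function_names
        ],
    }


def _as_list(value: Union[str, List[str], None]) -> List[str]:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(candidate: str, patterns: List[str]) -> bool:
    # IAM wildcard semantics: '*' matches any run, '?' one character.
    # ARNs and action names contain no '[', so fnmatch's bracket syntax is inert.
    return any(fnmatch.fnmatchcase(candidate, p) for p in patterns)


def is_allowed(policy: dict, principal_arn: str, action: str, resource_arn: str) -> bool:
    """Evaluate a resource-based policy for a same-account IAM user: an explicit
    Deny wins, otherwise any matching Allow grants, otherwise implicit deny."""
    allowed = False
    for statement in policy["Statement"]:
        principal = statement.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        if "*" not in principals and principal_arn not in principals:
            continue
        if not _matches(action, _as_list(statement.get("Action"))):
            continue
        if not _matches(resource_arn, _as_list(statement.get("Resource"))):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def only_invoke(policy: dict) -> bool:
    """Least-privilege check: every Allow grants exactly lambda:InvokeFunction
    on concrete (non-wildcard) function ARNs."""
    for statement in policy["Statement"]:
        if statement["Effect"] != "Allow":
            continue
        if _as_list(statement.get("Action")) != ["lambda:InvokeFunction"]:
            return False
        if any("*" in r or "?" in r for r in _as_list(statement.get("Resource"))):
            return False
    return True


# The policy the two functions would carry after repeating step 8 for each.
POLICY = build_policy(["order-lookup", "order-refund"])

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    print("least privilege:", only_invoke(POLICY))
```

Because the user and the functions are in the same AWS account, this resource-based policy alone is enough for the invoke to succeed; the user needs no identity-based policy, which is why the warning in step 6 can be ignored. The only_invoke check is the one to run whenever someone edits these statements: a Resource of "*" or an Action of "lambda:*" turns the service account into something far broader than an invoker.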

Properties

The following table lists the policy properties, indicates whether a property is required, specifies the valid and default values for input, and specifies the data type of the values.

Table 2. Lambda policy properties

Property label: Title
  Required: No
  Description: The title of the policy. The default value is lambda.
  Data type: string

Property label: Description
  Required: No
  Description: A description of the policy.
  Data type: string

Property label: AWS Access Key ID
  Required: Yes
  Description: AWS access keys are long-term credentials for an AWS IAM user. Required if the AWS Assume Role ARN is not provided instead.
    For instructions on creating the access key pair in AWS, see Access Key ID/Secret Access Key in this topic.
  Data type: string

Property label: AWS Secret Access Key
  Required: Yes
  Description: The secret access key that corresponds to the specified AWS Access Key ID.
  Data type: string

Property label: Function
  Required: Yes
  Description: The name or Amazon Resource Name (ARN) of the AWS Lambda function to execute, using one of the following formats:
    • Function name; for example: my-function
    • Function ARN; for example: arn:aws:lambda:us-east-1:123456789012:function:my-function
    • Partial ARN; for example: 123456789012:function:my-function
    For more information, see FunctionName in the AWS Lambda Developer Guide.
  Data type: string

Property label: Region
  Required: Yes
  Description: The AWS region where the Lambda function is hosted.
  Data type: string

Property label: Qualifier
  Required: No
  Description: The alias or version of the Lambda function that you want to execute.
    For more information, see Qualifier in the AWS Lambda Developer Guide.
  Data type: string
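The following is an added example, not IBM's code, showing how the Function, Region and Qualifier properties combine into the fully qualified ARN that is actually invoked. The Function property accepts three forms (name, full ARN, partial ARN), and a qualifier may be carried either inside the Function value or in the separate Qualifier property. The resolver normalises all of them and rejects the inconsistencies worth catching before an API is published: a Region property that disagrees with the region in a full ARN, two different qualifiers, or a value that is none of the three forms. The account ID passed as the default is a constructed placeholder, and the name-length limit of 64 characters for a bare function name follows the AWS FunctionName documentation.

```python
"""Added example (not IBM's code): resolve the Lambda policy's Function,
Region and Qualifier properties to the fully qualified function ARN and
reject inconsistent combinations. The account ID used is constructed."""
import re
from dataclasses import dataclass
from typing import Optional

_NAME = r"[A-Za-z0-9_-]+"
_QUALIFIER = r"\$LATEST|[A-Za-z0-9_-]+"     # version number, alias, or $LATEST
_FULL_ARN = re.compile(
    rf"^arn:aws:lambda:(?P<region>[a-z]{{2}}(?:-gov)?-[a-z]+-\d):(?P<account>\d{{12}})"
    rf":function:(?P<name>{_NAME})(?::(?P<qualifier>{_QUALIFIER}))?$"
)
_PARTIAL_ARN = re.compile(
    rf"^(?P<account>\d{{12}}):function:(?P<name>{_NAME})(?::(?P<qualifier>{_QUALIFIER}))?$"
)
_PLAIN_NAME = re.compile(rf"^(?P<name>{_NAME})(?::(?P<qualifier>{_QUALIFIER}))?$")


@dataclass(frozen=True)
class LambdaTarget:
    """What the gateway will invoke once the three properties are combined."""
    region: str
    account: str
    name: str
    qualifier: Optional[str]

    @property
    def arn(self) -> str:
        base = f"arn:aws:lambda:{self.region}:{self.account}:function:{self.name}"
        return f"{base}:{self.qualifier}" if self.qualifier else base


def resolve(function: str, region: str, account: str,
            qualifier: Optional[str] = None) -> LambdaTarget:
    """Normalise the Function property (name, full ARN or partial ARN) using
    the Region property and, for a bare name, the caller's account.

    Raises ValueError for a malformed value, a Region property that disagrees
    with a full ARN, or a Qualifier that conflicts with one embedded in
    the Function value."""
    for pattern in (_FULL_ARN, _PARTIAL_ARN, _PLAIN_NAME):
        match = pattern.match(function)
        if match:
            break
    else:
        raise ValueError(f"Function is not a name, ARN or partial ARN: {function!r}")
    parts = match.groupdict()

    arn_region = parts.get("region")
    if arn_region and arn_region != region:
        # The Region property selects the endpoint; a full ARN naming another
        # region is a misconfiguration, not something to silently override.
        raise ValueError(f"Region {region!r} does not match ARN region {arn_region!r}")

    if len(parts["name"]) > 64:
        raise ValueError("function name longer than 64 characters")

    embedded = parts.get("qualifier")
    if embedded and qualifier and embedded != qualifier:
        raise ValueError(f"conflicting qualifiers {embedded!r} and {qualifier!r}")

    return LambdaTarget(
        region=region,
        account=parts.get("account") or account,
        name=parts["name"],
        qualifier=qualifier or embedded,
    )


if __name__ == "__main__":
    # Constructed inputs mirroring the three formats in Table 2.
    for value in ("my-function",
                  "arn:aws:lambda:us-east-1:123456789012:function:my-function",
                  "123456789012:function:my-function"):
        print(resolve(value, region="us-east-1", account="123456789012", qualifier="prod").arn)
```

Run this against the values from a policy before deploying it: a partial ARN or bare name silently picks up whatever Region is configured, so a typo there points the gateway at a function that may not exist, and a Qualifier left empty invokes $LATEST rather than a pinned version or alias.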