AWS Lambda function URL with example

Hello Everyone

Welcome to CloudAffaire and this is Debjeet.

Today we will discuss what is AWS Lambda Function URL and how to create an AWS Lambda Function URL with example.

What is Lambda function URL?

A function URL is a dedicated HTTP(S) endpoint for your Lambda function. You can create and configure a function URL through the Lambda console or the Lambda API. When you create a function URL, Lambda automatically generates a unique URL endpoint for you. Function URL endpoints have the following format:

https://<url-id>.lambda-url.<region>.on.aws

Lambda generates the <url-id> portion of the endpoint based on a number of factors, including your AWS account ID. Because this process is deterministic, it may be possible for anyone to retrieve your account ID from the <url-id>.

Function URLs are dual stack-enabled, supporting IPv4 and IPv6. After you configure a function URL for your function, you can invoke your function through its HTTP(S) endpoint via a web browser, curl, Postman, or any HTTP client. Lambda function URLs use resource-based policies for security and access control. Function URLs also support cross-origin resource sharing (CORS) configuration options.

You can apply function URLs to any function alias, or to the $LATEST unpublished function version. You can’t add a function URL to any other function version.

Lambda Function URL security:

You can control access to your Lambda function URLs using the AuthType parameter combined with resource-based policies attached to your specific function. The configuration of these two components determines who can invoke or perform other administrative actions on your function URL.

The AuthType parameter determines how Lambda authenticates or authorizes requests to your function URL. When you configure your function URL, you must specify one of the following AuthType options:

AWS_IAM: Lambda uses AWS Identity and Access Management (IAM) to authenticate and authorize requests based on the IAM principal’s identity policy and the function’s resource-based policy. Choose this option if you want only authenticated IAM users and roles to invoke your function via the function URL.

NONE: Lambda doesn’t perform any authentication before invoking your function. However, your function’s resource-based policy is always in effect and must grant public access before your function URL can receive requests. Choose this option to allow public, unauthenticated access to your function URL.

In addition to AuthType, you can also use resource-based policies to grant permissions to other AWS accounts to invoke your function.

Next, we will create a lambda function with URL.

How to create an AWS Lambda function URL?

Prerequisites:

AWS CLI installed and configured.

Step 1: Create a file containing the lambda function code.

## Create your lambda function code
cat << EOF > index.js
exports.handler = async (event) => {
    let body = JSON.parse(event.body)
    const response = {
        statusCode: 200,
        body: "Hello " + body.name + ", Welcome to cloudaffaire",
    };
    return response;
};
EOF

## Create your lambda function code

cat << EOF > index.js

exports.handler = async (event) => {

let body = JSON.parse(event.body)

const response = {

statusCode: 200,

body: "Hello " + body.name + ", Welcome to cloudaffaire",

};

return response;

};

EOF

Step 2: Zip the lambda function file.

## Create a zip file from index.js
zip function.zip index.js

1 2	## Create a zip file from index.js zip function.zip index.js

Step 3: Create a trust policy definition file for the lambda IAM role.

## Create a trust policy definition for lambda to assume the IAM role
cat << EOF > assume_policy.json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "lambda.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
EOF

## Create a trust policy definition for lambda to assume the IAM role

cat << EOF > assume_policy.json

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Principal": {

"Service": "lambda.amazonaws.com"

"Action": "sts:AssumeRole"

}

]

}

EOF

Step 4: Create an IAM role that will be assumed by the lambda function.

## Create an IAM role that lambda can assume
aws iam create-role \
--role-name lambda-iam-role \
--assume-role-policy-document file://assume_policy.json

## Create an IAM role that lambda can assume

aws iam create-role \

--role-name lambda-iam-role \

--assume-role-policy-document file://assume_policy.json

Step 5: Create an IAM policy definition file for the lambda IAM role.

## Get aws account ID
AWS_ACCOUNT_ID=$(aws sts get-caller-identity | jq -r .Account) &&
echo $AWS_ACCOUNT_ID &&
ARN="arn:aws:logs:ap-south-1:"$AWS_ACCOUNT_ID":log-group:/aws/lambda/hello:*"

## Create a policy for the lambda IAM role
cat << EOF > lambda_policy.json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "logs:CreateLogGroup",
            "Resource": "arn:aws:logs:ap-south-1:$AWS_ACCOUNT_ID:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "$ARN"
            ]
        }
    ]
}
EOF

## Get aws account ID

AWS_ACCOUNT_ID=$(aws sts get-caller-identity | jq -r .Account) &&

echo $AWS_ACCOUNT_ID &&

ARN="arn:aws:logs:ap-south-1:"$AWS_ACCOUNT_ID":log-group:/aws/lambda/hello:*"

## Create a policy for the lambda IAM role

cat << EOF > lambda_policy.json

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Action": "logs:CreateLogGroup",

"Resource": "arn:aws:logs:ap-south-1:$AWS_ACCOUNT_ID:*"

{

"Effect": "Allow",

"Action": [

"logs:CreateLogStream",

"logs:PutLogEvents"

"Resource": [

"$ARN"

]

}

]

}

EOF

Step 6: Create an IAM policy for the lambda role.

## Create an IAM policy
aws iam create-policy \
--policy-name lambda-iam-policy \
--policy-document file://lambda_policy.json

## Create an IAM policy

aws iam create-policy \

--policy-name lambda-iam-policy \

--policy-document file://lambda_policy.json

Step 7: Attach the IAM policy to the lambda IAM role.

## Attach to the IAM lambda role
aws iam attach-role-policy \
--policy-arn arn:aws:iam::"$AWS_ACCOUNT_ID":policy/lambda-iam-policy \
--role-name lambda-iam-role

## Attach to the IAM lambda role

aws iam attach-role-policy \

--policy-arn arn:aws:iam::"$AWS_ACCOUNT_ID":policy/lambda-iam-policy \

--role-name lambda-iam-role

Step 8: Create the lambda function.

## Create the lambda function
aws lambda create-function \
--function-name hello \
--runtime nodejs14.x \
--zip-file fileb://function.zip \
--handler index.handler \
--role arn:aws:iam::"$AWS_ACCOUNT_ID":role/lambda-iam-role

## Create the lambda function

aws lambda create-function \

--function-name hello \

--runtime nodejs14.x \

--zip-file fileb://function.zip \

--handler index.handler \

--role arn:aws:iam::"$AWS_ACCOUNT_ID":role/lambda-iam-role

Step 9: Create the Lambda function URL using AWS CLI.

## Create lambda function URL using AWS CLI
aws lambda create-function-url-config \
--function-name hello \
--auth-type NONE

## Create lambda function URL using AWS CLI

aws lambda create-function-url-config \

--function-name hello \

--auth-type NONE

Note: If you get an error, you need to update your AWS CLI version.

Warning: We have defined “auth-type” as “NONE”, which allows anyone (public) who knows the endpoint URL to trigger the lambda function using the endpoint. Hence do not share the URL with anyone or set up monitoring on the lambda execution.

Step 10: Get the lambda function URL endpoint.

## Get lambda function URL
URL=$(aws lambda get-function-url-config \
--function-name hello | jq -r .FunctionUrl)

## Get lambda function URL

URL=$(aws lambda get-function-url-config \

--function-name hello | jq -r .FunctionUrl)

We have successfully created the AWS Lambda URL public endpoint.

AWS Lambda function URL with example

Next, let us test the endpoint and check if the lambda function gets executed and returns the expected data.

Step 11: Test lambda function URL public endpoint.

## Test your lambda function
curl --silent \
--request POST \
--header 'Content-Type: application/json' \
--data '{"name": "Debjeet"}' \
$URL

## Should return
## Hello Debjeet, Welcome to cloudaffaire

## Test your lambda function

curl --silent \

--request POST \

--header 'Content-Type: application/json' \

--data '{"name": "Debjeet"}' \

$URL

## Should return

## Hello Debjeet, Welcome to cloudaffaire

Step 12: Clean up.

## Clean up
## Delete the lambda function
aws lambda delete-function \
--function-name hello

## Detach the IAM role policy
aws iam detach-role-policy \
--role-name lambda-iam-role \
--policy-arn arn:aws:iam::$AWS_ACCOUNT_ID:policy/lambda-iam-policy

## Delete the IAM role
aws iam delete-role \
--role-name lambda-iam-role

## Delete the IAM policy
aws iam delete-policy \
--policy-arn arn:aws:iam::$AWS_ACCOUNT_ID:policy/lambda-iam-policy

## Clean up

## Delete the lambda function

aws lambda delete-function \

--function-name hello

## Detach the IAM role policy

aws iam detach-role-policy \

--role-name lambda-iam-role \

--policy-arn arn:aws:iam::$AWS_ACCOUNT_ID:policy/lambda-iam-policy

## Delete the IAM role

aws iam delete-role \

--role-name lambda-iam-role

## Delete the IAM policy

aws iam delete-policy \

--policy-arn arn:aws:iam::$AWS_ACCOUNT_ID:policy/lambda-iam-policy

Hope you have enjoyed this article. To get more details in AWS Lambda, please refer to the below documentation.

https://docs.aws.amazon.com/lambda/index.html