AWS Lambda function URL with example
Hello Everyone
Welcome to CloudAffaire and this is Debjeet.
Today we will discuss what an AWS Lambda function URL is and how to create one, with an example.
What is a Lambda function URL?
A function URL is a dedicated HTTP(S) endpoint for your Lambda function. You can create and configure a function URL through the Lambda console or the Lambda API. When you create a function URL, Lambda automatically generates a unique URL endpoint for you. Function URL endpoints have the following format:
https://<url-id>.lambda-url.<region>.on.aws
Lambda generates the <url-id> portion of the endpoint based on a number of factors, including your AWS account ID. Because this process is deterministic, it may be possible for anyone to retrieve your account ID from the <url-id>.
Function URLs are dual stack-enabled, supporting IPv4 and IPv6. After you configure a function URL for your function, you can invoke your function through its HTTP(S) endpoint via a web browser, curl, Postman, or any HTTP client. Lambda function URLs use resource-based policies for security and access control. Function URLs also support cross-origin resource sharing (CORS) configuration options.
You can apply function URLs to any function alias, or to the $LATEST unpublished function version. You can’t add a function URL to any other function version.
Lambda Function URL security:
You can control access to your Lambda function URLs using the AuthType parameter combined with resource-based policies attached to your specific function. The configuration of these two components determines who can invoke or perform other administrative actions on your function URL.
The AuthType parameter determines how Lambda authenticates or authorizes requests to your function URL. When you configure your function URL, you must specify one of the following AuthType options:
AWS_IAM: Lambda uses AWS Identity and Access Management (IAM) to authenticate and authorize requests based on the IAM principal’s identity policy and the function’s resource-based policy. Choose this option if you want only authenticated IAM users and roles to invoke your function via the function URL.
NONE: Lambda doesn’t perform any authentication before invoking your function. However, your function’s resource-based policy is always in effect and must grant public access before your function URL can receive requests. Choose this option to allow public, unauthenticated access to your function URL.
In addition to AuthType, you can also use resource-based policies to grant permissions to other AWS accounts to invoke your function.
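How AuthType and the resource-based policy combine, as an added example that is not part of the original article: the function below classifies a function URL from the output shapes of `get-function-url-config` and `get-policy`. The sample policy, its Sid and the account ID are constructed, and the check is simplified (explicit Deny statements and other condition keys are not evaluated).

```javascript
"use strict";
// Added example: who can reach a function URL, judged from AuthType plus the
// function's resource-based policy. Simplified: explicit Deny statements and
// condition keys other than lambda:FunctionUrlAuthType are not evaluated.

const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// True when the principal is the wildcard: "*" or {"AWS": "*"}.
function isWildcardPrincipal(principal) {
  if (principal === "*") return true;
  return typeof principal === "object" && principal !== null &&
    asArray(principal.AWS).includes("*");
}

// True when the statement allows lambda:InvokeFunctionUrl, directly or by wildcard.
function allowsUrlInvoke(stmt) {
  return stmt.Effect === "Allow" && asArray(stmt.Action).some(
    (a) => a === "*" || a === "lambda:*" || a === "lambda:InvokeFunctionUrl");
}

// True unless the statement is pinned to an AuthType other than NONE.
function conditionPermitsNone(stmt) {
  const eq = (stmt.Condition || {}).StringEquals || {};
  const pinned = asArray(eq["lambda:FunctionUrlAuthType"]);
  return pinned.length === 0 || pinned.includes("NONE");
}

// Returns "PUBLIC", "IAM_ONLY" or "BLOCKED" for one function URL.
function classifyFunctionUrl(urlConfig, policy) {
  if (urlConfig.AuthType === "AWS_IAM") return "IAM_ONLY";
  const open = asArray(policy ? policy.Statement : undefined).some((s) =>
    allowsUrlInvoke(s) && isWildcardPrincipal(s.Principal) && conditionPermitsNone(s));
  return open ? "PUBLIC" : "BLOCKED";
}

// Constructed sample policy (Sid and account ID are placeholders).
const publicPolicy = {
  Version: "2012-10-17",
  Statement: [{
    Sid: "AllowPublicUrlInvoke", Effect: "Allow", Principal: "*",
    Action: "lambda:InvokeFunctionUrl",
    Resource: "arn:aws:lambda:ap-south-1:111122223333:function:hello",
    Condition: { StringEquals: { "lambda:FunctionUrlAuthType": "NONE" } },
  }],
};

console.log(classifyFunctionUrl({ AuthType: "NONE" }, publicPolicy));
```

A result of "BLOCKED" means the URL exists with AuthType NONE but no statement grants public access, so requests are rejected until the policy changes.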
Next, we will create a Lambda function with a function URL.
How to create an AWS Lambda function URL?
Prerequisites:
AWS CLI installed and configured. The commands below also use jq and zip.
Step 1: Create a file containing the lambda function code.
```bash
## Create your lambda function code
cat << EOF > index.js
exports.handler = async (event) => {
    let body = JSON.parse(event.body)
    const response = {
        statusCode: 200,
        body: "Hello " + body.name + ", Welcome to cloudaffaire",
    };
    return response;
};
EOF
```
Step 2: Zip the lambda function file.
```bash
## Create a zip file from index.js
zip function.zip index.js
```
Step 3: Create a trust policy definition file for the lambda IAM role.
```bash
## Create a trust policy definition for lambda to assume the IAM role
cat << EOF > assume_policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
```
Step 4: Create an IAM role that will be assumed by the lambda function.
```bash
## Create an IAM role that lambda can assume
aws iam create-role \
  --role-name lambda-iam-role \
  --assume-role-policy-document file://assume_policy.json
```
Step 5: Create an IAM policy definition file for the lambda IAM role.
```bash
## Get aws account ID
## The region is hard-coded to ap-south-1 below; change it if you create the function elsewhere
AWS_ACCOUNT_ID=$(aws sts get-caller-identity | jq -r .Account) &&
echo "$AWS_ACCOUNT_ID" &&
ARN="arn:aws:logs:ap-south-1:${AWS_ACCOUNT_ID}:log-group:/aws/lambda/hello:*"

## Create a policy for the lambda IAM role
## (the unquoted EOF lets the shell expand $AWS_ACCOUNT_ID and $ARN)
cat << EOF > lambda_policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "logs:CreateLogGroup",
      "Resource": "arn:aws:logs:ap-south-1:$AWS_ACCOUNT_ID:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "$ARN"
      ]
    }
  ]
}
EOF
```
Step 6: Create an IAM policy for the lambda role.
```bash
## Create an IAM policy
aws iam create-policy \
  --policy-name lambda-iam-policy \
  --policy-document file://lambda_policy.json
```
Step 7: Attach the IAM policy to the lambda IAM role.
```bash
## Attach to the IAM lambda role
aws iam attach-role-policy \
  --policy-arn arn:aws:iam::"$AWS_ACCOUNT_ID":policy/lambda-iam-policy \
  --role-name lambda-iam-role
```
Step 8: Create the lambda function.
```bash
## Create the lambda function
aws lambda create-function \
  --function-name hello \
  --runtime nodejs14.x \
  --zip-file fileb://function.zip \
  --handler index.handler \
  --role arn:aws:iam::"$AWS_ACCOUNT_ID":role/lambda-iam-role
```
Step 9: Create the Lambda function URL using AWS CLI.
```bash
## Create lambda function URL using AWS CLI
## With auth-type NONE, the function's resource-based policy must also grant public access
aws lambda create-function-url-config \
  --function-name hello \
  --auth-type NONE
```
Note: If you get an error, you need to update your AWS CLI version.
Warning: We have set “auth-type” to “NONE”, which allows anyone (public) who knows the endpoint URL to trigger the Lambda function through it. Hence, do not share the URL with anyone, or set up monitoring on the Lambda executions.
Step 10: Get the lambda function URL endpoint.
```bash
## Get lambda function URL
URL=$(aws lambda get-function-url-config \
  --function-name hello | jq -r .FunctionUrl)
```
We have successfully created the AWS Lambda URL public endpoint.
Next, let us test the endpoint and check if the lambda function gets executed and returns the expected data.
Step 11: Test lambda function URL public endpoint.
```bash
## Test your lambda function
curl --silent \
  --request POST \
  --header 'Content-Type: application/json' \
  --data '{"name": "Debjeet"}' \
  "$URL"

## Should return
## Hello Debjeet, Welcome to cloudaffaire
```
Step 12: Clean up.
```bash
## Clean up
## Delete the lambda function
aws lambda delete-function \
  --function-name hello

## Detach the IAM role policy
aws iam detach-role-policy \
  --role-name lambda-iam-role \
  --policy-arn arn:aws:iam::"$AWS_ACCOUNT_ID":policy/lambda-iam-policy

## Delete the IAM role
aws iam delete-role \
  --role-name lambda-iam-role

## Delete the IAM policy
aws iam delete-policy \
  --policy-arn arn:aws:iam::"$AWS_ACCOUNT_ID":policy/lambda-iam-policy
```
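Because Step 9 sets auth-type NONE, the handler from Step 1 receives whatever any client sends. The variant below is an added example, not the article's code: it validates the function URL event before using it, and the size limit, name pattern and error messages are assumptions chosen for illustration.

```javascript
"use strict";
// Added example: input handling for a handler behind a public function URL.
const MAX_BODY_BYTES = 1024;                      // assumed cap for this small payload
const NAME_PATTERN = /^[\p{L}\p{N} .'-]{1,64}$/u; // assumed allow-list for names

const reply = (statusCode, message) => ({
  statusCode,
  headers: { "Content-Type": "text/plain; charset=utf-8" },
  body: message,
});

// Decode the body of a function URL event; null if absent or too large.
function readBody(event) {
  if (!event || typeof event.body !== "string") return null;
  const raw = event.isBase64Encoded
    ? Buffer.from(event.body, "base64").toString("utf8")
    : event.body;
  return Buffer.byteLength(raw, "utf8") <= MAX_BODY_BYTES ? raw : null;
}

const handler = async (event) => {
  // Function URL events carry the HTTP method under requestContext.http.
  const method = event?.requestContext?.http?.method;
  if (method !== "POST") return reply(405, "Method not allowed");

  const raw = readBody(event);
  if (raw === null) return reply(400, "Missing or oversized body");

  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch {
    return reply(400, "Body must be valid JSON");
  }
  // JSON.parse can return null, a number or an array; only accept an object's name.
  const name = parsed && typeof parsed === "object" ? parsed.name : undefined;
  if (typeof name !== "string" || !NAME_PATTERN.test(name)) {
    return reply(400, "Field 'name' must be a short plain-text string");
  }
  return reply(200, "Hello " + name + ", Welcome to cloudaffaire");
};

// Export for the Lambda runtime (handler setting: index.handler).
if (typeof module !== "undefined") module.exports = { handler };
```

A malformed or empty request now gets a 4xx response instead of an unhandled exception in the function.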
Hope you have enjoyed this article. For more details on AWS Lambda, please refer to the documentation below.
https://docs.aws.amazon.com/lambda/index.html
Great!! It would be great to have a new example using IAM security. Thanks!!