This plugin lets you invoke an AWS Lambda function from Kong Gateway. The AWS Lambda plugin can be used in combination with other request plugins to secure, manage, or extend the function.
Any form parameter sent along with the request is also sent as an argument to the AWS Lambda function.
The AWS Lambda plugin will automatically fetch the IAM role credential according to the following precedence order:
config.aws_key and config.aws_secret parameters in the plugin configuration.By default, cURL sends payloads with an
application/x-www-form-urlencodedMIME type, which will naturally be URL-decoded by Kong Gateway. To ensure special characters that are likely to appear in your AWS key or secret (like+) are correctly decoded, you must URL-encode them with--data-urlencode. Alternatives to this approach would be to send your payload with a different MIME type (likeapplication/json), or to use a different HTTP client.
AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables.AWS_PROFILE and AWS_SHARED_CREDENTIALS_FILE.Note: IAM Identity Center credential provider and Process credential provider are not supported.
If you also specify the config.aws_assume_role_arn parameter, the plugin will try to perform
an additional AssumeRole
action. This requires the Kong Gateway process to make an HTTPS request to the AWS STS service API after
configuring the AWS access key/secret or fetching credentials automatically from EC2/ECS/EKS IAM roles.
If it succeeds, the plugin will fetch temporary security credentials that give the plugin the access permission configured in the target assumed role. The plugin will then try to invoke the Lambda function based on the target assumed role.
If the config.aws_region parameter isn’t specified, the plugin attempts to get the
AWS region through the environment variables AWS_REGION and AWS_DEFAULT_REGION,
in that order. If none of these are set, a runtime error no region or host specified
will be thrown.