AWS Lambda (proto)

This extension has the qualified name envoy.filters.http.aws_lambda

Note

This extension is functional but has not had substantial production burn time, use only with this caveat.

This extension is not hardened and should only be used in deployments where both the downstream and upstream are trusted.

Tip

This extension extends and can be used with the following extension categories:

This extension must be configured with one of the following type URLs:

type.googleapis.com/envoy.extensions.filters.http.aws_lambda.v3.Config
type.googleapis.com/envoy.extensions.filters.http.aws_lambda.v3.PerRouteConfig

AWS Lambda configuration overview.

extensions.filters.http.aws_lambda.v3.Config

[extensions.filters.http.aws_lambda.v3.Config proto]

AWS Lambda filter config

{
  "arn": ...,
  "payload_passthrough": ...,
  "invocation_mode": ...,
  "host_rewrite": ...,
  "credentials_profile": ...,
  "credentials": {...}
}

arn: (string, REQUIRED) The ARN of the AWS Lambda to invoke when the filter is engaged Must be in the following format: arn:<partition>:lambda:<region>:<account-number>:function:<function-name>

payload_passthrough: (bool) Whether to transform the request (headers and body) to a JSON payload or pass it as is.

invocation_mode: (extensions.filters.http.aws_lambda.v3.Config.InvocationMode) Determines the way to invoke the Lambda function.

host_rewrite

(string) Indicates that before signing headers, the host header will be swapped with this value. If not set or empty, the original host header value will be used and no rewrite will happen.

Note: this rewrite affects both signing and host header forwarding. However, this option shouldn’t be used with HCM host rewrite given that the value set here would be used for signing whereas the value set in the HCM would be used for host header forwarding which is not the desired outcome. Changing the value of the host header can result in a different route to be selected if an HTTP filter after AWS lambda re-evaluates the route (clears route cache).

credentials_profile: (string) Specifies the credentials profile to be used from the AWS credentials file. This parameter is optional. If set, it will override the value set in the AWS_PROFILE env variable and the provider chain is limited to the AWS credentials file Provider. If credentials configuration is provided, this configuration will be ignored. If this field is provided, then the default providers chain specified in the documentation will be ignored. (See default credentials providers).

credentials: (extensions.filters.http.aws_lambda.v3.Credentials) Specifies the credentials to be used. This parameter is optional and if it is set, it will override other providers and will take precedence over credentials_profile. The provider chain is limited to the configuration credentials provider. If this field is provided, then the default providers chain specified in the documentation will be ignored. (See default credentials providers).

Warning

Distributing the AWS credentials via this configuration should not be done in production.

Enum extensions.filters.http.aws_lambda.v3.Config.InvocationMode

[extensions.filters.http.aws_lambda.v3.Config.InvocationMode proto]

SYNCHRONOUS: (DEFAULT) ⁣This is the more common mode of invocation, in which Lambda responds after it has completed the function. In this mode the output of the Lambda function becomes the response of the HTTP request.

ASYNCHRONOUS: ⁣In this mode Lambda responds immediately but continues to process the function asynchronously. This mode can be used to signal events for example. In this mode, Lambda responds with an acknowledgment that it received the call which is translated to an HTTP 200 OK by the filter.

extensions.filters.http.aws_lambda.v3.Credentials

[extensions.filters.http.aws_lambda.v3.Credentials proto]

AWS Lambda Credentials config.

{
  "access_key_id": ...,
  "secret_access_key": ...,
  "session_token": ...
}

access_key_id: (string, REQUIRED) AWS access key id.

secret_access_key: (string, REQUIRED) AWS secret access key.

session_token: (string) AWS session token. This parameter is optional. If it is set to empty string it will not be consider in the request. It is required if temporary security credentials retrieved directly from AWS STS operations are used.

extensions.filters.http.aws_lambda.v3.PerRouteConfig

[extensions.filters.http.aws_lambda.v3.PerRouteConfig proto]

Per-route configuration for AWS Lambda. This can be useful when invoking a different Lambda function or a different version of the same Lambda depending on the route.

{
  "invoke_config": {...}
}

invoke_config: (extensions.filters.http.aws_lambda.v3.Config)