AWS Lambda
- This filter should be configured with the type URL - type.googleapis.com/envoy.extensions.filters.http.aws_lambda.v3.Config.
Attention
The AWS Lambda filter is currently under active development.
The HTTP AWS Lambda filter is used to trigger an AWS Lambda function from a standard HTTP request. It supports a few options to control whether to pass through the HTTP request payload as is or to wrap it in a JSON schema.
If payload_passthrough is set to
true, then the payload is sent to Lambda without any transformations.
Note: This means you lose access to all the HTTP headers in the Lambda function.
However, if payload_passthrough
is set to false, then the HTTP request is transformed to a JSON payload with the following schema:
 {
     "raw_path": "/path/to/resource",
     "method": "GET|POST|HEAD|...",
     "headers": {"header-key": "header-value", ... },
     "query_string_parameters": {"key": "value", ...},
     "body": "...",
     "is_base64_encoded": true|false
 }
- raw_pathis the HTTP request resource path (including the query string)
- methodis the HTTP request method. For example- GET,- PUT, etc.
- headersare the HTTP request headers. If multiple headers share the same name, their values are coalesced into a single comma-separated value.
- query_string_parametersare the HTTP request query string parameters. If multiple parameters share the same name, the last one wins. That is, parameters are not coalesced into a single value if they share the same key name.
- bodythe body of the HTTP request is base64-encoded by the filter if the- content-typeheader exists and is not one of the following:- text/* 
- application/json 
- application/xml 
- application/javascript 
 
Otherwise, the body of HTTP request is added to the JSON payload as is.
On the other end, the response of the Lambda function must conform to the following schema:
 {
     "status_code": ...
     "headers": {"header-key": "header-value", ... },
     "cookies": ["key1=value1; HttpOnly; ...", "key2=value2; Secure; ...", ...],
     "body": "...",
     "is_base64_encoded": true|false
 }
- The - status_codefield is an integer used as the HTTP response code. If this key is missing, Envoy returns a- 200 OK.
- The - headersare used as the HTTP response headers.
- The - cookiesare used as- Set-Cookieresponse headers. Unlike the request headers, cookies are _not_ part of the response headers because the- Set-Cookieheader cannot contain more than one value per the RFC. Therefore, each key/value pair in this JSON array will translate to a single- Set-Cookieheader.
- The - bodyis base64-decoded if it is marked as base64-encoded and sent as the body of the HTTP response.
Note
The target cluster must have its endpoint set to the regional Lambda endpoint. Use the same region as the Lambda function.
AWS IAM credentials must be defined in either environment variables, EC2 metadata or ECS task metadata.
The filter supports per-filter configuration.
If you use the per-filter configuration, the target cluster must have the following metadata:
44    metadata:
45      filter_metadata:
46        com.amazonaws.lambda:
47          egress_gateway: true
If you use the upstream filter configuration, this metadata is not required.
Below are some examples that show how the filter can be used in different deployment scenarios.
Example configuration
In this configuration, the filter applies to all routes in the filter chain of the http connection manager:
25          http_filters:
26          - name: envoy.filters.http.aws_lambda
27            typed_config:
28              "@type": type.googleapis.com/envoy.extensions.filters.http.aws_lambda.v3.Config
29              arn: "arn:aws:lambda:us-west-2:987654321:function:hello_envoy"
30              payload_passthrough: true
The corresponding regional endpoint must be specified in the target cluster. So, for example if the Lambda function is in us-west-2:
35  clusters:
36  - name: lambda_egress_gateway
37    type: LOGICAL_DNS
38    dns_lookup_family: V4_ONLY
39    lb_policy: ROUND_ROBIN
40    load_assignment:
41      cluster_name: lambda_egress_gateway
42      endpoints:
43      - lb_endpoints:
44        - endpoint:
45            address:
46              socket_address:
47                address: lambda.us-west-2.amazonaws.com
48                port_value: 443
49    transport_socket:
50      name: envoy.transport_sockets.tls
51      typed_config:
52        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
53        sni: "*.amazonaws.com"
The filter can also be configured per virtual-host, route or weighted-cluster. In that case, the target cluster must have specific Lambda metadata and target cluster’s endpoint should point to a region where the Lambda function is present.
24                  weighted_clusters:
25                    clusters:
26                    - name: lambda_egress_gateway
27                      weight: 42
28                      typed_per_filter_config:
29                        envoy.filters.http.aws_lambda:
30                          "@type": type.googleapis.com/envoy.extensions.filters.http.aws_lambda.v3.PerRouteConfig
31                          invoke_config:
32                            arn: "arn:aws:lambda:us-west-1:987654321:function:hello_envoy"
33                            payload_passthrough: false
An example with the Lambda metadata applied to a weighted-cluster:
39  clusters:
40  - name: lambda_egress_gateway
41    type: LOGICAL_DNS
42    dns_lookup_family: V4_ONLY
43    lb_policy: ROUND_ROBIN
44    metadata:
45      filter_metadata:
46        com.amazonaws.lambda:
47          egress_gateway: true
48    load_assignment:
49      cluster_name: lambda_egress_gateway
50      endpoints:
51      - lb_endpoints:
52        - endpoint:
53            address:
54              socket_address:
55                address: lambda.us-west-2.amazonaws.com
56                port_value: 443
57    transport_socket:
58      name: envoy.transport_sockets.tls
59      typed_config:
60        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
61        sni: "*.amazonaws.com"
Configuration as an upstream HTTP filter
SigV4 or SigV4A request signatures are calculated using the HTTP host, URL and payload as input. Depending on the configuration, Envoy may modify one or more of these prior to forwarding to the Cluster subsystem, but after the signature has been calculated and inserted into the HTTP headers. Modifying fields in a SigV4 or SigV4A signed request will result in an invalid signature.
To avoid invalid signatures, the AWS Request Signing Filter can be configured as an upstream HTTP filter. This allows signatures to be calculated as a final step before the HTTP request is forwarded upstream, ensuring signatures are correctly calculated over the updated HTTP fields.
Configuring this filter as an upstream HTTP filter is done in a similar way to the downstream case, but using the http_filters filter chain within the cluster configuration.
26  clusters:
27  - name: default_service
28    load_assignment:
29      cluster_name: default_service
30      endpoints:
31      - lb_endpoints:
32        - endpoint:
33            address:
34              socket_address:
35                address: 127.0.0.1
36                port_value: 10001
37    typed_extension_protocol_options:
38      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
39        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
40        upstream_http_protocol_options:
41          auto_sni: true
42          auto_san_validation: true
43        auto_config:
44          http2_protocol_options: {}
45        http_filters:
46        - name: envoy.filters.http.aws_lambda
47          typed_config:
48            "@type": type.googleapis.com/envoy.extensions.filters.http.aws_lambda.v3.Config
49            arn: "arn:aws:lambda:us-west-2:987654321:function:hello_envoy"
50            payload_passthrough: false
Credentials
The filter uses a number of different credentials providers to obtain an AWS access key ID, AWS secret access key, and AWS session token. By default, it moves through the credentials providers in the order described below, stopping when one of them returns an access key ID and a secret access key (the session token is optional).
- inline_credentials field. If this field is configured, no other credentials providers will be used. 
- credential_provider field. By using this field, the filter allows override of the default credential providers, environment variables, credential parameters and file locations. If the credential_provider field is provided, it can be used either to modify the default credentials provider chain, or when custom_credential_provider_chain is set to - true, to create a custom credentials provider chain containing only the specified credentials provider settings. Examples of using these fields are provided in configuration examples.
- Environment variables. The environment variables - AWS_ACCESS_KEY_ID,- AWS_SECRET_ACCESS_KEY, and- AWS_SESSION_TOKENare used.
- The AWS credentials file. The environment variables - AWS_SHARED_CREDENTIALS_FILEand- AWS_PROFILEare respected if they are set, else the file- ~/.aws/credentialsand profile- defaultare used. The fields- aws_access_key_id,- aws_secret_access_key, and- aws_session_tokendefined for the profile in the credentials file are used. These credentials are cached for 1 hour.
- From AssumeRoleWithWebIdentity API call towards AWS Security Token Service using - WebIdentityTokenread from a file pointed by- AWS_WEB_IDENTITY_TOKEN_FILEenvironment variable and role arn read from- AWS_ROLE_ARNenvironment variable. The credentials are extracted from the fields- AccessKeyId,- SecretAccessKey, and- SessionTokenare used, and credentials are cached for 1 hour or until they expire (according to the field- Expiration). To fetch the credentials a static cluster is created with the name- sts_token_service_internal-<region>pointing towards regional AWS Security Token Service.- Note - When - signing_algorithm: AWS_SIGV4Ais set, the STS cluster host is determined as follows:- If your - region(set via profile, environment, or inline) is configured as a SigV4A region set AND contains a wildcard in the first region:- Standard endpoint: - sts.amazonaws.com
- FIPS endpoint: - sts-fips.us-east-1.amazonaws.com
 
- Otherwise: - Uses regional endpoint: - sts.<first-region>.amazonaws.com
 
 
For alternate AWS partitions (e.g. China or GovCloud) with SigV4A signing, specify the correct regional endpoint by setting your first SigV4A region without wildcards (example:
cn-northwest-1)
- Either EC2 instance metadata, ECS task metadata or EKS Pod Identity. For EC2 instance metadata, the fields - AccessKeyId,- SecretAccessKey, and- Tokenare used, and credentials are cached for 1 hour. For ECS task metadata, the fields- AccessKeyId,- SecretAccessKey, and- Tokenare used, and credentials are cached for 1 hour or until they expire (according to the field- Expiration). For EKS Pod Identity, The environment variable- AWS_CONTAINER_AUTHORIZATION_TOKEN_FILEwill point to a mounted file in the container, containing the string required in the Authorization header sent to the EKS Pod Identity Agent. The fields- AccessKeyId,- SecretAccessKey, and- Tokenare used, and credentials are cached for 1 hour or until they expire (according to the field- Expiration).- Note - The AWS credentials provider now supports two methods for fetching credentials: - HTTP async client (new) 
- libcurl (legacy) 
 - To fetch credentials from EC2 or ECS, you must configure a static cluster pointing to the credentials provider: - For EC2: use cluster name - ec2_instance_metadata_server_internal
- For ECS: use cluster name - ecs_task_metadata_server_internal
 - These static clusters are handled automatically: - They are added by default if not specified in bootstrap configuration. 
- They are created even when - envoy.reloadable_features.use_http_client_to_fetch_aws_credentialsis disabled. This ensures the cluster configuration is ready when you enable HTTP client credential fetching later by setting the reloadable feature to- true.
 
Credential Provider Ordering
By default, credential providers will be searched for credentials in the following order:
By using the credential_provider field you can enable only particular providers, or override the settings for any of the configurable providers.
The assume role credential provider is a special case, having it’s own credential_provider field. This is because the provider itself requires credentials to complete the sts:AssumeRole call. The default provider ordering is the same in this case, unless you choose to override the providers and settings.
Statistics
The following statistics are output under the aws.metadata_credentials_provider namespace:
| Name | Type | Description | 
|---|---|---|
| <provider_cluster>.credential_refreshes_performed | Counter | Total credential refreshes performed by this cluster | 
| <provider_cluster>.credential_refreshes_failed | Counter | Total credential refreshes failed by this cluster. For example, this would be incremented if a WebIdentity token was expired | 
| <provider_cluster>.credential_refreshes_succeeded | Counter | Total successful credential refreshes for this cluster. Successful refresh would indicate credentials are available for signing | 
| <provider_cluster>.metadata_refresh_state | Gauge | 0 means the cluster is in initial refresh state, ie no successful credential refreshes have been performed. In 0 state the cluster will attempt credential refresh up to a maximum of once every 30 seconds. 1 means the cluster is in normal credential expiration based refresh state | 
Statistics
The AWS Lambda filter outputs statistics in the http.<stat_prefix>.aws_lambda. namespace. The | stat prefix comes from the owning HTTP connection manager.
| Name | Type | Description | 
|---|---|---|
| server_error | Counter | Total requests that returned invalid JSON response (see payload_passthrough) | 
| upstream_rq_payload_size | Histogram | Size in bytes of the request after JSON-transformation (if any). |