Lambda Function Registration Requirements

Verify that your environment meets the requirements and that you have completed the prerequisites before registering Lambda functions.

Introduction

You can either manually register AWS Lambda functions with Consul or use the Lambda registrator to automatically synchronize Lambda state into Consul. We recommend using the Lambda registrator when possible so that you can keep the configuration entry up to date. The registrator automatically registers, reconfigures, and deregisters Lambdas based on the Lambda function's tags.

Requirements

Consul v1.12.1 and later

Prerequisites

Complete the following prerequisites prior to registering your Lambda functions. You only need to perform these steps once.

Configure IAM Permissions for Envoy

The Envoy proxy that invokes Lambda must have the lambda:InvokeFunction AWS IAM permissions. In the following example, the IAM policy enables an IAM user or role to invoke the example Lambda function:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Invoke",
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction"
            ],
            "Resource": "arn:aws:lambda:us-east-1:123456789012:function:example"
        }
    ]
}

Define AWS IAM credentials in environment variables, EC2 metadata, or ECS metadata. On AWS EKS, associate an IAM role with the proxy's ServiceAccount. Refer to the AWS IAM roles for service accounts documentation for instructions.

Mesh gateway

A mesh gateway is required in the following scenarios:

• Invoking mesh services from Lambda functions
• Invoking Lambda functions from a service deployed to a separate Consul datacenter

Mesh gateways are optional for enabling services to invoke Lambda functions if they are in the same datacenter.

The mesh gateway must be running and registered in the relevant Consul datacenters and admin partitions. Refer to the following documentation and tutorials for instructions on how to set up mesh gateways:

• Mesh gateway documentation
• Connect Services Across Datacenters with Mesh Gateways tutorial
• Secure Service Mesh Communication Across Kubernetes Clusters tutorial

When using admin partitions, you must add Lambda services to the Services field of the exported-services configuration entry.

Optional: Terminating gateway

A terminating gateway is an access point in a Consul datacenter to an external service or node. Terminating gateways are optional when invoking Lambda functions from a mesh service, but they do not play a role when invoking services from Lambda functions.

Refer to the following documentation and tutorials for instructions on how to set up a terminating gateway:

• Terminating gateways documentation
• Terminating gateways on Kubernetes documentation
• Connect External Services to Consul With Terminating Gateways tutorial

To register a Lambda service with a terminating gateway, add the service to the Services field of the terminating gateway's terminating-gateway configuration entry.