Access AWS Lambda with a credentials secret
Use kgateway to route traffic requests directly to an Amazon Web Services (AWS) Lambda function.
Note that this guide uses a Kubernetes secret that contains long-lived IAM user access keys (prefixed AKIA), not temporary STS/SSO credentials (prefixed ASIA), which fail with signature errors when used this way. To use AWS IAM roles to control access instead, see Access AWS Lambda with a service account.
Before you begin
-
Follow the Get started guide to install kgateway.
-
Follow the Sample app guide to create a gateway proxy with an HTTP listener and deploy the httpbin sample app.
-
Get the external address of the gateway and save it in an environment variable.

export INGRESS_GW_ADDRESS=$(kubectl get svc -n kgateway-system http -o jsonpath="{.status.loadBalancer.ingress[0]['hostname','ip']}")
echo $INGRESS_GW_ADDRESS

If the gateway does not have an external address, port-forward the gateway proxy instead.

kubectl port-forward deployment/http -n kgateway-system 8080:8080
Create an AWS credentials secret
Create a Kubernetes secret that contains your AWS access key and secret key. You must use a long-lived IAM user access key pair (prefixed AKIA), not temporary STS/SSO credentials. Kgateway uses this secret to authenticate to AWS Lambda and invoke the function.
-
Save the AWS account ID and the region that your Lambda function exists in as environment variables.

export REGION=<us-east-1>
export ACCOUNT_ID=<account_id>

-
Save your IAM user access key (prefixed AKIA...) and secret key as environment variables. Make sure that the AWS_SESSION_TOKEN environment variable is not set.

export AWS_ACCESS_KEY_ID="<AKIA-access-key>"
export AWS_SECRET_ACCESS_KEY="<secret-key>"

If you do not have a long-lived IAM user access key pair, you can create one for your IAM user.
- AWS console:
  - Navigate to IAM → Users → (your user).
  - In the Security credentials tab, scroll to the Access keys panel, and click Create access key.
  - Select the CLI option, and create the access key.
  - Copy the output access key ID (prefixed AKIA...) and secret access key.
- AWS CLI:

aws iam create-access-key --user-name <iam-user-name>

-
Verify that these credentials have the appropriate permissions to interact with AWS Lambda. The test command invokes a function named echo2; substitute the name of a Lambda function that already exists in your account.

aws sts get-caller-identity --region ${REGION}
aws lambda invoke --function-name echo2 --region ${REGION} /tmp/out.json

If either command fails, grant the IAM user Lambda invocation permissions in one of the following ways, and re-run the test commands.
- AWS console:
  - Navigate to IAM → Users → (your user).
  - In the Permissions tab, click Add permissions → Create inline policy.
  - Toggle to the JSON editor.
  - Paste the following policy, which allows invocation of the echo2 function only. Replace the region and account ID in the resource ARN with your own.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:802411188784:function:echo2"
    }
  ]
}

- AWS CLI:

aws iam put-user-policy \
  --user-name <iam-user-name> \
  --policy-name AllowInvokeEcho2 \
  --policy-document "{ \"Version\": \"2012-10-17\", \"Statement\": [ {\"Effect\": \"Allow\", \"Action\": \"lambda:InvokeFunction\", \"Resource\": \"arn:aws:lambda:${REGION}:${ACCOUNT_ID}:function:echo2\"} ] }"

-
Create a Kubernetes secret that contains the AWS access key and secret key. Leave sessionToken empty for long-lived keys.

kubectl apply -n kgateway-system -f - << EOF
apiVersion: v1
kind: Secret
metadata:
  name: aws-creds
stringData:
  accessKey: ${AWS_ACCESS_KEY_ID}
  secretKey: ${AWS_SECRET_ACCESS_KEY}
  sessionToken: ""
type: Opaque
EOF
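As an added check that is not part of the original guide or the kgateway project: a short Python helper that validates the shape of the key pair before it goes into the aws-creds secret (AKIA prefix, no session token) and confirms that an inline policy like the one in the permissions step grants only lambda:InvokeFunction on a single function ARN. The sample keys, account ID and ARN are constructed placeholders.

```python
import json
import re

# Long-lived IAM user access keys start with AKIA; temporary STS/SSO keys start with
# ASIA and are only valid together with a session token. The aws-creds secret in this
# guide leaves sessionToken empty, so an ASIA key or a stray AWS_SESSION_TOKEN
# results in the signature errors the guide warns about.
STATIC_KEY_RE = re.compile(r"^AKIA[0-9A-Z]{16}$")


def validate_static_credentials(access_key, secret_key, session_token=""):
    """Return a list of problems; an empty list means the pair is safe to store."""
    problems = []
    if access_key.startswith("ASIA"):
        problems.append("access key is a temporary STS/SSO key (ASIA prefix)")
    elif not STATIC_KEY_RE.match(access_key):
        problems.append("access key is not a 20-character AKIA IAM user key")
    if not secret_key:
        problems.append("secret key is empty")
    if session_token:
        problems.append("session token is set; unset AWS_SESSION_TOKEN for static keys")
    return problems


def validate_invoke_policy(policy_json, function_arn):
    """Check that every Allow statement grants only lambda:InvokeFunction on function_arn."""
    problems = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        for action in [actions] if isinstance(actions, str) else actions:
            if action != "lambda:InvokeFunction":
                problems.append(f"unexpected action {action}")
        for resource in [resources] if isinstance(resources, str) else resources:
            if resource != function_arn:
                problems.append(f"resource {resource} is broader than {function_arn}")
    return problems


# Constructed sample inputs (placeholder values, not real credentials or accounts).
GOOD_KEY = "AKIA" + "A" * 16
TEMP_KEY = "ASIA" + "A" * 16
ECHO_ARN = "arn:aws:lambda:us-east-1:111111111111:function:echo2"
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": ECHO_ARN}]})
BROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"}]})
```

Run validate_static_credentials on the values of AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN before the kubectl apply above; a non-empty result means the secret would produce signature errors.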
Create a Lambda function
Create an AWS Lambda function to test kgateway routing.
-
Log in to the AWS console and navigate to the Lambda page.
-
Click the Create Function button.
-
Name the function echo and click Create function.
-
Replace the default contents of index.mjs with the following Node.js function, which returns a response body that contains exactly what was sent to the function in the request body.

export const handler = async (event) => {
  const response = {
    statusCode: 200,
    body: `Response from AWS Lambda. Here's the request you just sent me: ${JSON.stringify(event)}`,
  };
  return response;
};

-
Click Deploy.
Create a Backend and HTTPRoute
Create Backend and HTTPRoute resources to route requests to the Lambda function.
-
In your terminal, create a Backend resource that references the Lambda secret. Update the region with your AWS account region, such as us-east-1, and update the accountId.

kubectl apply -f - <<EOF
apiVersion: gateway.kgateway.dev/v1alpha1
kind: Backend
metadata:
  name: lambda
  namespace: kgateway-system
spec:
  type: AWS
  aws:
    region: ${REGION}
    accountId: "${ACCOUNT_ID}"
    auth:
      type: Secret
      secretRef:
        name: aws-creds
    lambda:
      functionName: echo
EOF

-
Create an HTTPRoute resource that references the lambda Backend.

kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: lambda
  namespace: kgateway-system
spec:
  parentRefs:
  - name: http
    namespace: kgateway-system
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /echo
    backendRefs:
    - name: lambda
      namespace: kgateway-system
      group: gateway.kgateway.dev
      kind: Backend
EOF

-
Confirm that kgateway correctly routes requests to Lambda by sending a curl request to the echo function. Use the gateway's external address, or localhost if you port-forwarded the gateway proxy.

curl -H "Host: lambda.${REGION}.amazonaws.com" \
  $INGRESS_GW_ADDRESS:8080/echo \
  -d '{"key1":"value1", "key2":"value2"}' -X POST

curl -H "Host: lambda.${REGION}.amazonaws.com" \
  localhost:8080/echo \
  -d '{"key1":"value1", "key2":"value2"}' -X POST

Example response:

{"statusCode":200,"body":"Response from AWS Lambda. Here's the request you just sent me: {\"key1\":\"value1\",\"key2\":\"value2\"}"}
At this point, kgateway is routing directly to the echo Lambda function!
Cleanup
You can remove the resources that you created in this guide.
-
Delete the lambda HTTPRoute and lambda Backend.

kubectl delete HTTPRoute lambda -n kgateway-system
kubectl delete Backend lambda -n kgateway-system

-
Delete the aws-creds secret.

kubectl delete secret aws-creds -n kgateway-system

-
Use the AWS Lambda console to delete the echo test function.