Access AWS Lambda with a credentials secret
Use kgateway to route traffic requests directly to an Amazon Web Services (AWS) Lambda function.
Note that this guide uses a Kubernetes secret that contains your AWS access key and secret key to invoke Lambda functions. To use AWS IAM roles to control access instead, see Access AWS Lambda with a service account.
Before you begin
- Follow the Get started guide to install kgateway.
- Follow the Sample app guide to create an API gateway proxy with an HTTP listener and deploy the httpbin sample app.
- Get the external address of the gateway and save it in an environment variable.

    export INGRESS_GW_ADDRESS=$(kubectl get svc -n kgateway-system http -o jsonpath="{.status.loadBalancer.ingress[0]['hostname','ip']}")
    echo $INGRESS_GW_ADDRESS

  For local testing without an external address, port-forward the gateway instead.

    kubectl port-forward deployment/http -n kgateway-system 8080:8080
Create an AWS credentials secret
Create a Kubernetes secret that contains your AWS access key and secret key. Kgateway uses this secret to connect to AWS Lambda for authentication and function invocation.
- Get the access key and secret key for your AWS account. Note that your AWS credentials must have the appropriate permissions to interact with AWS Lambda.
- Create a Kubernetes secret that contains the AWS access key and secret key.

    kubectl apply -n kgateway-system -f - << EOF
    apiVersion: v1
    kind: Secret
    metadata:
      name: aws-creds
    stringData:
      accessKey: ${AWS_ACCESS_KEY_ID}
      secretKey: ${AWS_SECRET_ACCESS_KEY}
      sessionToken: ""
    type: Opaque
    EOF
Create a Lambda function
Create an AWS Lambda function to test kgateway routing.
- Log in to the AWS console and navigate to the Lambda page.
- Click the Create Function button.
- Name the function echo and click Create function.
- Replace the default contents of index.mjs with the following Node.js function, which returns a response body that contains exactly what was sent to the function in the request body.

    export const handler = async(event) => {
      const response = {
        statusCode: 200,
        body: `Response from AWS Lambda. Here's the request you just sent me: ${JSON.stringify(event)}`
      };
      return response;
    };
- Click Deploy.
Create a Backend and HTTPRoute
Create kgateway Backend and HTTPRoute resources to route requests to the Lambda function.
- In your terminal, create a Backend resource that references the Lambda secret. Update the region with your AWS account region, such as us-east-1, and update the accountId.

    kubectl apply -f - <<EOF
    apiVersion: gateway.kgateway.dev/v1alpha1
    kind: Backend
    metadata:
      name: lambda
      namespace: kgateway-system
    spec:
      type: AWS
      aws:
        region: <region>
        accountId: "<account-id>"
        auth:
          type: Secret
          secretRef:
            name: aws-creds
        lambda:
          functionName: echo
    EOF
- Create an HTTPRoute resource that references the lambda Backend.

    kubectl apply -f - <<EOF
    apiVersion: gateway.networking.k8s.io/v1
    kind: HTTPRoute
    metadata:
      name: lambda
      namespace: kgateway-system
    spec:
      parentRefs:
        - name: http
          namespace: kgateway-system
      rules:
        - matches:
          - path:
              type: PathPrefix
              value: /echo
          backendRefs:
            - name: lambda
              namespace: kgateway-system
              group: gateway.kgateway.dev
              kind: Backend
    EOF
- Confirm that kgateway correctly routes requests to Lambda by sending a curl request to the echo function.

    curl $INGRESS_GW_ADDRESS:8080/echo -d '{"key1":"value1", "key2":"value2"}' -X POST

  If you port-forwarded the gateway for local testing, send the request to localhost instead.

    curl localhost:8080/echo -d '{"key1":"value1", "key2":"value2"}' -X POST

  Example response:

    {"statusCode":200,"body":"Response from AWS Lambda. Here's the request you just sent me: {\"key1\":\"value1\",\"key2\":\"value2\"}"}

At this point, kgateway is routing directly to the echo Lambda function!
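A preflight check for the aws-creds Secret and lambda Backend created above, as an added example that is not part of the kgateway documentation. It catches an empty key left by an unset shell variable in the heredoc, flags the access key type, and builds an IAM policy that limits the credentials to invoking the echo function. The function names, sample values, and the assumptions that secretRef resolves in the Backend's own namespace and that lambda:InvokeFunction is the only permission the route needs are not from the guide.

```python
import json
import re

# Constructed sample manifests, shaped like the Secret and Backend applied in this
# guide but written as Python dicts. All credential values are placeholders.
SECRET = {"metadata": {"name": "aws-creds", "namespace": "kgateway-system"},
          "stringData": {"accessKey": "AKIAEXAMPLEEXAMPLE00",
                         "secretKey": "placeholder", "sessionToken": ""}}
BACKEND = {"metadata": {"name": "lambda", "namespace": "kgateway-system"},
           "spec": {"type": "AWS", "aws": {
               "region": "us-east-1", "accountId": "123456789012",
               "auth": {"type": "Secret", "secretRef": {"name": "aws-creds"}},
               "lambda": {"functionName": "echo"}}}}

def invoke_policy(backend):
    """IAM policy that allows invoking only the function the Backend names."""
    aws = backend["spec"]["aws"]
    arn = "arn:aws:lambda:{}:{}:function:{}".format(
        aws["region"], aws["accountId"], aws["lambda"]["functionName"])
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": arn}]}

def preflight(secret, backend):
    """Return a list of findings for the Secret/Backend pair (hypothetical helper)."""
    findings, aws = [], backend["spec"]["aws"]
    # Assumption: the name-only secretRef is resolved in the Backend's namespace.
    if aws["auth"]["secretRef"]["name"] != secret["metadata"]["name"]:
        findings.append("Backend secretRef does not name this Secret")
    if backend["metadata"].get("namespace") != secret["metadata"].get("namespace"):
        findings.append("Secret and Backend are in different namespaces")
    if not re.fullmatch(r"\d{12}", str(aws["accountId"])):
        findings.append("accountId is not a 12-digit AWS account ID")
    data = secret.get("stringData", {})
    # An unset AWS_ACCESS_KEY_ID in the heredoc still applies, with an empty value.
    for key in ("accessKey", "secretKey"):
        if not data.get(key):
            findings.append(f"Secret key '{key}' is missing or empty")
    key_id, token = data.get("accessKey", ""), data.get("sessionToken", "")
    if key_id.startswith("ASIA") and not token:
        findings.append("temporary (ASIA) access key without a sessionToken")
    if key_id.startswith("AKIA"):
        findings.append("long-term (AKIA) access key: rotate it and scope it to invoke_policy()")
    return findings

if __name__ == "__main__":
    print("\n".join(preflight(SECRET, BACKEND)))
    print(json.dumps(invoke_policy(BACKEND), indent=2))
```
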
Cleanup
You can remove the resources that you created in this guide.
- Delete the lambda HTTPRoute and lambda Backend.

    kubectl delete HTTPRoute lambda -n kgateway-system
    kubectl delete Backend lambda -n kgateway-system
- Delete the aws-creds secret.

    kubectl delete secret aws-creds -n kgateway-system
- Use the AWS Lambda console to delete the echo test function.