Invoke an AWS Lambda function from Kong. It can be used in combination with other request plugins to secure, manage or extend the function.


Configuring the plugin is straightforward, you can add it on top of an API by executing the following request on your Kong server:

$ curl -X POST http://kong:8001/apis/{api}/plugins \
    --data "name=aws-lambda" \
    --data-urlencode "config.aws_key=AWS_KEY" \
    --data-urlencode "config.aws_secret=AWS_SECRET" \
    --data "config.aws_region=AWS_REGION" \
    --data "config.function_name=LAMBDA_FUNCTION_NAME"

api: The id or name of the API that this plugin configuration will target

You can also apply this plugin for every API using the http://kong:8001/plugins/ endpoint. Read the Plugin Reference for more information.

Reminder: curl by default sends payloads with an application/x-www-form-urlencoded MIME type, which will naturally be URL- decoded by Kong. To ensure special characters that are likely to appear in your AWS key or secret (like +) are correctly decoded, you must URL-encode them, hence use --date-urlencode if you are using curl. Alternatives to this approach would be to send your payload with a different MIME type (like application/json), or to use a different HTTP client.

form parameter default description
name The name of the plugin to use, in this case: aws-lambda
config.aws_key The AWS key credential to be used when invoking the function
config.aws_secret The AWS secret credential to be used when invoking the function
config.aws_region The AWS region where the Lambda function is located. Regions supported are: us-east-1, us-east-2, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, eu-central-1, eu-west-1
config.function_name The AWS Lambda function name to invoke
`` The Qualifier to use when invoking the function.
RequestResponse The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun
Tail The LogType to use when invoking the function. By default None and Tail are supported
60000 An optional timeout in milliseconds when invoking the function
60000 An optional value in milliseconds that defines how long an idle connection will live before being closed
config.unhandled_status `` The response status code to use (instead of the default 200, 202, or 204) in the case of an Unhandled Function Error

Sending parameters

Any form parameter sent along with the request, will be also sent as an argument to the AWS Lambda function.

Known Issues

Use a fake upstream_url

When using the AWS Lambda plugin, the response will be returned by the plugin itself without proxying the request to any upstream service. This means that whatever upstream_url has been set on the API it will never be used.

Although upstream_url will never be used, it's currently a mandatory field in Kong's data model and its hostname must be resolvable. So set it to a fake value (ie, if you are planning to use this plugin. Failing to do so will result in 500 errors regarding a resolution failure.

In the future we will provide a more intuitive way to deal with similar use cases.

Response plugins

There is a known limitation in the system that prevents some response plugins from being executed. We are planning to remove this limitation in the future.

Keep up with the latest features