AWS Lambda Concepts: Difference between revisions
(27 intermediate revisions by the same user not shown) | |||
Line 6: | Line 6: | ||
AWS Lambda executes function code securely within an anonymous VPC by default. The function can be configured to securely access resources within a specific VPC, as described in the [[#Relationship_to_a_VPC|Relationship with a VPC]] section. | AWS Lambda executes function code securely within an anonymous VPC by default. The function can be configured to securely access resources within a specific VPC, as described in the [[#Relationship_to_a_VPC|Relationship with a VPC]] section. | ||
=Lambda as AWS Service= | |||
AWS Lambda is an [[Amazon_AWS_Concepts#AWS_Service|AWS service]], named "lambda.amazonaws.com". | |||
=Function Name= | =Function Name= | ||
Line 21: | Line 25: | ||
==Handler Code== | ==Handler Code== | ||
The handler is the function AWS Lambda calls to start execution of the [[#Function_Code|function code]]. The handler is identified when the lambda function is created. When a Lambda function is invoked, AWS Lambda starts executing | The handler is the client function AWS Lambda calls to start execution of the [[#Function_Code|function code]]. The handler is identified when the lambda function is created. When a Lambda function is invoked, AWS Lambda starts executing the code by calling the handler function. AWS Lambda passes any event data to this handler as the first parameter. The handler should process the incoming event data and may invoke any other functions/methods in your code. The format in which the handler is declared includes the filename and can also include namespaces and other qualifiers, depending on the runtime. Update requires no interruption | ||
Java handler function example: <code>playground.amazon.lambda.AJavaLambda::handleRequest</code> | |||
=Runtime= | =Runtime= | ||
Line 30: | Line 36: | ||
The '''runtime identifiers''' are available [https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html here]. Examples: | The '''runtime identifiers''' are available [https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html here]. Examples: | ||
* java-1.8.0-openjdk | * java8: java-1.8.0-openjdk | ||
==Runtime Interface== | ==Runtime Interface== | ||
Line 69: | Line 75: | ||
{{External|[https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html AWS Lambda Layers]}} | {{External|[https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html AWS Lambda Layers]}} | ||
Function layers can be added to the function execution environment. Each layer can be specified by its ARN and version. | |||
=Action= | =Action= | ||
Line 87: | Line 95: | ||
{{External|[https://docs.aws.amazon.com/lambda/latest/dg/vpc.html Configuring a Lambda Function to Access Resources in an Amazon VPC]}} | {{External|[https://docs.aws.amazon.com/lambda/latest/dg/vpc.html Configuring a Lambda Function to Access Resources in an Amazon VPC]}} | ||
{{External|[https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-function-vpcconfig.html VpcConfig]}} | |||
The function may want to connect to resources protected by a VPC, and for that, the function configuration allows configuring VPC connectivity, in form of [https://docs.aws.amazon.com/lambda/latest/dg/vpc.html VPC settings]. These include a list of subnets and security groups in the VPC. AWS Lambda uses the subnet information to set up [[Amazon_VPC_Concepts#Elastic_Network_Interface_.28ENI.29|elastic network interfaces (ENIs)]], <font color=darkgray>one for each subnet</font>, that enable the function to connect securely to other resources within the specified VPC. The security group IDs designate security groups that include resources to which your Lambda function requires access. The security group information is used to <font color=darkgray>... ?</font> When a function is connected to the VPC, it can only access resources and the internet through that VPC. The update requires no interruption. | |||
When a VPC relationship is declared, <font color=darkgray>CloudFormation might not be able to delete the stack if another resource in the template, such as a security group, requires the attached ENI to be deleted before it can be deleted. It is recommended to run CloudFormation with the ec2:DescribeNetworkInterfaces permission, which enables CloudFormation to monitor the state of the ENI and to wait up to 40 minutes for Lambda to delete the ENI.</font> | |||
==ENI Permissions== | |||
If the function is configure to interact with a VPC, its [[#Role|execution role]] must have give it permissions to create, describe and delete ENIs, as such: | |||
<syntaxhighlight lang='yaml'> | |||
Resources: | |||
LambdaExecutionRole: | |||
Type: AWS::IAM::Role | |||
Properties: | |||
Policies: | |||
- PolicyName: 'inline-policy' | |||
PolicyDocument: | |||
... | |||
Statement: | |||
... | |||
- Effect: 'Allow' | |||
Action: | |||
- 'ec2:CreateNetworkInterface' | |||
- 'ec2:DescribeNetworkInterfaces' | |||
- 'ec2:DeleteNetworkInterface' | |||
Resource: | |||
- '*' | |||
</syntaxhighlight> | |||
It is important to not delete this role immediately after the Lambda function execution. There is a delay between the time the Lambda function executes and ENI deletion. If the role is deleted immediately after function execution, the ENIs cannot be deleted automatically and you are becoming responsible for deleting the ENIs. | |||
=Memory Configuration= | |||
The amount of memory allocated to the function can be declared in the function configuration. Increasing the function's memory also increases its CPU allocation. The default value is 128 MB. The value must be a multiple of 64 MB. | |||
=Role= | |||
When the function is declared, it needs the ARN of its execution role. Example: | |||
<syntaxhighlight lang='yaml'> | |||
Resources: | |||
LambdaExecutionRole: | |||
Type: AWS::IAM::Role | |||
Properties: | |||
RoleName: playground-lambda-execution-role | |||
Path: /service-role/ | |||
AssumeRolePolicyDocument: | |||
Version: '2012-10-17' | |||
Statement: | |||
- Effect: 'Allow' | |||
Principal: | |||
Service: | |||
- "lambda.amazonaws.com" | |||
Action: | |||
- "sts:AssumeRole" | |||
Policies: | |||
- PolicyName: 'inline-policy' | |||
PolicyDocument: | |||
Version: '2012-10-17' | |||
Statement: | |||
- Effect: 'Allow' | |||
Action: | |||
- 'logs:CreateLogGroup' | |||
- 'logs:CreateLogStream' | |||
- 'logs:PutLogEvents' | |||
Resource: | |||
- 'arn:aws:logs:*:*:*' | |||
</syntaxhighlight> | |||
If the function is configure to interact with a VPC, its execution role must have permissions to create, describe and delete ENIs, as described in the [[AWS_Lambda_Concepts#ENI_Permissions|ENI Permissions]] section. | |||
=Timeout= | |||
The amount of time that Lambda allows a function to run before terminating it. The default is 3 seconds. The maximum allowed value is 900 seconds. | |||
=Concurrent Execution= | |||
{{External|[https://docs.aws.amazon.com/lambda/latest/dg/concurrent-executions.html Managing Concurrency]}} | |||
The function declaration allows specification of the maximum number of instances of the function that process events simultaneously, as "ReservedConcurrentExecutions". The option both sets the maximum concurrency for the function and reserves concurrency to ensure that it is available. | |||
=Dead Letter= | |||
{{External|[https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-function-deadletterconfig.html DeadLetterConfig]}} | |||
=KMS Management Service Key= | |||
The function encrypts environment variables, and uses a configurable key while doing so. The ARN of the key can be specified. If not provided, AWS Lambda uses a default service key. | |||
=Tracing= | |||
{{External|[https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-function-tracingconfig.html TracingConfig]}} | |||
The execution of a function can be traced with AWS X-Ray by setting the "TracingConfig" to "Active". |
Latest revision as of 04:27, 8 April 2019
Internal
Overview
AWS Lambda executes function code securely within an anonymous VPC by default. The function can be configured to securely access resources within a specific VPC, as described in the Relationship with a VPC section.
Lambda as AWS Service
AWS Lambda is an AWS service, named "lambda.amazonaws.com".
Function Name
If no name is specified when the function is declared, a name will be generated. If a name is specified, no updates that require replacement of this function can be performed. The only updates that can be performed are those that require no or some interruption. To replace the function, a new name must be specified.
Code
It represents the code for the lambda function. The code for all runtimes can be specified by the location of the deployment package, as an S3 location. For Node.js and Python, the code can be specified in-line. The code specification is required. To update the code, the function requires no interruption. However, changes to a deployment package in Amazon S3 are not detected automatically. To update the function code, the object key can be changed, or use object versioning and change the version number in the template.
Function Code
Handler Code
The handler is the client function AWS Lambda calls to start execution of the function code. The handler is identified when the lambda function is created. When a Lambda function is invoked, AWS Lambda starts executing the code by calling the handler function. AWS Lambda passes any event data to this handler as the first parameter. The handler should process the incoming event data and may invoke any other functions/methods in your code. The format in which the handler is declared includes the filename and can also include namespaces and other qualifiers, depending on the runtime. Update requires no interruption
Java handler function example: playground.amazon.lambda.AJavaLambda::handleRequest
Runtime
The runtime specifies the programming language for the function. A required configuration parameter. Requires no interruption on update. All runtimes share the execution environment, which provides additional libraries and environment variables that can be accessed from the function code. A runtime can support a single version of a language, multiple versions of a language, or multiple languages.
The runtime identifiers are available here. Examples:
- java8: java-1.8.0-openjdk
Runtime Interface
Custom Runtime
Custom runtimes can be implemented.
Execution Environment
When a function is invoked, AWS Lambda attempts to re-use the execution environment from a previous invocation, if one is available. This saves time preparing the execution environment, and allows to save resources like database connections and temporary files in the execution context. The execution environment is shared by all runtimes and provides additional libraries and environment variables that you can access from the function code.
The execution environment provides a runtime interface for getting invocation events and sending responses.
Execution Context
The execution context is a temporary runtime environment that initializes any external dependencies of the Lambda function code, such as database connections or HTTP endpoints. Setting up the execution context is known as "bootstrapping", which is a process that takes some time and consequently introduces latency in the lambda function execution. After a Lambda function is executed, AWS Lambda maintains the execution context for some time - the context is "frozen" after the execution completes, and its thawed for reuse. This approach has the following implications:
- Any declaration in the function code - outside the handler code - remains initialized. For example, if a function establishes a database connection, the original connection is used in subsequent invocations.
- Each execution context provides 512MB of additional disk space in the /tmp directory. The directory content remains when the execution context is frozen, providing transient cache that can be sued for multiple invocations.
- Background processes or callbacks initiated by the function that did not complete when the function ended resume if the execution context is reused.
However, reusing the execution context is an optimization, and it is not guaranteed. When you write your Lambda function code, do not assume that AWS Lambda automatically reuses the execution context for subsequent function invocations. Other factors may dictate a need for AWS Lambda to create a new execution context, which can lead to unexpected results, such as database connection failures.
Environment Variables
Environment variables that are accessible from function code during execution can be listed in the function declaration. Updates require no interruption. For an example see Creating a Lambda Function with CloudFormation.
Layer
Function layers can be added to the function execution environment. Each layer can be specified by its ARN and version.
Action
CreateFunction
Invoke
The function-invoking action of the Lambda service.
It may serve as integration endpoint for Amazon API Gateway Lambda function integration.
Relationship to a VPC
The function may want to connect to resources protected by a VPC, and for that, the function configuration allows configuring VPC connectivity, in form of VPC settings. These include a list of subnets and security groups in the VPC. AWS Lambda uses the subnet information to set up elastic network interfaces (ENIs), one for each subnet, that enable the function to connect securely to other resources within the specified VPC. The security group IDs designate security groups that include resources to which your Lambda function requires access. The security group information is used to ... ? When a function is connected to the VPC, it can only access resources and the internet through that VPC. The update requires no interruption.
When a VPC relationship is declared, CloudFormation might not be able to delete the stack if another resource in the template, such as a security group, requires the attached ENI to be deleted before it can be deleted. It is recommended to run CloudFormation with the ec2:DescribeNetworkInterfaces permission, which enables CloudFormation to monitor the state of the ENI and to wait up to 40 minutes for Lambda to delete the ENI.
ENI Permissions
If the function is configure to interact with a VPC, its execution role must have give it permissions to create, describe and delete ENIs, as such:
Resources:
LambdaExecutionRole:
Type: AWS::IAM::Role
Properties:
Policies:
- PolicyName: 'inline-policy'
PolicyDocument:
...
Statement:
...
- Effect: 'Allow'
Action:
- 'ec2:CreateNetworkInterface'
- 'ec2:DescribeNetworkInterfaces'
- 'ec2:DeleteNetworkInterface'
Resource:
- '*'
It is important to not delete this role immediately after the Lambda function execution. There is a delay between the time the Lambda function executes and ENI deletion. If the role is deleted immediately after function execution, the ENIs cannot be deleted automatically and you are becoming responsible for deleting the ENIs.
Memory Configuration
The amount of memory allocated to the function can be declared in the function configuration. Increasing the function's memory also increases its CPU allocation. The default value is 128 MB. The value must be a multiple of 64 MB.
Role
When the function is declared, it needs the ARN of its execution role. Example:
Resources:
LambdaExecutionRole:
Type: AWS::IAM::Role
Properties:
RoleName: playground-lambda-execution-role
Path: /service-role/
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: 'Allow'
Principal:
Service:
- "lambda.amazonaws.com"
Action:
- "sts:AssumeRole"
Policies:
- PolicyName: 'inline-policy'
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: 'Allow'
Action:
- 'logs:CreateLogGroup'
- 'logs:CreateLogStream'
- 'logs:PutLogEvents'
Resource:
- 'arn:aws:logs:*:*:*'
If the function is configure to interact with a VPC, its execution role must have permissions to create, describe and delete ENIs, as described in the ENI Permissions section.
Timeout
The amount of time that Lambda allows a function to run before terminating it. The default is 3 seconds. The maximum allowed value is 900 seconds.
Concurrent Execution
The function declaration allows specification of the maximum number of instances of the function that process events simultaneously, as "ReservedConcurrentExecutions". The option both sets the maximum concurrency for the function and reserves concurrency to ensure that it is available.
Dead Letter
KMS Management Service Key
The function encrypts environment variables, and uses a configurable key while doing so. The ARN of the key can be specified. If not provided, AWS Lambda uses a default service key.
Tracing
The execution of a function can be traced with AWS X-Ray by setting the "TracingConfig" to "Active".