Octelium enables you to seamlessly provide identity-based, secret-less secure access to your AWS Lambda functions. Octelium provides you the following benefits:
- You no longer need to have allow unrestricted anonymous access to your AWS Lambda function URLs.
- Eliminate the need to manage AWS IAM identities and create, distribute, monitor and rotate AWS credentials for your, possibly hundreds or thousands of, human Users as well as workloads that actually need to access your Lambda functions. You can read more about Octelium secret-less access capabilities here.
- You can use Octelium's rich identity-based, context-aware, L7 aware, on a per-request basis, centralized access control via policy-as-code with CEL and OPA to enforce fine-grained access control way beyond of what AWS policies can offer (read more about Policies and access control here).
- Centralize identity management for all of your human Users via Octelium's OpenID Connect and SAML 2.0 IdentityProviders (read more here) as well as for your workload Users via OAuth2 client credentials (read more here) and bearer access tokens (read more here).
First you need to create a Lambda function and then create a function URL for it. You can do so by going to the Configuration tab of your lambda function and then go to the Function URL tab and then create one with an Auth type of "AWS_IAM" so that the Lambda function can be accessible to authorized AWS users. You can then create an IAM user and obtain an access key for that user with a lambda:InvokeFunction permission to that Lambda function (read more here). Now, you can create a secret for the secret access key as follows:
octeliumctl create secret lambda-1
Now we create the Service of our Lambda function as follows:
1kind: Service2metadata:3name: my-lambda4spec:5mode: HTTP6isPublic: true7config:8upstream:9url: https://abcdef123456.lambda-url.eu-central-1.on.aws10http:11auth:12sigv4:13accessKeyID: ABCDEF...FEDCBA14secretAccessKey:15fromSecret: lambda-116region: eu-central-117service: lambda
Note that you have to set the service field to lambda and the region field to your actual region.
Authorized Users can now invoke your Lambda function at the public URL https://my-lambda.<DOMAIN>. When it comes to access control, Octelium provides a rich layer-7 aware, identity-based, context-aware ABAC access control on a per-request basis where you can control access based on the HTTP request's path, method, body content, etc... using policy-as-code with CEL and Open Policy Agent (OPA) (You can read more in detail about Policies and access control here). Here is an example:
1kind: Service2metadata:3name: my-lambda4spec:5mode: HTTP6isPublic: true7config:8upstream:9url: https://abcdef123456.lambda-url.eu-central-1.on.aws10http:11auth:12sigv4:13accessKeyID: ABCDEF...FEDCBA14secretAccessKey:15fromSecret: lambda-116region: eu-central-117service: lambda18authorization:19inlinePolicies:20- spec:21rules:22- effect: ALLOW23condition:24all:25of:26- match: ctx.user.spec.email.endsWith("@example.com")27- match: ctx.user.spec.groups.hasAny(["dev", "ops"])28- match: ctx.request.http.path.startsWith("/prefix1")29- match: ctx.request.http.method in ["GET", "POST"]
If you have many Lambda functions that need to be protected, you can use Octelium's dynamic configuration (read more about dynamic configuration here) to protect multiple Lambda functions behind a single Service. For example, you might use different path prefixes for each Lambda function as follows:
1kind: Service2metadata:3name: my-lambda4spec:5mode: HTTP6isPublic: true7dynamicConfig:8configs:9- name: function-110upstream:11url: https://function-1.lambda-url.eu-central-1.on.aws12http:13path:14removePrefix: /function-115auth:16sigv4:17accessKeyID: ABCDEF...FEDCBA18secretAccessKey:19fromSecret: lambda-120region: eu-central-121service: lambda22- name: function-123upstream:24url: https://function-2.lambda-url.eu-central-1.on.aws25http:26path:27removePrefix: /function-228auth:29sigv4:30accessKeyID: ABCDEF...FEDCBA31secretAccessKey:32fromSecret: lambda-133region: eu-central-134service: lambda35rules:36- condition:37match: ctx.request.http.path.startsWith("/function-1")38configName: function-139- condition:40match: ctx.request.http.path.startsWith("/function-2")41configName: function-2
Now the https://function-1.lambda-url.eu-central-1.on.aws function can be accessed at https://my-lambda.<DOMAIN>/function-1 and the https://function-2.lambda-url.eu-central-1.on.aws function can be accessed at https://my-lambda.<DOMAIN>/function-2.
If you have too many Lambda functions to be protected by Octelium, you might also have a look at Namespaces (read more here) to group your Lambda function Services according to your needs.
Octelium also provides OpenTelemetry-ready, application-layer L7 aware visibility and access logging in real time (see an example for HTTP here). You can read more about visibility here.
This was a very short guide to show you how to use Octelium to deploy, scale, route and provide dynamic zero trust secure access to your workloads. Here are a few more related features that you might be interested in:
- Routing not just by request paths, but also by header keys and values, request body content including JSON (read more here).
- Request/response header manipulation (read more here).
- Cross-Origin Resource Sharing (CORS) (read more here).
- gRPC mode (read more here).
- Secret-less access to upstreams and injecting bearer, basic, or custom authentication header credentials (read more here).
- Exposing the API publicly for anonymous access (read more here).
- Application layer-aware ABAC access control via policy-as-code using CEL and Open Policy Agent (read more here).
- OpenTelemetry-ready, application-layer L7 aware auditing and visibility (read more here).