Documentation

AWS Serverless

Suggest Edits

This guide describes how to run a Serverless Gateway on AWS based on Lambda Function using Terraform.

Prerequisites

Gateway Configuration

Clone the Serverless Gateway repository locally: 

git clone https://github.com/akeyless-community/akeyless-serverless-gateway.git

Edit the akeyless-serverless-gateway/terraform/AWS/serverless-gateway/lambda_env_vars.tf file according to the sections below.

Authentication

Set your Gateway with a default Authentication Method to control the level of access your Gateway will have inside your Akeyless account.

The following Authentication Methods are supported for Serverless mode:

When using AWS IAM as the admin_access_id of the Gateway, make sure to set in addition a list of users that will be able to manage your Gateway configuration using the allowed_access_permissions variable, for example:

variable "admin_access_id_type" {
  description = "Set the Admin Auth Type for the Gateway"
  type        = string
  default     = "access_key"
}

variable "admin_access_id" {
  description = "Akeyless API Key Auth Access ID"
  type        = string
  default     = "<Access ID>"
}

variable "admin_access_key" {
  description = "Akeyless Admin Access Key"
  default     = "<Access Key>"
}

variable "allowed_access_permissions" {
  description = "Akeyless allowed_access_permissions"
  type        = string
  default     = "[{\"name\": \"\", \"access_id\": \"\", \"permissions\": [\"admin\"]}]"
}

variable "admin_access_id_type" {
  description = "Set the Admin Auth Type for the Gateway"
  type        = string
  default     = "aws_iam"
}

variable "admin_access_id" {
  description = "Akeyless AWS IAM Auth Access ID"
  type        = string
  default     = "<Access ID>"
}

variable "allowed_access_permissions" {
  description =  "Akeyless allowed_access_permissions"
  type        = string
  default     = "[{\"name\": \"\", \"<Access ID>\": \"\", \"permissions\": [\"admin\"]}]"
}

Where:

  • admin_access_id_type: The Auth Method type for the Gateway either access_key or aws_iam.

  • admin_access_id: The Access ID of the Gateway default Auth Method.

  • admin_access_key: The Access Key of the admin_access_id. Relevant only when admin_access_id_type is access_key.

  • allowed_access_permissions: A list of allowed Access IDs, to delegate permissions users will have on your Gateway components. Required when admin_access_id_type is aws_iam. For example, can be used with API Key or SAML, etc.

Customer Fragment

To work with Zero-Knowledge edit the customer_fragments variable as follows:

variable "customer_fragments"{
  type        = map(any)
  sensitive   = true
  description = ""
  default     =  {
    "customer_fragments": [
      {
        "id": "<Customer Fragment ID>",
        "value": "<Customer Fragment Value>",
        "description": "My Serverless Fragment",
        "name": "ServerLessFragment"
      }
    ]
  }
}

Installation

To install the module, run the following commands:

terraform init
terraform apply

Upon successful installation of the Serverless Gateway, the following output will be generated:

Outputs:

akeyless_serverless_gateway_url = "https://uh4i3r4.execute-api.<region>.amazonaws.com/default/console"
aws_api_gateway_rest_api = "arn:aws:apigateway:<region>::/restapis/uh4i3r4"
aws_lambda_function = "arn:aws:lambda:<region>:<aws-acct-id>:function:<your-serverless-gateway>"
repository_url = "<aws-acct-id>.dkr.ecr.<region>.amazonaws.com/<your>-serverless-gateway-repo-for-lambda"

Note: If the Gateway settings need to be updated after installation, edit the relevant values in the terraform files and run terraform apply.

Initial Gateway Configuration

To configure your Akeyless Gateway:

  1. On your browser, navigate to the URL in the first output above labeled: akeyless_serverless_gateway_url.
  2. Enter your credentials to log in.

📘

Gateway URL

The default value of the akeyless_serverless_gateway_url ends with /default/console which will route you to Akeyless Gateway Console (Port 18888).

To connect to Akeyless Gateway Configuration Manager (Port 8000) use: /default/config

For more information in regards to the Serverless Gateway, refer to the Serverless Gateway repository

Note: After installing the Serverless Gateway, it becomes accessible as a Lambda Function within your AWS account. This enables you to access comprehensive information, monitor its performance, and gain a complete overview of its functionality, while it's possible to edit the Gateway directly from the Lambda function, any changes made will be overwritten during the next terraform apply command.

AWS Configuration

While the lammbda_env_vars.tf file contains the basic configuration required for deploying the Serverless Gateway, You can also configure the variables.tf file to match your AWS account needs. Below are examples of configurable settings:

  • aws_profile - Set the AWS Profile for authentication, the default value is default

  • region - Set the AWS region, the default value is us-east-2

  • api_gw_name Set the name of the gateway in AWS, default value: akeyless-serverless-gateway-api-gateway

  • lambda_func_name Set the name of the lambda function in AWS, the default value is akeyless-serverless-gateway

Find more information about the available terraform configuration files.

Upgrading the Gateway

The Serverless Gateway version can be updated to different versions based on your preferences, follow these steps to update the Gateway:

  • Enter the Serverless Gateway repo in GitHub
  • Go to Lambda Docker Image Configuration > Selecting a Different Version
  • View available versions
  • In varialbes.tf file, change the field image-tag to the version you desire
  • Run terraform apply

The Serverless Gateway will boot with the version you chose.

Limitations

Unavailable services:

Kubernetes / LDAP Authentication, Caching, Automatic Migration, Event on status changes, TLS Configuration.

Updated 1 day ago

What’s Next

Deploy a Serverless Gateway