AWS Serverless
This guide describes how to run a Serverless Gateway on AWS based on Lambda Function using Terraform.
Prerequisites
- Terraform >=1.0.0
- AWS account.
- Network port 8000 on the cluster must be open only for internal network access, allowing access to the following services using the corresponding endpoints:
| Service | Endpoint |
|---|---|
| Gateway Console | /console |
| HashiCorp Vault Proxy | /hvp |
| Akeyless V1 REST API | /api/v1 |
| Akeyless V2 REST API | /api/v2 |
| KMIP Server | port 5696 |
For example, to reach the /api/v2 endpoint, use: https://your_serverless_gw_url.com/api/v2
Warning: Make sure that this server is not globally open to the public network. Akeyless Gateway requires only connections to Akeyless SaaS Core Services.
Gateway Configuration
Clone the Serverless Gateway repository locally:
git clone https://github.com/akeyless-community/akeyless-serverless-gateway.git
Edit the akeyless-serverless-gateway/terraform/AWS/serverless-gateway/lambda_env_vars.tf file according to the sections below.
Authentication
Set your Gateway with a default Authentication Method to control the level of access your Gateway will have inside your Akeyless account.
The following Authentication Methods are supported for Serverless mode:
When using AWS IAM as the admin_access_id of the Gateway, also set the list of users that will be able to manage your Gateway configuration using the allowed_access_permissions variable, for example:
API Key (access_key):

variable "admin_access_id_type" {
  description = "Set the Admin Auth Type for the Gateway"
  type        = string
  default     = "access_key"
}
variable "admin_access_id" {
  description = "Akeyless API Key Auth Access ID"
  type        = string
  default     = "<Access ID>"
}
variable "admin_access_key" {
  description = "Akeyless Admin Access Key"
  type        = string
  sensitive   = true # keep the key out of plan/apply output
  default     = "<Access Key>"
}
variable "allowed_access_permissions" {
  description = "Akeyless allowed_access_permissions"
  type        = string
  default     = "[{\"name\": \"\", \"access_id\": \"\", \"permissions\": [\"admin\"]}]"
}
AWS IAM (aws_iam):

variable "admin_access_id_type" {
  description = "Set the Admin Auth Type for the Gateway"
  type        = string
  default     = "aws_iam"
}
variable "admin_access_id" {
  description = "Akeyless AWS IAM Auth Access ID"
  type        = string
  default     = "<Access ID>"
}
variable "allowed_access_permissions" {
  description = "Akeyless allowed_access_permissions"
  type        = string
  # each entry must use the access_id key; the Access ID placeholder is its value
  default     = "[{\"name\": \"\", \"access_id\": \"<Access ID>\", \"permissions\": [\"admin\"]}]"
}
Where:
- admin_access_id_type: The Auth Method type for the Gateway, either access_key or aws_iam.
- admin_access_id: The Access ID of the Gateway default Auth Method.
- admin_access_key: The Access Key of the admin_access_id. Relevant only when admin_access_id_type is access_key.
- allowed_access_permissions: A list of allowed Access IDs, to delegate the permissions users will have on your Gateway components. Required when admin_access_id_type is aws_iam. The listed Access IDs can belong to any Auth Method, for example API Key or SAML.
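The allowed_access_permissions value is a JSON list carried inside an HCL string, so Terraform itself does not check its shape; a placeholder used as a key instead of access_id, or an empty access_id, only surfaces later. The following Python is an added example (not code from the Akeyless repository) that builds the value from a list of entries, escapes it for pasting as an HCL default, and validates an existing value; the access ID and name it uses are constructed sample values.

```python
import json

# Keys every allowed_access_permissions entry carries in the page's examples.
REQUIRED_KEYS = {"name", "access_id", "permissions"}


def build_allowed_access_permissions(entries):
    """Serialise (name, access_id, permissions) tuples into the JSON list string
    expected by the allowed_access_permissions variable."""
    return json.dumps(
        [{"name": n, "access_id": a, "permissions": list(p)} for n, a, p in entries]
    )


def to_hcl_default(json_text):
    """Escape the JSON string so it can be used verbatim as an HCL quoted default
    (backslashes first, then double quotes), matching the escaped form on the page."""
    return '"' + json_text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def validate_allowed_access_permissions(json_text):
    """Return a list of problems found in the value; an empty list means usable."""
    problems = []
    try:
        entries = json.loads(json_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(entries, list) or not entries:
        return ["value must be a non-empty JSON list"]
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict):
            problems.append(f"entry {i}: not an object")
            continue
        missing = REQUIRED_KEYS - entry.keys()
        if missing:
            # Catches the placeholder-as-key mistake: {"<Access ID>": ""}
            problems.append(f"entry {i}: missing keys {sorted(missing)}")
            continue
        if not entry["access_id"]:
            problems.append(f"entry {i}: access_id is empty")
        perms = entry["permissions"]
        if not isinstance(perms, list) or not perms:
            problems.append(f"entry {i}: permissions must be a non-empty list")
    return problems


if __name__ == "__main__":
    # Constructed sample entry; "p-1234abcd" is not a real Access ID.
    value = build_allowed_access_permissions([("ops-team", "p-1234abcd", ["admin"])])
    print("default =", to_hcl_default(value))
    print("problems:", validate_allowed_access_permissions(value))
```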
Customer Fragment
To work with Zero-Knowledge, edit the customer_fragments variable as follows:

variable "customer_fragments" {
  type        = map(any)
  sensitive   = true
  description = ""
  default = {
    "customer_fragments": [
      {
        "id": "<Customer Fragment ID>",
        "value": "<Customer Fragment Value>",
        "description": "My Serverless Fragment",
        "name": "ServerLessFragment"
      }
    ]
  }
}
Installation
To install the module, run the following commands:
terraform init
terraform apply
Upon successful installation of the Serverless Gateway, the following output will be generated:
Outputs:
akeyless_serverless_gateway_url = "https://uh4i3r4.execute-api.<region>.amazonaws.com/default/console"
aws_api_gateway_rest_api = "arn:aws:apigateway:<region>::/restapis/uh4i3r4"
aws_lambda_function = "arn:aws:lambda:<region>:<aws-acct-id>:function:<your-serverless-gateway>"
repository_url = "<aws-acct-id>.dkr.ecr.<region>.amazonaws.com/<your>-serverless-gateway-repo-for-lambda"
Note: If the Gateway settings need to be updated after installation, edit the relevant values in the Terraform files and run terraform apply again.
Initial Gateway Configuration
To configure your Akeyless Gateway:
- On your browser, navigate to the URL in the first output above, labeled akeyless_serverless_gateway_url.
- Enter your credentials to log in.
Gateway URL
The default value of akeyless_serverless_gateway_url ends with /default/console, which routes you to the Akeyless Gateway Console (port 18888). To connect to the Akeyless Gateway Configuration Manager (port 8000), use /default/config instead.
For more information about the Serverless Gateway, refer to the Serverless Gateway repository.
Note: After installation, the Serverless Gateway is accessible as a Lambda Function within your AWS account, where you can view its configuration, monitor its performance and get a complete overview of its functionality. Although it is possible to edit the Gateway directly from the Lambda function, any changes made there will be overwritten by the next terraform apply command.
AWS Configuration
While the lambda_env_vars.tf file contains the basic configuration required for deploying the Serverless Gateway, you can also configure the variables.tf file to match your AWS account needs. Below are examples of configurable settings:
- aws_profile - Set the AWS profile used for authentication; the default value is default.
- region - Set the AWS region; the default value is us-east-2.
- api_gw_name - Set the name of the API Gateway in AWS; the default value is akeyless-serverless-gateway-api-gateway.
- lambda_func_name - Set the name of the Lambda function in AWS; the default value is akeyless-serverless-gateway.
Find more information about the available terraform configuration files.
Upgrading the Gateway
The Serverless Gateway can be updated to a different version based on your preferences. Follow these steps to update the Gateway:
- Enter the Serverless Gateway repo in GitHub.
- Go to Lambda Docker Image Configuration > Selecting a Different Version.
- View the available versions.
- In the variables.tf file, change the image-tag field to the version you desire.
- Run terraform apply.
The Serverless Gateway will boot with the version you chose.
Limitations
Unavailable services:
Kubernetes / LDAP Authentication, Caching, Automatic Migration, Event on status changes, TLS Configuration.