{"id":18715137,"url":"https://github.com/cerbos/cerbos-aws-lambda","last_synced_at":"2025-04-12T13:07:53.620Z","repository":{"id":83363748,"uuid":"424017476","full_name":"cerbos/cerbos-aws-lambda","owner":"cerbos","description":"Gateway service implements AWS Lambda runtime and invokes Cerbos server API hosted in the same AWS Lambda instance.","archived":false,"fork":false,"pushed_at":"2023-10-24T17:03:19.000Z","size":40,"stargazers_count":15,"open_issues_count":5,"forks_count":5,"subscribers_count":5,"default_branch":"main","last_synced_at":"2024-06-19T10:14:00.637Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cerbos.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2021-11-02T22:26:32.000Z","updated_at":"2024-06-04T16:21:19.000Z","dependencies_parsed_at":"2023-10-24T18:28:01.225Z","dependency_job_id":null,"html_url":"https://github.com/cerbos/cerbos-aws-lambda","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cerbos%2Fcerbos-aws-lambda","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cerbos%2Fcerbos-aws-lambda/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cerbos%2Fcerbos-aws-lambda/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cerbos%2Fcerbos-aws-lambda/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cerbos","download_url":"https://codeload.github.com/cerbos/cerbos-a
ws-lambda/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":223518540,"owners_count":17158689,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-07T13:07:41.574Z","updated_at":"2024-11-07T13:07:42.071Z","avatar_url":"https://github.com/cerbos.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"Cerbos AWS Lambda Docker Image\n==============================\nGateway service implements AWS Lambda runtime and invokes Cerbos server API hosted in the same AWS Lambda instance.\n\nCerbos is the open core, language-agnostic, scalable authorization solution that makes user permissions and authorization simple to implement and manage by writing context-aware access control policies for your application resources.\n\n* [Cerbos website](https://cerbos.dev)\n* [Cerbos documentation](https://docs.cerbos.dev)\n* [Cerbos GitHub repository](https://github.com/cerbos/cerbos)\n* [Cerbos Slack community](http://go.cerbos.io/slack)\n\n## Description\nThis project builds a docker image that can be used to run a Cerbos server in AWS Lambda. The images will contain the gateway executable and the Cerbos binary.\n\nThe following commands assume you run a Unix-like system with x86_64 or arm64 architectures.\n\nThere's also an example of AWS Lambda function based on this image. 
The function is built using the [AWS SAM](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/what-is-sam.html) model.\n\n### Prerequisites\n\nThe following tools are required:\n- Make - build automation tool\n- AWS CLI\n- AWS SAM CLI - if you wish to use the provided AWS Lambda function template\n- Docker\n- jq - if you want the Makefile to automatically detect the version of Cerbos. Otherwise use the `CERBOS_RELEASE` environment variable to specify the Cerbos version to use.\n\n\n### Build the Docker image\n\nSee `conf.default.yml` for the Cerbos configuration. The default configuration uses blob storage, e.g. an AWS S3 bucket. The Cerbos config can read from environment variables. If you choose to do so, your AWS Lambda has to expose them.\n\nBy default, the latest release of Cerbos is used. If you want to use a particular Cerbos version, you can specify it in the `CERBOS_RELEASE` environment variable.\n\nRun the following command to build the docker image 'cerbos/aws-lambda-gateway':\n```shell\nmake image\n```\n\nNote that the image will be built for whatever architecture you are running on (x86 or arm64). The AWS region you use must also support the architecture you are deploying to, or you will get an exec format error when the Lambda tries to start up.\n\n### Publish the Docker image\n\nTo publish the image, you will need to have an AWS ECR repository. You can create one in the AWS console or using AWS CLI with the following command (replace `\u003crepository-name\u003e` with the name of your repository):\n\nYou will see `repositoryUri` in the output of the command. Save it for later use.\n```shell\naws ecr create-repository --repository-name \u003crepository-name\u003e --image-scanning-configuration scanOnPush=true\n```\n\nThen you will need to get an authentication token for the repository. 
You can do it with the following command:\n\n```shell\nexport ECR_REPOSITORY_URL=\u003crepositoryUri\u003e\naws ecr get-login-password  | docker login --username AWS --password-stdin $ECR_REPOSITORY_URL\n```\n\nNow you can publish the image with the following command:\n```shell\nmake publish-image\n```\n\n### Create AWS Lambda function\nYou can create an AWS Lambda function referencing the published image with any tool. Alternatively, you can use the provided template `sam.yml`. For the latter option, open the template and replace `\u003crepositoryUri\u003e` with the value you saved in the previous step. The template exposes these environment variables:\n- BUCKET_URL - the URL of the S3 bucket where Cerbos policies are stored.\n- BUCKET_PREFIX - optional prefix for the S3 bucket.\n- CERBOS_LOGGING_LEVEL - Cerbos logging level. It defaults to INFO.\n\nYou will need to grant the role access to the S3 bucket you are storing policies in.\n\nTo publish the function, run the following command:\n```shell\nmake publish-lambda\n```\n\nThe command will create an AWS Lambda function as part of the stack named by the `CERBOS_STACK_NAME` environment variable (if unset, defaults to `Cerbos`). The stack will also create API Gateway resources and an IAM role for the function. **Ensure the role has the necessary permissions to access the S3 bucket (or other policy storage you might use)**.\n\nShould you change the configuration and rebuild the image, you can update the Lambda via:\n\n```shell\nmake clean\nmake image\nmake publish-image\nmake update-lambda\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcerbos%2Fcerbos-aws-lambda","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcerbos%2Fcerbos-aws-lambda","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcerbos%2Fcerbos-aws-lambda/lists"}