Create a Lambda OCI Function with the ACK Lambda Controller

Create a Lambda Function with an OCI Image Using Elastic Kubernetes Service (EKS).

The ACK service controller for Amazon Lambda lets you manage Lambda functions directly from Kubernetes. This guide shows you how to create a Lambda function from an OCI image using a single Kubernetes resource manifest.


Although it is not necessary to use Amazon Elastic Kubernetes Service (Amazon EKS) or Amazon Elastic Container Registry (Amazon ECR) with ACK, this guide assumes that you have access to an Amazon EKS cluster. If this is your first time creating an Amazon EKS cluster and Amazon ECR repository, see Amazon EKS Setup and Amazon ECR Setup.


This guide assumes that you have:

  • Created an EKS cluster with Kubernetes version 1.16 or higher.
  • Access to Amazon ECR.
  • AWS IAM permissions to create roles and attach policies to roles.
  • Installed the following tools on the client machine used to access your Kubernetes cluster:
    • AWS CLI - A command line tool for interacting with AWS services.
    • kubectl - A command line tool for working with Kubernetes clusters.
    • eksctl - A command line tool for working with EKS clusters.
    • Helm 3.8+ - A tool for installing and managing Kubernetes applications.
    • Docker - A tool to build, share, and run containers.

Install the ACK service controller for Lambda

Log into the Helm registry that stores the ACK charts:

aws ecr-public get-login-password --region us-west-2 | helm registry login --username AWS --password-stdin

Deploy the ACK service controller for Amazon Lambda using the lambda-chart Helm chart. This example creates resources in the us-west-2 region, but you can use any other region supported in AWS.

RELEASE_VERSION=$(curl -sL${SERVICE}-controller/releases/latest | jq -r '.tag_name | ltrimstr("v")')
helm install --create-namespace -n ack-system oci:// "--version=${RELEASE_VERSION}" --generate-name --set=aws.region=us-west-2

For a full list of the values the Helm chart accepts, review the values.yaml file.

Configure IAM permissions

Once the service controller is deployed, configure the IAM permissions that let the controller invoke the Lambda API. For full details, review the AWS Controllers for Kubernetes documentation on configuring IAM permissions. If you follow the examples in that documentation, use the value lambda for SERVICE.

Create Lambda function handler

The Lambda function handler is the method in your function code that processes events. When your function is invoked, Lambda runs the handler method.

cat <<EOF > app.js
// Lambda entry point: returns a fixed HTTP-style response for any event.
exports.handler = async (event) => {
    const response = {
        statusCode: 200,
        body: JSON.stringify('Hello from Lambda!')
    };
    return response;
};
EOF

Create and Build a Docker Image

Create a Dockerfile that will be used to build the image for our Lambda function:

cat <<EOF > Dockerfile

COPY app.js package.json ./

RUN npm install

CMD [ "app.handler" ]
EOF

Build the Docker image in your local environment. You will need to install dependencies using npm:

npm init -y
docker build -t hello-world .

Publish the Docker image to ECR

Publish the Docker image to an ECR repository. Lambda requires the container image to be published to an ECR repository before it can run as an OCI image function.

export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
export AWS_REGION=us-west-2

aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin ${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}
aws ecr create-repository --repository-name hello-world --image-scanning-configuration scanOnPush=true --image-tag-mutability MUTABLE
docker tag hello-world:latest "${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}"
docker push "${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}"

Deploy the Lambda OCI function using the ACK Lambda controller

The following example creates a manifest that contains the Lambda OCI function. It then uses kubectl to create the resource in Kubernetes:

export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
export IMAGE_URI="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}"
export FUNCTION_NAME="lambda-oci-ack"
export LAMBDA_ROLE="arn:aws:iam::${AWS_ACCOUNT_ID}:role/lambda_basic_execution"

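read -r -d '' LAMBDA_MANIFEST <<EOF
apiVersion: lambda.services.k8s.aws/v1alpha1
kind: Function
metadata:
 name: $FUNCTION_NAME
 annotations:
   services.k8s.aws/region: $AWS_REGION
spec:
 name: $FUNCTION_NAME
 packageType: Image
 code:
     imageURI: $IMAGE_URI
 role: $LAMBDA_ROLE
 description: function created by ACK lambda-controller e2e tests
EOF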

echo "${LAMBDA_MANIFEST}" > function.yaml

kubectl create -f function.yaml

You should get a confirmation that the function was created successfully; the output line ends with created.
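
An added example, not part of the ACK documentation: a pre-flight check for IMAGE_URI and LAMBDA_ROLE before they are substituted into function.yaml. It rejects malformed values (stray whitespace, no repository path) and tag references such as hello-world:latest, because a tag in a MUTABLE repository can be repointed after the image was scanned while a digest cannot. The function names are hypothetical, the sample values are constructed, and the URI pattern assumes the standard private ECR format in the commercial AWS partition.

```shell
#!/bin/sh
# Added example (not from the ACK docs): validate IMAGE_URI and
# LAMBDA_ROLE before rendering function.yaml.
# Function names are hypothetical; all sample values are constructed.

# 0 if $1 is a private ECR image reference (assumed commercial-partition format):
# <account>.dkr.ecr.<region>.amazonaws.com/<repo> then :tag or @sha256:<64 hex>
valid_image_uri() {
    case "$1" in *[[:space:]]*) return 1 ;; esac   # e.g. a trailing space
    printf '%s\n' "$1" | grep -Eq \
'^[0-9]{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com/[a-z0-9][a-z0-9._/-]*(:[A-Za-z0-9_][A-Za-z0-9_.-]*|@sha256:[0-9a-f]{64})$'
}

# 0 if $1 references the image by content digest rather than by tag.
pinned_by_digest() {
    case "$1" in *@sha256:*) return 0 ;; *) return 1 ;; esac
}

# 0 if $1 looks like an IAM role ARN with a 12-digit account ID.
valid_role_arn() {
    case "$1" in *[[:space:]]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^arn:aws:iam::[0-9]{12}:role/[A-Za-z0-9+=,.@_/-]+$'
}

# Returns 0 = ok, 1 = malformed image URI, 2 = tag reference (mutable),
# 3 = malformed role ARN. Diagnostics go to stderr.
preflight() {
    valid_image_uri "$1" || { echo "image URI malformed: '$1'" >&2; return 1; }
    pinned_by_digest "$1" || { echo "image referenced by tag, not digest" >&2; return 2; }
    valid_role_arn "$2" || { echo "role ARN malformed: '$2'" >&2; return 3; }
}

# Constructed sample values (111122223333 is a placeholder account ID).
REG="111122223333.dkr.ecr.us-west-2.amazonaws.com"
DIGEST="sha256:$(printf '%064d' 0)"
ROLE="arn:aws:iam::111122223333:role/lambda_basic_execution"

for uri in "$REG/hello-world@$DIGEST" "$REG/hello-world:latest" "$REG "; do
    if preflight "$uri" "$ROLE" 2>/dev/null; then rc=0; else rc=$?; fi
    echo "rc=$rc  uri='$uri'"
done
```

The digest of a pushed image can be read with aws ecr describe-images --repository-name hello-world --image-ids imageTag=latest --query 'imageDetails[0].imageDigest' --output text.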

To get details about the Lambda function, run the following.

kubectl describe "function/${FUNCTION_NAME}"

Invoke the Lambda OCI Function

After you have verified that the Lambda OCI function is deployed correctly, you can invoke the function through the AWS CLI.

aws lambda invoke --function-name ${FUNCTION_NAME} --region us-west-2 /dev/stdout | jq

The output is as follows:

{"statusCode":200,"body":"\"Hello from Lambda!\""} 

Next steps

The ACK service controller for Amazon Lambda is based on the Amazon Lambda API.

Refer to API Reference for Lambda to find all the supported Kubernetes custom resources and fields.


You can delete your Lambda OCI function using the kubectl delete command:

kubectl delete -f function.yaml

To remove the Lambda ACK service controller, related CRDs, and namespaces, see ACK Cleanup.

To delete your EKS clusters, see Amazon EKS - Deleting a cluster.
