Enable Lambda Insights on a Lambda container image deployment
To enable Lambda Insights on a Lambda function that is deployed as a container image, add lines in your Dockerfile. These lines install the Lambda Insights agent as an extension in your container image. The lines to add are different for x86-64 containers and ARM64 containers.
Note
The Lambda Insights agent is supported only on Lambda runtimes that use Amazon Linux 2.
x86-64 container image deployment
To enable Lambda Insights on a Lambda function that is deployed as a container image running on an x86-64 container, add the following lines in your Dockerfile. These lines install the Lambda Insights agent as an extension in your container image.
RUN curl -O https://lambda-insights-extension.s3-ap-northeast-1.amazonaws.com/amazon_linux/lambda-insights-extension.rpm && \ rpm -U lambda-insights-extension.rpm && \ rm -f lambda-insights-extension.rpm
After you create your Lambda function, assign the CloudWatchLambdaInsightsExecutionRolePolicy IAM policy to the function's execution role, and Lambda Insights is enabled on the container image-based Lambda function.
Note
To use an older version of the Lambda Insights extension, replace the URL
in the previous commands with this URL: https://lambda-insights-extension.s3-ap-northeast-1.amazonaws.com/amazon_linux/lambda-insights-extension.1.0.111.0.rpm
.
Currently, only Lambda Insights versions 1.0.111.0 and later are available. For more information, see Available versions of the Lambda Insights extension.
To verify the signature of the Lambda Insights agent package on a Linux server
Enter the following command to download the public key.
shell$
wget https://lambda-insights-extension.s3-ap-northeast-1.amazonaws.com/lambda-insights-extension.gpgEnter the following command to import the public key into your keyring.
shell$
gpg --import lambda-insights-extension.gpgThe output will be similar to the following. Make a note of the
key
value, you will need it in the next step. In this example output, the key value is848ABDC8
.gpg: key 848ABDC8: public key "Amazon Lambda Insights Extension" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1)
Verify the fingerprint by entering the following command. Replace
key-value
with the value of the key from the preceding step.shell$
gpg --fingerprint key-valueThe fingerprint string in the output of this command should be
E0AF FA11 FFF3 5BD7 349E E222 479C 97A1 848A BDC8
. If the string doesn't match, don't install the agent and contact AWS.After you have verified the fingerprint, you can use it to verify the Lambda Insights agent package. Download the package signature file by entering the following command.
shell$
wget https://lambda-insights-extension.s3-ap-northeast-1.amazonaws.com/amazon_linux/lambda-insights-extension.rpm.sigVerify the signature by entering the following command.
shell$
gpg --verify lambda-insights-extension.rpm.sig lambda-insights-extension.rpmThe output should look like the following:
gpg: Signature made Thu 08 Apr 2021 06:41:00 PM UTC using RSA key ID 848ABDC8 gpg: Good signature from "Amazon Lambda Insights Extension" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: E0AF FA11 FFF3 5BD7 349E E222 479C 97A1 848A BDC8
In the expected output, there might be a warning about a trusted signature. A key is trusted only if you or someone who you trust has signed it. This doesn't mean that the signature is invalid, only that you have not verified the public key.
If the output contains
BAD signature
, check whether you performed the steps correctly. If you continue to get aBAD signature
response, contact AWS and avoid using the downloaded file.
x86-64 Example
This section includes an example of enabling Lambda Insights on a container image-based Python Lambda function.
An example of enabling Lambda Insights on a Lambda container image
Create a Dockerfile that is similar to the following:
FROM public.ecr.aws/lambda/python:3.8 // extra lines to install the agent here RUN curl -O https://lambda-insights-extension.s3-ap-northeast-1.amazonaws.com/amazon_linux/lambda-insights-extension.rpm && \ rpm -U lambda-insights-extension.rpm && \ rm -f lambda-insights-extension.rpm COPY index.py ${LAMBDA_TASK_ROOT} CMD [ "index.handler" ]
Create a Python file named
index.py
that is similar to the following:def handler(event, context): return { 'message': 'Hello World!' }
Put the Dockerfile and
index.py
in the same directory. Then, in that directory, run the following steps to build the docker image and upload it to Amazon ECR.// create an ECR repository aws ecr create-repository --repository-name test-repository // build the docker image docker build -t test-image . // sign in to AWS aws ecr get-login-password | docker login --username AWS --password-stdin "${
ACCOUNT_ID
}".dkr.ecr."${REGION
}".amazonaws.com // tag the image docker tag test-image:latest "${ACCOUNT_ID
}".dkr.ecr."${REGION
}".amazonaws.com/test-repository:latest // push the image to ECR docker push "${ACCOUNT_ID
}".dkr.ecr."${REGION
}".amazonaws.com/test-repository:latestUse that Amazon ECR image that you just created to create the Lambda function.
Assign the CloudWatchLambdaInsightsExecutionRolePolicy IAM policy to the function's execution role.
ARM64 container image deployment
To enable Lambda Insights on a Lambda function that is deployed as a container image running on an AL2_aarch64 container (which uses ARM64 architecture), add the following lines in your Dockerfile. These lines install the Lambda Insights agent as an extension in your container image.
RUN curl -O https://lambda-insights-extension-arm64.s3-ap-northeast-1.amazonaws.com/amazon_linux/lambda-insights-extension-arm64.rpm && \ rpm -U lambda-insights-extension-arm64.rpm && \ rm -f lambda-insights-extension-arm64.rpm
After you create your Lambda function, assign the CloudWatchLambdaInsightsExecutionRolePolicy IAM policy to the function's execution role, and Lambda Insights is enabled on the container image-based Lambda function.
Note
To use an older version of the Lambda Insights extension, replace the URL
in the previous commands with this URL:
https://lambda-insights-extension-arm64.s3-ap-northeast-1.amazonaws.com/amazon_linux/lambda-insights-extension-arm64.1.0.229.0.rpm
.
Currently, only Lambda Insights versions 1.0.229.0 and later are available. For more information, see Available versions of the Lambda Insights extension.
To verify the signature of the Lambda Insights agent package on a Linux server
Enter the following command to download the public key.
shell$
wget https://lambda-insights-extension-arm64.s3-ap-northeast-1.amazonaws.com/lambda-insights-extension.gpgEnter the following command to import the public key into your keyring.
shell$
gpg --import lambda-insights-extension.gpgThe output will be similar to the following. Make a note of the
key
value, you will need it in the next step. In this example output, the key value is848ABDC8
.gpg: key 848ABDC8: public key "Amazon Lambda Insights Extension" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1)
Verify the fingerprint by entering the following command. Replace
key-value
with the value of the key from the preceding step.shell$
gpg --fingerprint key-valueThe fingerprint string in the output of this command should be
E0AF FA11 FFF3 5BD7 349E E222 479C 97A1 848A BDC8
. If the string doesn't match, don't install the agent and contact AWS.After you have verified the fingerprint, you can use it to verify the Lambda Insights agent package. Download the package signature file by entering the following command.
shell$
wget https://lambda-insights-extension-arm64.s3-ap-northeast-1.amazonaws.com/amazon_linux/lambda-insights-extension-arm64.rpm.sigVerify the signature by entering the following command.
shell$
gpg --verify lambda-insights-extension-arm64.rpm.sig lambda-insights-extension-arm64.rpmThe output should look like the following:
gpg: Signature made Thu 08 Apr 2021 06:41:00 PM UTC using RSA key ID 848ABDC8 gpg: Good signature from "Amazon Lambda Insights Extension" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: E0AF FA11 FFF3 5BD7 349E E222 479C 97A1 848A BDC8
In the expected output, there might be a warning about a trusted signature. A key is trusted only if you or someone who you trust has signed it. This doesn't mean that the signature is invalid, only that you have not verified the public key.
If the output contains
BAD signature
, check whether you performed the steps correctly. If you continue to get aBAD signature
response, contact AWS and avoid using the downloaded file.
ARM64 Example
This section includes an example of enabling Lambda Insights on a container image-based Python Lambda function.
An example of enabling Lambda Insights on a Lambda container image
Create a Dockerfile that is similar to the following:
FROM public.ecr.aws/lambda/python:3.8 // extra lines to install the agent here RUN curl -O https://lambda-insights-extension-arm64.s3-ap-northeast-1.amazonaws.com/amazon_linux/lambda-insights-extension-arm64.rpm && \ rpm -U lambda-insights-extension-arm64.rpm && \ rm -f lambda-insights-extension-arm64.rpm COPY index.py ${LAMBDA_TASK_ROOT} CMD [ "index.handler" ]
Create a Python file named
index.py
that is similar to the following:def handler(event, context): return { 'message': 'Hello World!' }
Put the Dockerfile and
index.py
in the same directory. Then, in that directory, run the following steps to build the docker image and upload it to Amazon ECR.// create an ECR repository aws ecr create-repository --repository-name test-repository // build the docker image docker build -t test-image . // sign in to AWS aws ecr get-login-password | docker login --username AWS --password-stdin "${ACCOUNT_ID}".dkr.ecr."${REGION}".amazonaws.com // tag the image docker tag test-image:latest "${ACCOUNT_ID}".dkr.ecr."${REGION}".amazonaws.com/test-repository:latest // push the image to ECR docker push "${ACCOUNT_ID}".dkr.ecr."${REGION}".amazonaws.com/test-repository:latest
Use that Amazon ECR image that you just created to create the Lambda function.
Assign the CloudWatchLambdaInsightsExecutionRolePolicy IAM policy to the function's execution role.