CreateFunction - AWS Lambda

CreateFunction

Creates a Lambda function. To create a function, you need a deployment package and an execution role. The deployment package is a .zip file archive or container image that contains your function code. The execution role grants the function permission to use AWS services, such as Amazon CloudWatch Logs for log streaming and AWS X-Ray for request tracing.

If the deployment package is a container image, then you set the package type to Image. For a container image, the code property must include the URI of a container image in the Amazon ECR registry. You do not need to specify the handler and runtime properties.

If the deployment package is a .zip file archive, then you set the package type to Zip. For a .zip file archive, the code property specifies the location of the .zip file. You must also specify the handler and runtime properties. The code in the deployment package must be compatible with the target instruction set architecture of the function (x86-64 or arm64). If you do not specify the architecture, then the default value is x86-64.

When you create a function, Lambda provisions an instance of the function and its supporting resources. If your function connects to a VPC, this process can take a minute or so. During this time, you can't invoke or modify the function. The State, StateReason, and StateReasonCode fields in the response from GetFunctionConfiguration indicate when the function is ready to invoke. For more information, see Lambda function states.

A function has an unpublished version, and can have published versions and aliases. The unpublished version changes when you update your function's code and configuration. A published version is a snapshot of your function code and configuration that can't be changed. An alias is a named resource that maps to a version, and can be changed to map to a different version. Use the Publish parameter to create version 1 of your function from its initial configuration.

The other parameters let you configure version-specific and function-level settings. You can modify version-specific settings later with UpdateFunctionConfiguration. Function-level settings apply to both the unpublished and published versions of the function, and include tags (TagResource) and per-function concurrency limits (PutFunctionConcurrency).

You can use code signing if your deployment package is a .zip file archive. To enable code signing for this function, specify the ARN of a code-signing configuration. When a user attempts to deploy a code package with UpdateFunctionCode, Lambda checks that the code package has a valid signature from a trusted publisher. The code-signing configuration includes set of signing profiles, which define the trusted publishers for this function.

If another AWS account or an AWS service invokes your function, use AddPermission to grant permission by creating a resource-based AWS Identity and Access Management (IAM) policy. You can grant permissions at the function level, on a version, or on an alias.

To invoke your function directly, use Invoke. To invoke your function in response to events in other AWS services, create an event source mapping (CreateEventSourceMapping), or configure a function trigger in the other service. For more information, see Invoking Lambda functions.

Request Syntax

POST /2015-03-31/functions HTTP/1.1 Content-type: application/json { "Architectures": [ "string" ], "Code": { "ImageUri": "string", "S3Bucket": "string", "S3Key": "string", "S3ObjectVersion": "string", "SourceKMSKeyArn": "string", "ZipFile": blob }, "CodeSigningConfigArn": "string", "DeadLetterConfig": { "TargetArn": "string" }, "Description": "string", "Environment": { "Variables": { "string" : "string" } }, "EphemeralStorage": { "Size": number }, "FileSystemConfigs": [ { "Arn": "string", "LocalMountPath": "string" } ], "FunctionName": "string", "Handler": "string", "ImageConfig": { "Command": [ "string" ], "EntryPoint": [ "string" ], "WorkingDirectory": "string" }, "KMSKeyArn": "string", "Layers": [ "string" ], "LoggingConfig": { "ApplicationLogLevel": "string", "LogFormat": "string", "LogGroup": "string", "SystemLogLevel": "string" }, "MemorySize": number, "PackageType": "string", "Publish": boolean, "Role": "string", "Runtime": "string", "SnapStart": { "ApplyOn": "string" }, "Tags": { "string" : "string" }, "Timeout": number, "TracingConfig": { "Mode": "string" }, "VpcConfig": { "Ipv6AllowedForDualStack": boolean, "SecurityGroupIds": [ "string" ], "SubnetIds": [ "string" ] } }

URI Request Parameters

The request does not use any URI parameters.

Request Body

The request accepts the following data in JSON format.

Architectures

The instruction set architecture that the function supports. Enter a string array with one of the valid values (arm64 or x86_64). The default value is x86_64.

Type: Array of strings

Array Members: Fixed number of 1 item.

Valid Values: x86_64 | arm64

Required: No

Code

The code for the function.

Type: FunctionCode object

Required: Yes

CodeSigningConfigArn

To enable code signing for this function, specify the ARN of a code-signing configuration. A code-signing configuration includes a set of signing profiles, which define the trusted publishers for this function.

Type: String

Length Constraints: Maximum length of 200.

Pattern: arn:(aws[a-zA-Z-]*)?:lambda:[a-z]{2}((-gov)|(-iso(b?)))?-[a-z]+-\d{1}:\d{12}:code-signing-config:csc-[a-z0-9]{17}

Required: No

DeadLetterConfig

A dead-letter queue configuration that specifies the queue or topic where Lambda sends asynchronous events when they fail processing. For more information, see Dead-letter queues.

Type: DeadLetterConfig object

Required: No

Description

A description of the function.

Type: String

Length Constraints: Minimum length of 0. Maximum length of 256.

Required: No

Environment

Environment variables that are accessible from function code during execution.

Type: Environment object

Required: No

EphemeralStorage

The size of the function's /tmp directory in MB. The default value is 512, but can be any whole number between 512 and 10,240 MB. For more information, see Configuring ephemeral storage (console).

Type: EphemeralStorage object

Required: No

FileSystemConfigs

Connection settings for an Amazon EFS file system.

Type: Array of FileSystemConfig objects

Array Members: Maximum number of 1 item.

Required: No

FunctionName

The name or ARN of the Lambda function.

Name formats
  • Function namemy-function.

  • Function ARNarn:aws:lambda:us-west-2:123456789012:function:my-function.

  • Partial ARN123456789012:function:my-function.

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 140.

Pattern: (arn:(aws[a-zA-Z-]*)?:lambda:)?([a-z]{2}(-gov)?-[a-z]+-\d{1}:)?(\d{12}:)?(function:)?([a-zA-Z0-9-_]+)(:(\$LATEST|[a-zA-Z0-9-_]+))?

Required: Yes

Handler

The name of the method within your code that Lambda calls to run your function. Handler is required if the deployment package is a .zip file archive. The format includes the file name. It can also include namespaces and other qualifiers, depending on the runtime. For more information, see Lambda programming model.

Type: String

Length Constraints: Maximum length of 128.

Pattern: [^\s]+

Required: No

ImageConfig

Container image configuration values that override the values in the container image Dockerfile.

Type: ImageConfig object

Required: No

KMSKeyArn

The ARN of the AWS Key Management Service (AWS KMS) customer managed key that's used to encrypt the following resources:

  • The function's environment variables.

  • The function's Lambda SnapStart snapshots.

  • When used with SourceKMSKeyArn, the unzipped version of the .zip deployment package that's used for function invocations. For more information, see Specifying a customer managed key for Lambda.

  • The optimized version of the container image that's used for function invocations. Note that this is not the same key that's used to protect your container image in the Amazon Elastic Container Registry (Amazon ECR). For more information, see Function lifecycle.

If you don't provide a customer managed key, Lambda uses an AWS owned key or an AWS managed key.

Type: String

Pattern: (arn:(aws[a-zA-Z-]*)?:[a-z0-9-.]+:.*)|()

Required: No

Layers

A list of function layers to add to the function's execution environment. Specify each layer by its ARN, including the version.

Type: Array of strings

Length Constraints: Minimum length of 1. Maximum length of 140.

Pattern: arn:[a-zA-Z0-9-]+:lambda:[a-zA-Z0-9-]+:\d{12}:layer:[a-zA-Z0-9-_]+:[0-9]+

Required: No

LoggingConfig

The function's Amazon CloudWatch Logs configuration settings.

Type: LoggingConfig object

Required: No

MemorySize

The amount of memory available to the function at runtime. Increasing the function memory also increases its CPU allocation. The default value is 128 MB. The value can be any multiple of 1 MB.

Type: Integer

Valid Range: Minimum value of 128. Maximum value of 10240.

Required: No

PackageType

The type of deployment package. Set to Image for container image and set to Zip for .zip file archive.

Type: String

Valid Values: Zip | Image

Required: No

Publish

Set to true to publish the first version of the function during creation.

Type: Boolean

Required: No

Role

The Amazon Resource Name (ARN) of the function's execution role.

Type: String

Pattern: arn:(aws[a-zA-Z-]*)?:iam::\d{12}:role/?[a-zA-Z_0-9+=,.@\-_/]+

Required: Yes

Runtime

The identifier of the function's runtime. Runtime is required if the deployment package is a .zip file archive. Specifying a runtime results in an error if you're deploying a function using a container image.

The following list includes deprecated runtimes. Lambda blocks creating new functions and updating existing functions shortly after each runtime is deprecated. For more information, see Runtime use after deprecation.

For a list of all currently supported runtimes, see Supported runtimes.

Type: String

Valid Values: nodejs | nodejs4.3 | nodejs6.10 | nodejs8.10 | nodejs10.x | nodejs12.x | nodejs14.x | nodejs16.x | java8 | java8.al2 | java11 | python2.7 | python3.6 | python3.7 | python3.8 | python3.9 | dotnetcore1.0 | dotnetcore2.0 | dotnetcore2.1 | dotnetcore3.1 | dotnet6 | dotnet8 | nodejs4.3-edge | go1.x | ruby2.5 | ruby2.7 | provided | provided.al2 | nodejs18.x | python3.10 | java17 | ruby3.2 | ruby3.3 | python3.11 | nodejs20.x | provided.al2023 | python3.12 | java21 | python3.13 | nodejs22.x

Required: No

SnapStart

The function's SnapStart setting.

Type: SnapStart object

Required: No

Tags

A list of tags to apply to the function.

Type: String to string map

Required: No

Timeout

The amount of time (in seconds) that Lambda allows a function to run before stopping it. The default is 3 seconds. The maximum allowed value is 900 seconds. For more information, see Lambda execution environment.

Type: Integer

Valid Range: Minimum value of 1.

Required: No

TracingConfig

Set Mode to Active to sample and trace a subset of incoming requests with X-Ray.

Type: TracingConfig object

Required: No

VpcConfig

For network connectivity to AWS resources in a VPC, specify a list of security groups and subnets in the VPC. When you connect a function to a VPC, it can access resources and the internet only through that VPC. For more information, see Configuring a Lambda function to access resources in a VPC.

Type: VpcConfig object

Required: No

Response Syntax

HTTP/1.1 201 Content-type: application/json { "Architectures": [ "string" ], "CodeSha256": "string", "CodeSize": number, "DeadLetterConfig": { "TargetArn": "string" }, "Description": "string", "Environment": { "Error": { "ErrorCode": "string", "Message": "string" }, "Variables": { "string" : "string" } }, "EphemeralStorage": { "Size": number }, "FileSystemConfigs": [ { "Arn": "string", "LocalMountPath": "string" } ], "FunctionArn": "string", "FunctionName": "string", "Handler": "string", "ImageConfigResponse": { "Error": { "ErrorCode": "string", "Message": "string" }, "ImageConfig": { "Command": [ "string" ], "EntryPoint": [ "string" ], "WorkingDirectory": "string" } }, "KMSKeyArn": "string", "LastModified": "string", "LastUpdateStatus": "string", "LastUpdateStatusReason": "string", "LastUpdateStatusReasonCode": "string", "Layers": [ { "Arn": "string", "CodeSize": number, "SigningJobArn": "string", "SigningProfileVersionArn": "string" } ], "LoggingConfig": { "ApplicationLogLevel": "string", "LogFormat": "string", "LogGroup": "string", "SystemLogLevel": "string" }, "MasterArn": "string", "MemorySize": number, "PackageType": "string", "RevisionId": "string", "Role": "string", "Runtime": "string", "RuntimeVersionConfig": { "Error": { "ErrorCode": "string", "Message": "string" }, "RuntimeVersionArn": "string" }, "SigningJobArn": "string", "SigningProfileVersionArn": "string", "SnapStart": { "ApplyOn": "string", "OptimizationStatus": "string" }, "State": "string", "StateReason": "string", "StateReasonCode": "string", "Timeout": number, "TracingConfig": { "Mode": "string" }, "Version": "string", "VpcConfig": { "Ipv6AllowedForDualStack": boolean, "SecurityGroupIds": [ "string" ], "SubnetIds": [ "string" ], "VpcId": "string" } }

Response Elements

If the action is successful, the service sends back an HTTP 201 response.

The following data is returned in JSON format by the service.

Architectures

The instruction set architecture that the function supports. Architecture is a string array with one of the valid values. The default architecture value is x86_64.

Type: Array of strings

Array Members: Fixed number of 1 item.

Valid Values: x86_64 | arm64

CodeSha256

The SHA256 hash of the function's deployment package.

Type: String

CodeSize

The size of the function's deployment package, in bytes.

Type: Long

DeadLetterConfig

The function's dead letter queue.

Type: DeadLetterConfig object

Description

The function's description.

Type: String

Length Constraints: Minimum length of 0. Maximum length of 256.

Environment

The function's environment variables. Omitted from AWS CloudTrail logs.

Type: EnvironmentResponse object

EphemeralStorage

The size of the function's /tmp directory in MB. The default value is 512, but can be any whole number between 512 and 10,240 MB. For more information, see Configuring ephemeral storage (console).

Type: EphemeralStorage object

FileSystemConfigs

Connection settings for an Amazon EFS file system.

Type: Array of FileSystemConfig objects

Array Members: Maximum number of 1 item.

FunctionArn

The function's Amazon Resource Name (ARN).

Type: String

Pattern: arn:(aws[a-zA-Z-]*)?:lambda:[a-z]{2}(-gov)?-[a-z]+-\d{1}:\d{12}:function:[a-zA-Z0-9-_\.]+(:(\$LATEST|[a-zA-Z0-9-_]+))?

FunctionName

The name of the function.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 170.

Pattern: (arn:(aws[a-zA-Z-]*)?:lambda:)?([a-z]{2}(-gov)?-[a-z]+-\d{1}:)?(\d{12}:)?(function:)?([a-zA-Z0-9-_\.]+)(:(\$LATEST|[a-zA-Z0-9-_]+))?

Handler

The function that Lambda calls to begin running your function.

Type: String

Length Constraints: Maximum length of 128.

Pattern: [^\s]+

ImageConfigResponse

The function's image configuration values.

Type: ImageConfigResponse object

KMSKeyArn

The ARN of the AWS Key Management Service (AWS KMS) customer managed key that's used to encrypt the following resources:

  • The function's environment variables.

  • The function's Lambda SnapStart snapshots.

  • When used with SourceKMSKeyArn, the unzipped version of the .zip deployment package that's used for function invocations. For more information, see Specifying a customer managed key for Lambda.

  • The optimized version of the container image that's used for function invocations. Note that this is not the same key that's used to protect your container image in the Amazon Elastic Container Registry (Amazon ECR). For more information, see Function lifecycle.

If you don't provide a customer managed key, Lambda uses an AWS owned key or an AWS managed key.

Type: String

Pattern: (arn:(aws[a-zA-Z-]*)?:[a-z0-9-.]+:.*)|()

LastModified

The date and time that the function was last updated, in ISO-8601 format (YYYY-MM-DDThh:mm:ss.sTZD).

Type: String

LastUpdateStatus

The status of the last update that was performed on the function. This is first set to Successful after function creation completes.

Type: String

Valid Values: Successful | Failed | InProgress

LastUpdateStatusReason

The reason for the last update that was performed on the function.

Type: String

LastUpdateStatusReasonCode

The reason code for the last update that was performed on the function.

Type: String

Valid Values: EniLimitExceeded | InsufficientRolePermissions | InvalidConfiguration | InternalError | SubnetOutOfIPAddresses | InvalidSubnet | InvalidSecurityGroup | ImageDeleted | ImageAccessDenied | InvalidImage | KMSKeyAccessDenied | KMSKeyNotFound | InvalidStateKMSKey | DisabledKMSKey | EFSIOError | EFSMountConnectivityError | EFSMountFailure | EFSMountTimeout | InvalidRuntime | InvalidZipFileException | FunctionError

Layers

The function's layers.

Type: Array of Layer objects

LoggingConfig

The function's Amazon CloudWatch Logs configuration settings.

Type: LoggingConfig object

MasterArn

For Lambda@Edge functions, the ARN of the main function.

Type: String

Pattern: arn:(aws[a-zA-Z-]*)?:lambda:[a-z]{2}(-gov)?-[a-z]+-\d{1}:\d{12}:function:[a-zA-Z0-9-_]+(:(\$LATEST|[a-zA-Z0-9-_]+))?

MemorySize

The amount of memory available to the function at runtime.

Type: Integer

Valid Range: Minimum value of 128. Maximum value of 10240.

PackageType

The type of deployment package. Set to Image for container image and set Zip for .zip file archive.

Type: String

Valid Values: Zip | Image

RevisionId

The latest updated revision of the function or alias.

Type: String

Role

The function's execution role.

Type: String

Pattern: arn:(aws[a-zA-Z-]*)?:iam::\d{12}:role/?[a-zA-Z_0-9+=,.@\-_/]+

Runtime

The identifier of the function's runtime. Runtime is required if the deployment package is a .zip file archive. Specifying a runtime results in an error if you're deploying a function using a container image.

The following list includes deprecated runtimes. Lambda blocks creating new functions and updating existing functions shortly after each runtime is deprecated. For more information, see Runtime use after deprecation.

For a list of all currently supported runtimes, see Supported runtimes.

Type: String

Valid Values: nodejs | nodejs4.3 | nodejs6.10 | nodejs8.10 | nodejs10.x | nodejs12.x | nodejs14.x | nodejs16.x | java8 | java8.al2 | java11 | python2.7 | python3.6 | python3.7 | python3.8 | python3.9 | dotnetcore1.0 | dotnetcore2.0 | dotnetcore2.1 | dotnetcore3.1 | dotnet6 | dotnet8 | nodejs4.3-edge | go1.x | ruby2.5 | ruby2.7 | provided | provided.al2 | nodejs18.x | python3.10 | java17 | ruby3.2 | ruby3.3 | python3.11 | nodejs20.x | provided.al2023 | python3.12 | java21 | python3.13 | nodejs22.x

RuntimeVersionConfig

The ARN of the runtime and any errors that occured.

Type: RuntimeVersionConfig object

SigningJobArn

The ARN of the signing job.

Type: String

Pattern: arn:(aws[a-zA-Z0-9-]*):([a-zA-Z0-9\-])+:([a-z]{2}(-gov)?-[a-z]+-\d{1})?:(\d{12})?:(.*)

SigningProfileVersionArn

The ARN of the signing profile version.

Type: String

Pattern: arn:(aws[a-zA-Z0-9-]*):([a-zA-Z0-9\-])+:([a-z]{2}(-gov)?-[a-z]+-\d{1})?:(\d{12})?:(.*)

SnapStart

Set ApplyOn to PublishedVersions to create a snapshot of the initialized execution environment when you publish a function version. For more information, see Improving startup performance with Lambda SnapStart.

Type: SnapStartResponse object

State

The current state of the function. When the state is Inactive, you can reactivate the function by invoking it.

Type: String

Valid Values: Pending | Active | Inactive | Failed

StateReason

The reason for the function's current state.

Type: String

StateReasonCode

The reason code for the function's current state. When the code is Creating, you can't invoke or modify the function.

Type: String

Valid Values: Idle | Creating | Restoring | EniLimitExceeded | InsufficientRolePermissions | InvalidConfiguration | InternalError | SubnetOutOfIPAddresses | InvalidSubnet | InvalidSecurityGroup | ImageDeleted | ImageAccessDenied | InvalidImage | KMSKeyAccessDenied | KMSKeyNotFound | InvalidStateKMSKey | DisabledKMSKey | EFSIOError | EFSMountConnectivityError | EFSMountFailure | EFSMountTimeout | InvalidRuntime | InvalidZipFileException | FunctionError

Timeout

The amount of time in seconds that Lambda allows a function to run before stopping it.

Type: Integer

Valid Range: Minimum value of 1.

TracingConfig

The function's AWS X-Ray tracing configuration.

Type: TracingConfigResponse object

Version

The version of the Lambda function.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: (\$LATEST|[0-9]+)

VpcConfig

The function's networking configuration.

Type: VpcConfigResponse object

Errors

For information about the errors that are common to all actions, see Common Errors.

CodeSigningConfigNotFoundException

The specified code signing configuration does not exist.

HTTP Status Code: 404

CodeStorageExceededException

Your AWS account has exceeded its maximum total code size. For more information, see Lambda quotas.

HTTP Status Code: 400

CodeVerificationFailedException

The code signature failed one or more of the validation checks for signature mismatch or expiry, and the code signing policy is set to ENFORCE. Lambda blocks the deployment.

HTTP Status Code: 400

InvalidCodeSignatureException

The code signature failed the integrity check. If the integrity check fails, then Lambda blocks deployment, even if the code signing policy is set to WARN.

HTTP Status Code: 400

InvalidParameterValueException

One of the parameters in the request is not valid.

HTTP Status Code: 400

ResourceConflictException

The resource already exists, or another operation is in progress.

HTTP Status Code: 409

ResourceNotFoundException

The resource specified in the request does not exist.

HTTP Status Code: 404

ServiceException

The AWS Lambda service encountered an internal error.

HTTP Status Code: 500

TooManyRequestsException

The request throughput limit was exceeded. For more information, see Lambda quotas.

HTTP Status Code: 429

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: