Creating and managing Lambda function URLs - AWS Lambda

A function URL is a dedicated HTTP(S) endpoint for your Lambda function. You can create and configure a function URL through the Lambda console or the Lambda API. When you create a function URL, Lambda automatically generates a unique URL endpoint for you. Function URL endpoints have the following format:

https://<url-id>.lambda-url.<region>.on.aws

Lambda generates the <url-id> portion of the endpoint based on a number of factors, including your AWS account ID. Because this process is deterministic, it may be possible for anyone to retrieve your account ID from the <url-id>.

Creating a function URL (console)

Follow these steps to create a function URL using the console.

To create a function URL for an existing function (console)

  1. Open the Functions page of the Lambda console.

  2. Choose the name of the function that you want to create the function URL for.

  3. Choose the Configuration tab, and then choose Function URL.

  4. Choose Create function URL.

  5. For Auth type, choose AWS_IAM or NONE. For more information about function URL authentication, see Security and auth model.

  6. (Optional) Select Configure cross-origin resource sharing (CORS), and then configure the CORS settings for your function URL. For more information about CORS, see Cross-origin resource sharing (CORS).

  7. Choose Save.

This creates a function URL for the $LATEST unpublished version of your function. The function URL appears in the Function overview section of the console.

To create a function URL for an existing alias (console)

  1. Open the Functions page of the Lambda console.

  2. Choose the name of the function with the alias that you want to create the function URL for.

  3. Choose the Aliases tab, and then choose the name of the alias that you want to create the function URL for.

  4. Choose the Configuration tab, and then choose Function URL.

  5. Choose Create function URL.

  6. For Auth type, choose AWS_IAM or NONE. For more information about function URL authentication, see Security and auth model.

  7. (Optional) Select Configure cross-origin resource sharing (CORS), and then configure the CORS settings for your function URL. For more information about CORS, see Cross-origin resource sharing (CORS).

  8. Choose Save.

This creates a function URL for your function alias. The function URL appears in the console's Function overview section for your alias.

To create a new function with a function URL (console)

  1. Open the Functions page of the Lambda console.

  2. Choose Create function.

  3. Under Basic information, do the following:

    1. For Function name, enter a name for your function, such as my-function.

    2. For Runtime, choose the language runtime that you prefer, such as Node.js 14.x.

    3. For Architecture, choose either x86_64 or arm64.

    4. Expand Permissions, then choose whether to create a new execution role or use an existing one.

  4. Expand Advanced settings, and then select Function URL.

  5. For Auth type, choose AWS_IAM or NONE. For more information about function URL authentication, see Security and auth model.

  6. (Optional) Select Configure cross-origin resource sharing (CORS). By selecting this option during function creation, your function URL allows requests from all origins by default. You can edit the CORS settings for your function URL after creating the function. For more information about CORS, see Cross-origin resource sharing (CORS).

  7. Choose Create function.

This creates a new function with a function URL for the $LATEST unpublished version of the function. The function URL appears in the Function overview section of the console.

Creating a function URL (AWS CLI)

To create a function URL for an existing Lambda function using the AWS Command Line Interface (AWS CLI), run the following command:

    # --qualifier and --cors-config are optional.
    aws lambda create-function-url-config \
        --function-name my-function \
        --qualifier prod \
        --auth-type AWS_IAM \
        --cors-config '{"AllowOrigins": ["https://example.com"]}'

This adds a function URL to the prod qualifier for the function my-function. For more information about these configuration parameters, see CreateFunctionUrlConfig in the API reference.

Note

To create a function URL via the AWS CLI, the function must already exist.

Adding a function URL to a CloudFormation template

To add an AWS::Lambda::Url resource to your AWS CloudFormation template, use the following syntax:

JSON

    {
      "Type" : "AWS::Lambda::Url",
      "Properties" : {
          "AuthType" : String,
          "Cors" : Cors,
          "Qualifier" : String,
          "TargetFunctionArn" : String
      }
    }

YAML

    Type: AWS::Lambda::Url
    Properties:
      AuthType: String
      Cors: Cors
      Qualifier: String
      TargetFunctionArn: String

Parameters

  • (Required) AuthType – Defines the type of authentication for your function URL. Possible values are either AWS_IAM or NONE. To restrict access to authenticated IAM users only, set to AWS_IAM. To bypass IAM authentication and allow any user to make requests to your function, set to NONE.

  • (Optional) Cors – Defines the CORS settings for your function URL. To add Cors to your AWS::Lambda::Url resource in CloudFormation, use the following syntax.

    Example AWS::Lambda::Url.Cors (JSON)

        {
          "AllowCredentials" : Boolean,
          "AllowHeaders" : [ String, ... ],
          "AllowMethods" : [ String, ... ],
          "AllowOrigins" : [ String, ... ],
          "ExposeHeaders" : [ String, ... ],
          "MaxAge" : Integer
        }

    Example AWS::Lambda::Url.Cors (YAML)

        AllowCredentials: Boolean
        AllowHeaders:
          - String
        AllowMethods:
          - String
        AllowOrigins:
          - String
        ExposeHeaders:
          - String
        MaxAge: Integer

  • (Optional) Qualifier – The alias name.

  • (Required) TargetFunctionArn – The name or Amazon Resource Name (ARN) of the Lambda function. Valid name formats include the following:

    • Function name – my-function

    • Function ARN – arn:aws:lambda:us-west-2:123456789012:function:my-function

    • Partial ARN – 123456789012:function:my-function
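
A template review for the AuthType and Cors parameters described above, as an added example that is not part of the AWS documentation. The sample template, the logical IDs and the audit_function_urls function are constructed for illustration.

```python
import json

# Constructed sample template (not from the page): a public URL, an
# IAM-protected URL on the prod alias, and an unrelated resource.
TEMPLATE = json.loads("""
{"Resources": {
  "PublicUrl": {"Type": "AWS::Lambda::Url", "Properties": {
    "AuthType": "NONE",
    "TargetFunctionArn": "my-function",
    "Cors": {"AllowOrigins": ["*"], "AllowMethods": ["*"]}}},
  "ProdUrl": {"Type": "AWS::Lambda::Url", "Properties": {
    "AuthType": "AWS_IAM",
    "Qualifier": "prod",
    "TargetFunctionArn": "my-function",
    "Cors": {"AllowOrigins": ["https://example.com"],
             "AllowMethods": ["GET", "POST"]}}},
  "Bucket": {"Type": "AWS::S3::Bucket"}
}}
""")


def audit_function_urls(template):
    """Return (logical_id, finding) pairs for AWS::Lambda::Url resources."""
    findings = []
    for logical_id, res in sorted(template.get("Resources", {}).items()):
        if res.get("Type") != "AWS::Lambda::Url":
            continue
        props = res.get("Properties", {})
        auth = props.get("AuthType")
        if auth == "NONE":
            findings.append((logical_id, "AuthType NONE: IAM authentication is bypassed"))
        elif auth != "AWS_IAM":
            # Missing, misspelled, or an intrinsic function such as Ref.
            findings.append((logical_id, "AuthType is not a literal AWS_IAM or NONE"))
        cors = props.get("Cors")
        if not isinstance(cors, dict):
            cors = {}
        for prop in ("AllowOrigins", "AllowMethods"):
            values = cors.get(prop) or []
            if isinstance(values, list) and "*" in values:
                findings.append((logical_id, f"Cors.{prop} contains '*'"))
    return findings


if __name__ == "__main__":
    for logical_id, finding in audit_function_urls(TEMPLATE):
        print(f"{logical_id}: {finding}")
```
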

Cross-origin resource sharing (CORS)

To define how different origins can access your function URL, use cross-origin resource sharing (CORS). We recommend configuring CORS if you intend to call your function URL from a different domain. Lambda supports the following CORS headers for function URLs.

| CORS header | CORS configuration property | Example values |
|---|---|---|
| Access-Control-Allow-Origin | AllowOrigins | * (allow all origins), https://www.example.com, http://localhost:60905 |
| Access-Control-Allow-Methods | AllowMethods | GET, POST, DELETE, * |
| Access-Control-Allow-Headers | AllowHeaders | Date, Keep-Alive, X-Custom-Header |
| Access-Control-Expose-Headers | ExposeHeaders | Date, Keep-Alive, X-Custom-Header |
| Access-Control-Allow-Credentials | AllowCredentials | TRUE |
| Access-Control-Max-Age | MaxAge | 5 (default), 300 |

When you configure CORS for a function URL using the Lambda console or the AWS CLI, Lambda automatically adds the CORS headers to all responses through the function URL. Alternatively, you can manually add CORS headers to your function response. If there are conflicting headers, the configured CORS headers on the function URL take precedence.

Throttling function URLs

Throttling limits the rate at which your function processes requests. This is useful in many situations, such as preventing your function from overloading downstream resources, or handling a sudden surge in requests.

You can throttle the rate of requests that your Lambda function processes through a function URL by configuring reserved concurrency. Reserved concurrency limits the maximum number of concurrent invocations for your function. Your function's maximum request rate per second (RPS) is equivalent to 10 times the configured reserved concurrency. For example, if you configure your function with a reserved concurrency of 100, then the maximum RPS is 1,000.

Whenever your function concurrency exceeds the reserved concurrency, your function URL returns an HTTP 429 status code. If your function receives a request that exceeds the 10x RPS maximum based on your configured reserved concurrency, you also receive an HTTP 429 error. For more information about reserved concurrency, see Managing Lambda reserved concurrency.

Deactivating function URLs

In an emergency, you might want to reject all traffic to your function URL. To deactivate your function URL, set the reserved concurrency to zero. This throttles all requests to your function URL, resulting in HTTP 429 status responses. To reactivate your function URL, delete the reserved concurrency configuration, or set the configuration to an amount greater than zero.
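
The deactivate and reactivate procedure above, as an added example that is not part of the AWS documentation. It assumes a boto3 Lambda client is passed in as client; FakeLambdaClient is a constructed in-memory stand-in so the code runs offline, and the function names are illustrative.

```python
class FakeLambdaClient:
    """Constructed stand-in for boto3.client("lambda"), for offline runs."""

    def __init__(self, reserved=None):
        self.reserved = reserved  # None: no reserved concurrency configured

    def get_function_concurrency(self, FunctionName):
        if self.reserved is None:
            return {}
        return {"ReservedConcurrentExecutions": self.reserved}

    def put_function_concurrency(self, FunctionName, ReservedConcurrentExecutions):
        self.reserved = ReservedConcurrentExecutions
        return {"ReservedConcurrentExecutions": self.reserved}

    def delete_function_concurrency(self, FunctionName):
        self.reserved = None


def max_rps(reserved):
    """Function URL request ceiling from the page: 10 x reserved concurrency."""
    return 10 * reserved


def deactivate_function_url(client, function_name):
    """Set reserved concurrency to 0 so the function URL returns HTTP 429.

    Returns the previous setting (None if nothing was configured) so it can
    be restored after the incident.
    """
    current = client.get_function_concurrency(FunctionName=function_name)
    previous = current.get("ReservedConcurrentExecutions")
    client.put_function_concurrency(
        FunctionName=function_name, ReservedConcurrentExecutions=0)
    return previous


def reactivate_function_url(client, function_name, previous):
    """Restore the saved setting, or delete the configuration if there was
    none (or it was already zero), which is what reactivates the URL."""
    if not previous:
        client.delete_function_concurrency(FunctionName=function_name)
    else:
        client.put_function_concurrency(
            FunctionName=function_name, ReservedConcurrentExecutions=previous)
```

Reserved concurrency is a function-level setting, so setting it to zero throttles every invocation of the function, not only requests that arrive through the function URL.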