AWS::Serverless::Function
Creates an AWS Lambda function, an AWS Identity and Access Management (IAM) execution role, and event source mappings that trigger the function.
The AWS::Serverless::Function resource also supports the Metadata
resource attribute, so you can instruct AWS SAM to build custom runtimes that your
application requires. For more information about building custom runtimes, see Building custom runtimes.
Syntax
To declare this entity in your AWS Serverless Application Model (AWS SAM) template, use the following syntax.
YAML
Type: AWS::Serverless::Function Properties: AssumeRolePolicyDocument:
JSON
AutoPublishAlias:String
AutoPublishCodeSha256:String
CodeSigningConfigArn:String
CodeUri:String | FunctionCode
DeadLetterQueue:Map | DeadLetterQueue
DeploymentPreference:DeploymentPreference
Description:String
Environment:Environment
EventInvokeConfig:EventInvokeConfiguration
Events:EventSource
FileSystemConfigs:List
FunctionName:String
Handler:String
ImageConfig:ImageConfig
ImageUri:String
InlineCode:String
KmsKeyArn:String
Layers:List
MemorySize:Integer
PackageType:String
PermissionsBoundary:String
Policies:String | List | Map
ProvisionedConcurrencyConfig:ProvisionedConcurrencyConfig
ReservedConcurrentExecutions:Integer
Role:String
Runtime:String
Tags:Map
Timeout:Integer
Tracing:String
VersionDescription:String
VpcConfig:VpcConfig
Properties
-
AssumeRolePolicyDocument
-
Adds an AssumeRolePolicyDocument for the default created
Role
for this function. If this property isn't specified, AWS SAM adds a default assume role for this function.Type: JSON
Required: No
AWS CloudFormation compatibility: This property is similar to the
AssumeRolePolicyDocument
property of anAWS::IAM::Role
resource. AWS SAM adds this property to the generated IAM role for this function. If a role's Amazon Resource Name (ARN) is provided for this function, this property does nothing. -
AutoPublishAlias
-
The name of the Lambda alias. For more information about Lambda aliases, see Lambda function aliases in the AWS Lambda Developer Guide. For examples that use this property, see Deploying serverless applications gradually.
AWS SAM generates AWS::Lambda::Version and AWS::Lambda::Alias resources when this property is set. For information about this scenario, see AutoPublishAlias property is specified. For general information about generated AWS CloudFormation resources, see Generated AWS CloudFormation resources.
Type: String
Required: No
AWS CloudFormation compatibility: This property is unique to AWS SAM and doesn't have an AWS CloudFormation equivalent.
-
AutoPublishCodeSha256
-
The string value that is used, along with the value in
CodeUri
, to determine whether a new Lambda version should be published.This property addresses a problem that occurs when an AWS SAM template has the following characteristics: the
DeploymentPreference
object is configured for gradual deployments (as described in Deploying serverless applications gradually), theAutoPublishAlias
property is set and doesn't change between deployments, and theCodeUri
property is set and doesn't change between deployments.This scenario can occur when the deployment package stored in an Amazon Simple Storage Service (Amazon S3) location is replaced by a new deployment package that contains updated Lambda function code, but the
CodeUri
property remains unchanged (as opposed to the new deployment package being uploaded to a new Amazon S3 location and theCodeUri
being changed to the new location).In this scenario, to trigger the gradual deployment successfully, you must provide a unique value for
AutoPublishCodeSha256
.Type: String
Required: No
AWS CloudFormation compatibility: This property is unique to AWS SAM and doesn't have an AWS CloudFormation equivalent.
-
CodeSigningConfigArn
-
The ARN of the AWS::Lambda::CodeSigningConfig resource, used to enable code signing for this function. For more information about code signing, see Configuring code signing for AWS SAM applications.
Type: String
Required: No
AWS CloudFormation compatibility: This property is passed directly to the
CodeSigningConfigArn
property of anAWS::Lambda::Function
resource. -
CodeUri
-
The function code's Amazon S3 URI, local file path, or FunctionCode object.
If an Amazon S3 URI or FunctionCode object is provided, the Amazon S3 object referenced must be a valid Lambda deployment package.
If a local file path is provided, for the code to be transformed properly the template must go through the workflow that includes the
sam deploy
orsam package
command.Note: Either
CodeUri
orInlineCode
is required.Type: String | FunctionCode
Required: Conditional
AWS CloudFormation compatibility: This property is similar to the
Code
property of anAWS::Lambda::Function
resource. The nested Amazon S3 properties are named differently. -
DeadLetterQueue
-
Configures an Amazon Simple Notification Service (Amazon SNS) topic or Amazon Simple Queue Service (Amazon SQS) queue where Lambda sends events that it can't process. For more information about dead-letter queue functionality, see AWS Lambda function dead letter queues in the AWS Lambda Developer Guide.
Type: Map | DeadLetterQueue
Required: No
AWS CloudFormation compatibility: This property is similar to the
DeadLetterConfig
property of anAWS::Lambda::Function
resource. In AWS CloudFormation the type is derived from theTargetArn
, whereas in AWS SAM you must pass the type along with theTargetArn
. -
DeploymentPreference
-
The settings to enable gradual Lambda deployments.
If a
DeploymentPreference
object is specified, AWS SAM creates an AWS::CodeDeploy::Application calledServerlessDeploymentApplication
(one per stack), an AWS::CodeDeploy::DeploymentGroup called
, and an AWS::IAM::Role called<function-logical-id>
DeploymentGroupCodeDeployServiceRole
.Type: DeploymentPreference
Required: No
AWS CloudFormation compatibility: This property is unique to AWS SAM and doesn't have an AWS CloudFormation equivalent.
See also: For more information about this property, see Deploying serverless applications gradually.
-
Description
-
A description of the function.
Type: String
Required: No
AWS CloudFormation compatibility: This property is passed directly to the
Description
property of anAWS::Lambda::Function
resource. -
Environment
-
The configuration for the runtime environment.
Type: Environment
Required: No
AWS CloudFormation compatibility: This property is passed directly to the
Environment
property of anAWS::Lambda::Function
resource. -
EventInvokeConfig
-
The object that describes event invoke configuration on a Lambda function.
Type: EventInvokeConfiguration
Required: No
AWS CloudFormation compatibility: This property is unique to AWS SAM and doesn't have an AWS CloudFormation equivalent.
-
Events
-
Specifies the events that trigger this function. Events consist of a type and a set of properties that depend on the type.
Type: EventSource
Required: No
AWS CloudFormation compatibility: This property is unique to AWS SAM and doesn't have an AWS CloudFormation equivalent.
-
FileSystemConfigs
-
List of FileSystemConfig objects that specify the connection settings for an Amazon Elastic File System (Amazon EFS) file system.
If your template contains an AWS::EFS::MountTarget resource, you must also specify a
DependsOn
resource attribute to ensure that the mount target is created or updated before the function.Type: List
Required: No
AWS CloudFormation compatibility: This property is passed directly to the
FileSystemConfigs
property of anAWS::Lambda::Function
resource. -
FunctionName
-
A name for the function. If you don't specify a name, a unique name is generated for you.
Type: String
Required: No
AWS CloudFormation compatibility: This property is passed directly to the
FunctionName
property of anAWS::Lambda::Function
resource. -
Handler
-
The function within your code that is called to begin execution. This property is only required if the
PackageType
property is set toZip
.Type: String
Required: Conditional
AWS CloudFormation compatibility: This property is passed directly to the
Handler
property of anAWS::Lambda::Function
resource. -
ImageConfig
-
The object used to configure Lambda container image settings. For more information, see Using container images with Lambda in the AWS Lambda Developer Guide.
Type: ImageConfig
Required: No
AWS CloudFormation compatibility: This property is passed directly to the
ImageConfig
property of anAWS::Lambda::Function
resource. -
ImageUri
-
The URI of the Amazon Elastic Container Registry (Amazon ECR) repository for the Lambda function's container image. For more information, see Using container images with Lambda in the AWS Lambda Developer Guide.
Type: String
Required: No
AWS CloudFormation compatibility: This property is passed directly to the
ImageUri
property of theAWS::Lambda::Function
Code
data type. -
InlineCode
-
The Lambda function code that is written directly in the template.
Note: Either
CodeUri
orInlineCode
is required.Type: String
Required: Conditional
AWS CloudFormation compatibility: This property is passed directly to the
ZipFile
property of theAWS::Lambda::Function
Code
data type. -
KmsKeyArn
-
The ARN of an AWS Key Management Service (AWS KMS) key that Lambda uses to encrypt and decrypt your function's environment variables.
Type: String
Required: No
AWS CloudFormation compatibility: This property is passed directly to the
KmsKeyArn
property of anAWS::Lambda::Function
resource. -
Layers
-
The list of
LayerVersion
ARNs that this function should use. The order specified here is the order in which they will be imported when running the Lambda function.Type: List
Required: No
AWS CloudFormation compatibility: This property is passed directly to the
Layers
property of anAWS::Lambda::Function
resource. -
MemorySize
-
The size of the memory in MB allocated per invocation of the function.
Type: Integer
Required: No
AWS CloudFormation compatibility: This property is passed directly to the
MemorySize
property of anAWS::Lambda::Function
resource. -
PackageType
-
The deployment package type of the Lambda function. For more information, see Lambda deployment packages in the AWS Lambda Developer Guide.
Valid values:
Zip
orImage
Type: String
Required: No
AWS CloudFormation compatibility: This property is passed directly to the
PackageType
property of anAWS::Lambda::Function
resource. -
PermissionsBoundary
-
The ARN of a permissions boundary to use for this function's execution role. This property works only if the role is generated for you.
Type: String
Required: No
AWS CloudFormation compatibility: This property is passed directly to the
PermissionsBoundary
property of anAWS::IAM::Role
resource. -
Policies
-
One or more policies that this function needs. They will be appended to the default role for this function.
This property accepts a single string or a list of strings, and can be the name of AWS managed policies or AWS SAM policy templates, or inline IAM policy documents formatted in YAML.
For more information about AWS managed policies, see AWS managed policies in the IAM User Guide. For more information about AWS SAM policy templates, see AWS SAM policy templates in the AWS Serverless Application Model Developer Guide. For more information about inline policies, see Inline policies in the IAM User Guide.
Note: If the
Role
property is set, this property is ignored.Type: String | List | Map
Required: No
AWS CloudFormation compatibility: This property is similar to the
Policies
property of anAWS::IAM::Role
resource. AWS SAM supports AWS managed policy names and AWS SAM policy templates, in addition to JSON policy documents. AWS CloudFormation accepts only JSON policy documents. -
ProvisionedConcurrencyConfig
-
The provisioned concurrency configuration of a function's alias.
Note:
ProvisionedConcurrencyConfig
can be specified only if theAutoPublishAlias
is set. Otherwise, an error results.Type: ProvisionedConcurrencyConfig
Required: No
AWS CloudFormation compatibility: This property is passed directly to the
ProvisionedConcurrencyConfig
property of anAWS::Lambda::Alias
resource. -
ReservedConcurrentExecutions
-
The maximum number of concurrent executions that you want to reserve for the function.
For more information about this property, see AWS Lambda Function Scaling in the AWS Lambda Developer Guide.
Type: Integer
Required: No
AWS CloudFormation compatibility: This property is passed directly to the
ReservedConcurrentExecutions
property of anAWS::Lambda::Function
resource. -
Role
-
The ARN of an IAM role to use as this function's execution role.
Type: String
Required: No
AWS CloudFormation compatibility: This property is similar to the
Role
property of anAWS::Lambda::Function
resource. This is required in AWS CloudFormation but not in AWS SAM. If a role isn't specified, one is created for you with a logical ID of
.<function-logical-id>
Role -
Runtime
-
The identifier of the function's runtime. This property is only required if the
PackageType
property is set toZip
.Note: If you specify the
provided
identifier for this property, you can use theMetadata
resource attribute to instruct AWS SAM to build the custom runtime that this function requires. For more information about building custom runtimes, see Building custom runtimes.Type: String
Required: Conditional
AWS CloudFormation compatibility: This property is passed directly to the
Runtime
property of anAWS::Lambda::Function
resource. -
Tags
-
A map (string to string) that specifies the tags added to the Lambda function and the corresponding execution role. Keys and values are limited to alphanumeric characters. Keys can be 1 to 127 Unicode characters in length and cannot be prefixed with
aws:
. Values can be 1 to 255 Unicode characters in length.Type: Map
Required: No
AWS CloudFormation compatibility: This property is similar to the
Tags
property of anAWS::Lambda::Function
resource. TheTags
property in AWS SAM consists of key-value pairs. In AWS CloudFormation it consists of a list ofTag
objects. When the stack is created, AWS SAM automatically adds alambda:createdBy:SAM
tag to this Lambda function and the corresponding execution role. -
Timeout
-
The maximum time in seconds that the function can run before it is stopped.
Type: Integer
Required: No
Default: 3
AWS CloudFormation compatibility: This property is passed directly to the
Timeout
property of anAWS::Lambda::Function
resource. -
Tracing
-
The string that specifies the function's X-Ray tracing mode. For more information about X-Ray, see Using AWS Lambda with AWS X-Ray in the AWS Lambda Developer Guide.
Valid values:
Active
orPassThrough
Type: String
Required: No
AWS CloudFormation compatibility: This property is similar to the
TracingConfig
property of anAWS::Lambda::Function
resource. If theTracing
property is set toActive
and theRole
property is not specified, then AWS SAM adds thearn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess
policy to the Lambda execution role that it creates for you. -
VersionDescription
-
Specifies the
Description
field that is added on the new Lambda version resource.Type: String
Required: No
AWS CloudFormation compatibility: This property is passed directly to the
Description
property of anAWS::Lambda::Version
resource. -
VpcConfig
-
The configuration that enables this function to access private resources within your virtual private cloud (VPC).
Type: VpcConfig
Required: No
AWS CloudFormation compatibility: This property is passed directly to the
VpcConfig
property of anAWS::Lambda::Function
resource.
Return Values
Ref
When the logical ID of this resource is provided to the Ref
intrinsic function, it returns the resource name of the underlying Lambda function.
For more information about using the Ref
function, see Ref
in the AWS CloudFormation User Guide.
Fn::GetAtt
Fn::GetAtt
returns a value for a specified attribute of this type. The following are
the available attributes and sample return values.
For more information about using Fn::GetAtt
, see Fn::GetAtt
in the AWS CloudFormation User Guide.
Examples
Simple function
The following is a basic example of an AWS::Serverless::Function resource.
YAML
Type: AWS::Serverless::Function Properties: Handler: index.handler Runtime: python3.6 CodeUri: s3://bucket/key
Function properties example
The following is an example of an AWS::Serverless::Function that uses InlineCode
, Layers
, Tracing
, Policies
, Amazon EFS
, and an Api
event source.
YAML
Type: AWS::Serverless::Function DependsOn: MyMountTarget # This is needed if an AWS::EFS::MountTarget resource is declared for EFS Properties: Handler: index.handler Runtime: python3.6 InlineCode: | def handler(event, context): print("Hello, world!") ReservedConcurrentExecutions: 30 Layers: - Ref: MyLayer Tracing: Active Timeout: 120 FileSystemConfigs: - Arn: !Ref MyEfsFileSystem LocalMountPath: /mnt/EFS Policies: - AWSLambdaExecute - Version: '2012-10-17' Statement: - Effect: Allow Action: - s3:GetObject - s3:GetObjectACL Resource: 'arn:aws:s3:::my-bucket/*' Events: ApiEvent: Type: Api Properties: Path: /path Method: get
ImageConfig example
The following is an example of an ImageConfig
for a Lambda function of package type Image
.
YAML
HelloWorldFunction: Type: AWS::Serverless::Function Properties: PackageType: Image ImageConfig: Command: - "
app.lambda_handler
" EntryPoint: - "entrypoint1
" WorkingDirectory: "workDir
"