STS AssumeRole Support for Invoking Lambda Functions in WSO2 API Manager

Latest WSO2 API Manager supports AWS STS AssumeRole to invoke cross-account Lambda functions. Note that this feature is available from 27th July 2022 according to WSO2 APIM docs.

1. Create REST API without an endpoint URL

2. Add AWS Lambda Endpoint

3. Select access method

There are two options to select to retrieve credentials for invoking Lambda functions. If API Manager is deployed on AWS EC2/ECS instance the recommended way is to select option 1. Otherwise you can select option 2.

Option 1: Using IAM role-supplied temporary AWS credentials

Note: In this option make sure that IAM role with IAM policy with necessary permissions is attached to the EC2 instance.

Option 2: Using stored AWS credentials

Note: In this option it is not recommended to enter root credentials of the AWS account. Instead create a separate user account with IAM policy with necessary permissions, then enter credentials of that account.

Access Key — Access Key of the user
Secret Key — Secret Key of the user
Region — Region of AWS STS endpoint

Currently, Global endpoint is not supported. Also, according to AWS docs, “AWS recommends using Regional AWS STS endpoints instead of the global endpoint to reduce latency, build in redundancy, and increase session token validity”. Hence, select a valid region from the list.

4. Configure STS AssumeRole

Check Enable STS AssumeRole and enter required values to configure STS AssumeRole.

Role ARN — Amazon Resource Name of the role to be assumed
Role Session Name — String value to identify the session
Region — Region of AWS Lambda functions

Click on Save button.

5. Configure resources

Go to Resources page and set Lambda function ARN for each resource. Then click on Save.

6. Deploy and publish API

Go to Deployments page and click on Deploy button. Then go to Lifecycle page and publish the API. Now you can subscribe to the API and invoke the lambda function in Devportal.

That’s it! Thanks for reading my article.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Binod Karunanayake

Binod Karunanayake

BSc Engineering (Hons) Department of Computer Science and Engineering of University of Moratuwa | Software Engineer @WSO2