Execution

Permissions

  • A Lambda function's execution role needs a trust policy that trusts the Lambda service and a permissions policy that defines what the function may do while it executes within its environment
  • A Lambda implicitly trusts the account it is created in, so any identity whose identity policy allows invoking the Lambda is able to invoke it
  • In case of cross-account access this implicit trust is missing, hence the Lambda needs a resource policy that grants the specific account permission to invoke it
  • If a service within the same account needs to invoke the Lambda without assuming a role, it needs to be given permission using the resource policy

Logging

  • Lambda uses CW (CloudWatch), CWLogs and X-Ray for logging
  • Any logs generated during execution go to CWLogs; the execution role needs to be given permissions for this
  • Any metrics go to CW
  • X-Ray can be added for distributed tracing

Invocation

  • The Lambda invocation lifecycle consists of three phases
  • Init Phase

    • Extension Init
    • Runtime Init
    • Function Init
  • Invoke Phase

    • The first invocation is a cold start
    • If multiple invocations happen within a short duration, warm starts happen
    • The part of the function outside the handler is the initialization logic
    • Initialization code is run only once, during the cold start, and is not rerun on a warm start
    • Anything that we want to be reused should be put in the initialization part
    • A Lambda function should always assume a cold start, but if a warm start happens it should take advantage of the pre-initialized resources
  • Shutdown Phase

    • Runtime Shutdown
    • Extension Shutdown

Synchronous Invocation

  • The API or command line invokes the Lambda in a blocking way
  • A client through an API Gateway can also invoke the Lambda in a synchronous fashion
  • Results are returned directly to the caller
  • Errors need to be handled by the client

Asynchronous Invocation

  • Typically used when an AWS service invokes the Lambda
  • On failure, Lambda can reprocess the event 2 more times if configured; Lambda handles this retry logic
  • The Lambda needs to be idempotent for this to work
  • Events can be sent to a DLQ after repeated failures
  • Lambda can be configured with a destination where further processing of events can happen; SQS, SNS, Lambda and EventBridge are examples of destinations
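The two points above about initialization outside the handler (cold vs warm start) and about idempotency under asynchronous retries, as an added example that is not part of these notes: a handler whose expensive setup runs once per execution environment and which returns the same result when Lambda retries an event it has already processed. The event id field and the in-memory idempotency store are constructed assumptions for the example.

```python
import os
import time
from typing import Any, Dict, Set

# Initialization logic: runs once per execution environment (cold start),
# outside the handler, and is reused by every warm invocation.
INIT_RUNS = 0  # counter only so the example can show init is not re-run


def _expensive_init() -> Dict[str, Any]:
    """Stand-in for costly setup (SDK clients, DB connections, parsed config)."""
    global INIT_RUNS
    INIT_RUNS += 1
    return {"table": os.environ.get("TABLE_NAME", "placeholder-table"),
            "started_at": time.time()}


RESOURCES = _expensive_init()

# Idempotency record: event id -> result. Kept in memory only so the example
# runs offline; a real function would use an external store (e.g. DynamoDB)
# because an async retry may land on a different execution environment.
_PROCESSED: Dict[str, Dict[str, Any]] = {}
_FAILED_ONCE: Set[str] = set()  # constructed: events that already failed once


def _process(event: Dict[str, Any]) -> Dict[str, Any]:
    """The actual work. Raises once on a constructed 'transient' failure,
    which is what makes Lambda retry an asynchronous invocation."""
    if event.get("fail_once") and event["id"] not in _FAILED_ONCE:
        _FAILED_ONCE.add(event["id"])
        raise RuntimeError("transient failure, Lambda will retry")
    return {"table": RESOURCES["table"], "payload": event.get("detail", {})}


def handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """Handler safe for async retries: same event id -> work done once."""
    # Assumption: the event carries its own id (as EventBridge events do);
    # fall back to the request id from the Lambda context object.
    event_id = event.get("id") or getattr(context, "aws_request_id", None)
    if event_id is None:
        raise ValueError("event needs an 'id' for idempotent processing")
    if event_id in _PROCESSED:  # a retry of an event already processed
        return {**_PROCESSED[event_id], "duplicate": True}
    result = _process(event)
    _PROCESSED[event_id] = result
    return {**result, "duplicate": False}
```

Invoking the handler twice in the same environment shows the retry returning the stored result with `duplicate` set and `INIT_RUNS` still at 1.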

Event Source Mapping

  • Typically used on streams or queues which don't support event generation to invoke Lambdas, e.g. Kinesis, DynamoDB Streams or SQS
  • A hidden component called the Event Source Mapping polls the stream for source batches
  • Source batches are broken down into smaller chunks based on batch size and sent to Lambdas as events
  • The Event Source Mapping uses the Lambda execution role's permissions to access the event source

Version

  • A version consists of code + configuration
  • A version is immutable