Amazon Lambda (Tech Preview) connection
The Amazon Lambda connection can be authenticated in two ways. You can use Amazon access keys, which you create in the AWS Management Console and which consist of an Access Key ID and a Secret Access Key. Retrieve these keys from the secure location where you stored them. The Amazon Lambda connection also supports authentication via AWS IAM Roles Anywhere.
AWS IAM Roles Anywhere relies on public key infrastructure (PKI) to establish trust between an AWS account and a certificate authority (CA), both belonging to the customer. The CA issues X.509 certificates which can be used by the Lambda Connector to obtain temporary credentials to invoke AWS Lambda runtime and control-plane APIs.
The temporary credentials are valid for a bounded period configured by the user. They are cached and reused across connectors that use the same connection component and across consecutive process executions. The connector automatically handles renewal after credentials expire.
Fields when authenticating with Access Keys
- Authentication Type – Select the authentication type to connect to the service, either via your access keys or IAM Roles Anywhere.
  - When using Access Keys, provide both an Access Key ID and a Secret Access Key.
  - When using IAM Roles Anywhere, provide trusted X.509 certificates and service configuration data required to validate trust and obtain temporary security credentials.
  - Access Keys is the default authentication method.
- AWS Access Key – Enter the access key for your AWS account. This key allows the connector to invoke Lambda in your account. Manage keys securely using the AWS Management Console.
- AWS Secret Key – Enter the secret access key for your AWS account. Together with the Access Key ID, it enables signed requests to Lambda services. Ensure this value is stored securely.
- AWS Lambda Region – Select the AWS Region associated with your Lambda service. If the region is not listed, use the AWS Custom Region field. The default is us-east-1.
- AWS Lambda Custom Region – (Optional) Enter a custom AWS region in lowercase with dashes (for example, us-east-1). This value overrides the dropdown selection.
Fields when authenticating with AWS IAM Roles Anywhere
- Authentication Type – Select between Access Keys or IAM Roles Anywhere.
- Profile ARN – Enter the Amazon Resource Name (ARN) of the IAM Roles Anywhere profile.
- Role ARN – Enter the Amazon Resource Name (ARN) of the IAM role to assume for Lambda access.
- Trust Anchor ARN – Enter the ARN of the trust anchor used for validation.
- AWS Roles Anywhere Region – Select the AWS Roles Anywhere Region associated with your IAM Roles Anywhere service. If the region is not listed, use the AWS Roles Anywhere Custom Region field. The default is us-east-1.
- AWS Roles Anywhere Custom Region – Enter the AWS region in which IAM Roles Anywhere resides. Values must be lowercase with dashes (for example, us-east-1). If set, this value overrides the region dropdown.
- Session name – Enter a session name for the role session. This field is mandatory.
- Duration (in seconds) – Enter the session duration in seconds. Valid range: 900 (15 minutes) to 43200 (12 hours).
- Public Certificate – Select the client certificate issued by your trusted CA to authenticate with IAM Roles Anywhere and receive temporary credentials.
- Private Key – Select the private key associated with the client certificate.
- AWS Lambda Region – Select the AWS Region associated with your Lambda service. If the region is not listed, use the AWS Custom Region field. The default is us-east-1.
- AWS Lambda Custom Region – (Optional) Enter a custom AWS region in lowercase with dashes (for example, us-east-1). This value overrides the dropdown selection.
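A pre-flight check for the IAM Roles Anywhere fields listed above, added here as an example; it is not part of the connector or its documentation. The dictionary keys, the constructed sample ARNs and account ID, and the rule that the profile and trust anchor ARNs must sit in the connection's Roles Anywhere region are assumptions of this example, while the duration range, the mandatory session name and the custom-region override come from the field descriptions.

```python
import re

# ARN shapes follow AWS's published formats; the dict keys are this example's own names.
ARN_RE = re.compile(r"^arn:(aws[a-z-]*):([a-z0-9-]+):([a-z0-9-]*):(\d{12}):(.+)$")
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d+$")  # lowercase with dashes

# Constructed sample values (placeholder account ID and resource IDs).
SAMPLE = {
    "region": "us-east-1", "custom_region": None,
    "profile_arn": "arn:aws:rolesanywhere:us-east-1:123456789012:profile/11111111-2222-3333-4444-555555555555",
    "trust_anchor_arn": "arn:aws:rolesanywhere:us-east-1:123456789012:trust-anchor/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "role_arn": "arn:aws:iam::123456789012:role/lambda-invoker",
    "session_name": "integration-runtime", "duration": 3600,
}


def effective_region(dropdown, custom=None):
    """The custom region, when set, overrides the dropdown selection."""
    return custom.strip() if custom and custom.strip() else dropdown


def check_arn(value, service, resource_prefix, region, errors, label):
    m = ARN_RE.match(value or "")
    if not m:
        errors.append(f"{label}: not a well-formed ARN")
        return
    _, svc, arn_region, _, resource = m.groups()
    if svc != service or not resource.startswith(resource_prefix):
        errors.append(f"{label}: expected a {service} {resource_prefix}... ARN")
    # Assumption: Roles Anywhere resources are regional; IAM role ARNs carry no region.
    if service == "rolesanywhere" and arn_region != region:
        errors.append(f"{label}: ARN region {arn_region!r} != connection region {region!r}")


def validate_roles_anywhere(cfg):
    """Return a list of problems; an empty list means the fields are consistent."""
    errors = []
    region = effective_region(cfg.get("region", "us-east-1"), cfg.get("custom_region"))
    if not REGION_RE.match(region):
        errors.append(f"region {region!r}: must be lowercase with dashes")
    check_arn(cfg.get("profile_arn"), "rolesanywhere", "profile/", region, errors, "Profile ARN")
    check_arn(cfg.get("trust_anchor_arn"), "rolesanywhere", "trust-anchor/", region, errors, "Trust Anchor ARN")
    check_arn(cfg.get("role_arn"), "iam", "role/", region, errors, "Role ARN")
    if not (cfg.get("session_name") or "").strip():
        errors.append("Session name: mandatory")
    duration = cfg.get("duration")
    if not isinstance(duration, int) or not 900 <= duration <= 43200:
        errors.append("Duration: must be 900 to 43200 seconds")
    return errors
```

Running it over a connection definition before Test Connection catches swapped profile and trust anchor ARNs and a custom region that silently overrides the dropdown.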
Test Connection
You can test your connection settings before using or saving them in a process. Test Connection validates credentials, region, and access to Amazon Lambda.
- If successful → you can save and use the connection.
- If unsuccessful → review settings, correct errors, and retest.
The default region used for Test Connection is us-east-1.
For more information, refer to AWS Signature Version 4 Signing Process.