Retrieving configuration data using the Amazon AppConfig Agent Lambda extension
An Amazon Lambda extension is a companion process that augments the capabilities of a Lambda function. An extension can start before a function is invoked, run in parallel with a function, and continue to run after a function invocation is processed. In essence, a Lambda extension is like a client that runs in parallel to a Lambda invocation. This parallel client can interface with your function at any point during its lifecycle.
If you use Amazon AppConfig feature flags or other dynamic configuration data in a Lambda function, then we recommend that you add the Amazon AppConfig Agent Lambda extension as a layer to your Lambda function. This makes calling feature flags simpler, and the extension itself includes best practices that simplify using Amazon AppConfig while reducing costs. Reduced costs result from fewer API calls to the Amazon AppConfig service and shorter Lambda function processing times. For more information about Lambda extensions, see Lambda extensions in the Amazon Lambda Developer Guide.
Note
Amazon AppConfig pricing
This topic includes information about the Amazon AppConfig Agent Lambda extension and the procedure for how to configure the extension to work with your Lambda function.
How it works
If you use Amazon AppConfig to manage configurations for a Lambda function without Lambda extensions, then you must configure your Lambda function to receive configuration updates by integrating with the StartConfigurationSession and GetLatestConfiguration API actions.
Integrating the Amazon AppConfig Agent Lambda extension with your Lambda function simplifies this process. The extension takes care of calling the Amazon AppConfig service, managing a local cache of retrieved data, tracking the configuration tokens needed for the next service calls, and periodically checking for configuration updates in the background. The following diagram shows how it works.
![A diagram of how the Amazon AppConfig Agent Lambda extension works](images/AppConfigLambdaExtension.png)
- You configure the Amazon AppConfig Agent Lambda extension as a layer of your Lambda function.
- To access its configuration data, your function calls the Amazon AppConfig extension at an HTTP endpoint running on `localhost:2772`.
- The extension maintains a local cache of the configuration data. If the data isn't in the cache, the extension calls Amazon AppConfig to get the configuration data.
- Upon receiving the configuration from the service, the extension stores it in the local cache and passes it to the Lambda function.
- Amazon AppConfig Agent Lambda extension periodically checks for updates to your configuration data in the background. Each time your Lambda function is invoked, the extension checks the elapsed time since it retrieved a configuration. If the elapsed time is greater than the configured poll interval, the extension calls Amazon AppConfig to check for newly deployed data, updates the local cache if there has been a change, and resets the elapsed time.
Note
- Lambda instantiates separate instances corresponding to the concurrency level that your function requires. Each instance is isolated and maintains its own local cache of your configuration data. For more information about Lambda instances and concurrency, see Managing concurrency for a Lambda function.
- The amount of time it takes for a configuration change to appear in a Lambda function, after you deploy an updated configuration from Amazon AppConfig, depends on the deployment strategy you used for the deployment and the polling interval you configured for the extension.
Before you begin
Before you enable the Amazon AppConfig Agent Lambda extension, do the following:
- Organize the configurations in your Lambda function so that you can externalize them into Amazon AppConfig.
- Create Amazon AppConfig artifacts and configuration data, including feature flags or freeform configuration data. For more information, see Creating feature flags and free form configuration data in Amazon AppConfig.
- Add `appconfig:StartConfigurationSession` and `appconfig:GetLatestConfiguration` to the Amazon Identity and Access Management (IAM) policy used by the Lambda function execution role. For more information, see Amazon Lambda execution role in the Amazon Lambda Developer Guide. For more information about Amazon AppConfig permissions, see Actions, resources, and condition keys for Amazon AppConfig in the Service Authorization Reference.
Adding the Amazon AppConfig Agent Lambda extension
To use the Amazon AppConfig Agent Lambda extension, you need to add the extension to your Lambda. This can be done by adding the Amazon AppConfig Agent Lambda extension to your Lambda function as a layer or by enabling the extension on a Lambda function as a container image.
Note
The Amazon AppConfig extension is runtime agnostic and supports all runtimes.
Adding the Amazon AppConfig Agent Lambda extension by using a layer and an ARN
To use the Amazon AppConfig Agent Lambda extension, you add the extension to your Lambda function as a layer. For information about how to add a layer to your function, see Configuring extensions in the Amazon Lambda Developer Guide. The name of the extension in the Amazon Lambda console is Amazon-AppConfig-Extension. Also note that when you add the extension as a layer to your Lambda, you must specify an Amazon Resource Name (ARN). Choose an ARN from one of the following lists that corresponds with the platform and Amazon Web Services Region where you created the Lambda.
If you want to test the extension before you add it to your function, you can verify that it works by using the following code example.
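```python
import urllib.request

def lambda_handler(event, context):
    # Replace application_name, environment_name, and configuration_name
    # with the names of your own Amazon AppConfig resources.
    url = f'http://localhost:2772/applications/application_name/environments/environment_name/configurations/configuration_name'
    config = urllib.request.urlopen(url).read()
    return config
```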
To test it, create a new Lambda function for Python, add the extension, and then run the Lambda function. After you run the Lambda function, the Amazon AppConfig Lambda function returns the configuration you specified for the http://localhost:2772 path. For information about creating a Lambda function, see Create a Lambda function with the console in the Amazon Lambda Developer Guide.
To add the Amazon AppConfig Agent Lambda extension as a container image, see Using a container image to add the Amazon AppConfig Agent Lambda extension.
Configuring the Amazon AppConfig Agent Lambda extension
You can configure the extension by changing the following Amazon Lambda environment variables. For more information, see Using Amazon Lambda environment variables in the Amazon Lambda Developer Guide.
Prefetching configuration data
The environment variable `AWS_APPCONFIG_EXTENSION_PREFETCH_LIST` can improve the start-up time of your function. When the Amazon AppConfig Agent Lambda extension is initialized, it retrieves the specified configuration from Amazon AppConfig before Lambda starts to initialize your function and invoke your handler. In some cases, the configuration data is already available in the local cache before your function requests it.
To use the prefetch capability, set the value of the environment variable to the path corresponding to your configuration data. For example, if your configuration corresponds to an application, environment, and configuration profile respectively named "my_application", "my_environment", and "my_configuration_data", the path would be `/applications/my_application/environments/my_environment/configurations/my_configuration_data`.
You can specify multiple configuration items by listing them as a comma-separated list. (If you have a resource name that includes a comma, use the resource's ID value instead of its name.)
Accessing configuration data from another account
The Amazon AppConfig Agent Lambda extension can retrieve configuration data from another account by specifying an IAM role that grants permissions to the data. To set this up, follow these steps:
1. In the account where Amazon AppConfig is used to manage the configuration data, create a role with a trust policy that grants the account running the Lambda function access to the `appconfig:StartConfigurationSession` and `appconfig:GetLatestConfiguration` actions, along with the partial or complete ARNs corresponding to the Amazon AppConfig configuration resources.
2. In the account running the Lambda function, add the `AWS_APPCONFIG_EXTENSION_ROLE_ARN` environment variable to the Lambda function with the ARN of the role created in step 1.
3. (Optional) If needed, an external ID can be specified using the `AWS_APPCONFIG_EXTENSION_ROLE_EXTERNAL_ID` environment variable. Similarly, a session name can be configured using the `AWS_APPCONFIG_EXTENSION_ROLE_SESSION_NAME` environment variable.
Note
Note the following information.
- The Amazon AppConfig Agent Lambda extension can only retrieve data from one account. If you specify an IAM role, the extension will not be able to retrieve configuration data from the account in which the Lambda function is running.
- Amazon Lambda logs information about the Amazon AppConfig Agent Lambda extension and the Lambda function by using Amazon CloudWatch Logs.
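The cross-account role described in the steps above can be checked before its ARN goes into AWS_APPCONFIG_EXTENSION_ROLE_ARN. This added example (not from the original page or from Amazon's code) audits the role's two policy documents. The account IDs, role name, external ID, and resource IDs are constructed placeholders, and the split into a trust policy for sts:AssumeRole plus a permissions policy for the two AppConfig actions is the usual IAM arrangement, assumed here.

```python
APPCONFIG_ACTIONS = {"appconfig:StartConfigurationSession", "appconfig:GetLatestConfiguration"}

def _listify(value):
    return value if isinstance(value, list) else [value]

def _principal_account(principal):
    """Account ID of a principal given as an IAM ARN or a bare account ID."""
    parts = str(principal).split(":")
    return parts[4] if len(parts) >= 6 and parts[0] == "arn" else parts[0]

def audit_trust_policy(policy, lambda_account_id, expected_external_id=None):
    """Findings for the trust policy, which controls who may assume the role."""
    findings = []
    for stmt in _listify(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", "*")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in _listify(aws):
            if _principal_account(p) != lambda_account_id:
                findings.append(f"principal {p} is outside account {lambda_account_id}")
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if expected_external_id is not None and required != expected_external_id:
            findings.append("sts:ExternalId condition does not match the configured external ID")
    return findings

def audit_permissions_policy(policy):
    """Findings for the permissions policy attached to the cross-account role."""
    findings = []
    for stmt in _listify(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        extra = sorted(set(_listify(stmt.get("Action", []))) - APPCONFIG_ACTIONS)
        if extra:
            findings.append(f"actions the extension does not need: {extra}")
        if "*" in _listify(stmt.get("Resource", [])):
            findings.append("Resource is '*' instead of AppConfig configuration ARNs")
    return findings

# Constructed sample: configuration lives in 111122223333, the function runs in 444455556666.
TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::444455556666:role/example-lambda-execution-role"},
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}
PERMISSIONS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": sorted(APPCONFIG_ACTIONS),
    "Resource": "arn:aws:appconfig:us-east-1:111122223333:application/EXAMPLE_APP_ID"
                "/environment/EXAMPLE_ENV_ID/configuration/EXAMPLE_PROFILE_ID"}]}
```

Both functions return an empty list for the sample policies. Pass the value you set in AWS_APPCONFIG_EXTENSION_ROLE_EXTERNAL_ID as `expected_external_id` so a mismatch is caught before the extension logs an AccessDenied error.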
| Environment variable | Details | Default value |
|---|---|---|
| | This environment variable specifies the port on which the local HTTP server that hosts the extension runs. | 2772 |
| | This environment variable specifies which Amazon AppConfig extension-specific logs are sent to Amazon CloudWatch Logs for a function. Valid, case-insensitive values are: | |
| | This environment variable configures the maximum number of connections the extension uses to retrieve configurations from Amazon AppConfig. | 3 |
| | This environment variable controls how often the extension polls Amazon AppConfig for an updated configuration in seconds. | 45 |
| | This environment variable controls the maximum amount of time, in milliseconds, the extension waits for a response from Amazon AppConfig when refreshing data in the cache. If Amazon AppConfig does not respond in the specified amount of time, the extension skips this poll interval and returns the previously updated cached data. | 3000 |
| | This environment variable specifies the configuration data that the extension starts to retrieve before the function initializes and the handler runs. It can reduce the function's cold start time significantly. | None |
| AWS_APPCONFIG_EXTENSION_PROXY_HEADERS | This environment variable specifies headers required by the proxy referenced in the AWS_APPCONFIG_EXTENSION_PROXY_URL environment variable. The value is a comma-separated list of headers. Each header uses the following form: | None |
| AWS_APPCONFIG_EXTENSION_PROXY_URL | This environment variable specifies the proxy URL to use for connections from the Amazon AppConfig extension to Amazon Web Services. HTTPS and HTTP URLs are supported. | None |
| AWS_APPCONFIG_EXTENSION_ROLE_ARN | This environment variable specifies the IAM role ARN corresponding to a role that should be assumed by the Amazon AppConfig extension to retrieve configuration. | None |
| AWS_APPCONFIG_EXTENSION_ROLE_EXTERNAL_ID | This environment variable specifies the external id to use in conjunction with the assumed role ARN. | None |
| AWS_APPCONFIG_EXTENSION_ROLE_SESSION_NAME | This environment variable specifies the session name to be associated with the credentials for the assumed IAM role. | None |
| AWS_APPCONFIG_EXTENSION_SERVICE_REGION | This environment variable specifies an alternative Region the extension should use to call the Amazon AppConfig service. When undefined, the extension uses the endpoint in the current Region. | None |
| | This environment variable configures Amazon AppConfig Agent to take advantage of additional per-configuration features like multi-account retrievals and save configuration to disk. You can enter one of the following values: For more information about these features, see Additional retrieval features. | true |
| | This environment variable configures Amazon AppConfig Agent to wait until the manifest is processed before completing startup. | true |
Retrieving one or more flags from a feature flag configuration
For feature flag configurations (configurations of type `AWS.AppConfig.FeatureFlags`), the Lambda extension enables you to retrieve a single flag or a subset of flags in a configuration. Retrieving one or two flags is useful if your Lambda only needs to use a few flags from the configuration profile. The following examples use Python.
Note
The ability to call a single feature flag or a subset of flags in a configuration is only available in the Amazon AppConfig Agent Lambda extension version 2.0.45 and higher.
You can retrieve Amazon AppConfig configuration data from a local HTTP endpoint. To access a specific flag or a list of flags, use the `?flag=flag_name` query parameter for an Amazon AppConfig configuration profile.
To access a single flag and its attributes
```python
import urllib.request

def lambda_handler(event, context):
    # flag_name is the key of the single flag to retrieve.
    url = f'http://localhost:2772/applications/application_name/environments/environment_name/configurations/configuration_name?flag=flag_name'
    config = urllib.request.urlopen(url).read()
    return config
```
To access multiple flags and their attributes
```python
import urllib.request

def lambda_handler(event, context):
    # Repeat the flag query parameter once for each flag to retrieve.
    url = f'http://localhost:2772/applications/application_name/environments/environment_name/configurations/configuration_name?flag=flag_name_one&flag=flag_name_two'
    config = urllib.request.urlopen(url).read()
    return config
```
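When a flag gates sensitive behavior, the handler should treat a failed or malformed retrieval as "disabled" rather than raise or guess. The following added example (not from the original page) generalizes the two snippets above: it percent-encodes the names, bypasses any configured HTTP proxy for the localhost call, sets a timeout, and fails closed. The response shapes noted in the comments are assumptions, and the helper names are hypothetical.

```python
import json
import urllib.parse
import urllib.request

# Talk to the extension directly, even if HTTP_PROXY is set for the function.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def build_url(application, environment, configuration, flags=(), port=2772):
    """Build the extension URL, percent-encoding every caller-supplied part."""
    parts = (urllib.parse.quote(p, safe="") for p in (application, environment, configuration))
    path = "/applications/{}/environments/{}/configurations/{}".format(*parts)
    query = urllib.parse.urlencode([("flag", name) for name in flags])
    return f"http://localhost:{int(port)}{path}" + (f"?{query}" if query else "")

def parse_flags(body, flags):
    """Return {flag_name: attributes} for the requested flags; {} if the body is unusable."""
    try:
        data = json.loads(body.decode("utf-8"))
    except ValueError:  # covers UnicodeDecodeError and json.JSONDecodeError
        return {}
    if not isinstance(data, dict):
        return {}
    # Assumption: a single-flag request returns that flag's attributes directly,
    # while a multi-flag request returns a mapping keyed by flag name.
    if len(flags) == 1 and flags[0] not in data:
        return {flags[0]: data}
    return {name: data[name] for name in flags if isinstance(data.get(name), dict)}

def get_flags(application, environment, configuration, flags, port=2772, timeout=2.0):
    """Fetch the requested flags; any transport error yields {} rather than an exception."""
    url = build_url(application, environment, configuration, flags, port)
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            return parse_flags(resp.read(), list(flags))
    except OSError:  # URLError, HTTPError, timeouts, refused connections
        return {}

def is_enabled(flag_map, name):
    """Fail closed: a flag that is missing or malformed counts as disabled."""
    attrs = flag_map.get(name)
    return isinstance(attrs, dict) and attrs.get("enabled") is True

def lambda_handler(event, context):
    wanted = ["flag_name_one", "flag_name_two"]
    flags = get_flags("application_name", "environment_name", "configuration_name", wanted)
    return {name: is_enabled(flags, name) for name in wanted}
```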
Viewing Amazon AppConfig Agent Lambda extension logs
You can view log data for the Amazon AppConfig Agent Lambda extension in the Amazon Lambda logs.
Log entries are prefaced with `appconfig agent`. Here's an example.
[appconfig agent] 2024/05/07 04:19:01 ERROR retrieve failure for 'SourceEventConfig:SourceEventConfigEnvironment:SourceEventConfigProfile': StartConfigurationSession: api error AccessDenied: User: arn:aws:sts::0123456789:assumed-role/us-east-1-LambdaRole/extension1 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::0123456789:role/test1 (retry in 60s)