Child pages
  • AWS Lambda Plugin
Skip to end of metadata
Go to start of metadata

View AWS Lambda Plugin on the plugin site for more information.

This plugin adds AWS Lambda invocation and deployment abilities to build steps and post build actions

Currently the plugin can deploy and invoke functions as a build step and post build action. When invoking a function it is possible to inject the output as Jenkins environment variables.

Github link: https://github.com/XT-i/aws-lambda-jenkins-plugin
Jenkins wiki link: https://wiki.jenkins-ci.org/display/JENKINS/AWS+Lambda+Plugin

Installation

Look for the AWS Lambda plugin in the available plugins after clicking "manage jenkins" and "manage plugins".

IAM setup

For deployment you'll need access to the GetFunction, CreateFunction, UpdateFunctionCode and UpdateFunctionConfiguration Lambda commands.
You'll also need access to iam:PassRole to attach a role to the Lambda function.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1432812345671",
            "Effect": "Allow",
            "Action": [
                "lambda:GetFunction",
                "lambda:CreateFunction",
                "lambda:UpdateFunctionCode",
                "lambda:UpdateFunctionConfiguration"
            ],
            "Resource": [
                "arn:aws:lambda:REGION:ACCOUNTID:function:FUNCTIONNAME"
            ]
        },
        {
            "Sid": "Stmt14328112345672",
            "Effect": "Allow",
            "Action": [
                "iam:Passrole"
            ],
            "Resource": [
                "arn:aws:iam::ACCOUNTID:role/FUNCTIONROLE"
            ]
        }
    ]
}

For invocation you only need access to InvokeFunction.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt14328112345678",
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "arn:aws:lambda:REGION:ACCOUNTID:function:FUNCTIONNAME"
            ]
        }
    ]
}

AWS Lambda function deployment

After creating a job you can add a build step or post build action to deploy an AWS Lambda function.

Due to the fact that AWS Lambda is still a rapid changing service we decided not to have select boxes for input.
The AWS Access Key Id, AWS Secret Key, region and function name are always required. All other fields depend on the update mode.

If the update mode is Code you also need to add the location of a zipfile or folder.
Folders are automatically zipped according to the AWS Lambda documentation
You can also choose to deploy a function already on S3, if the bucket is in the same region as the Lambda function.

s3://bucket/key or s3://bucket/key?versionId=ABCDEF123

For the Configuration update mode you need the role and handler. If you want to diverge from the defaults add the memory and timeout values.

When choosing the Both update mode, both UpdateFunctionCode and UpdateFunctionConfiguration are performed.

If the function has not been created before the plugin will try to do a CreateFunction call, which needs all fields previously mentioned in addition to the runtime value.
The update mode value is ignored if the function does not exists yet, but it will take effect in future builds.

AWS Lambda function invocation

To invoke a function once again open up the add build step or post build action menu.

You need to add the AWS Access Key Id, AWS Secret key, region and function name. Optionally you can add a payload that your function expects.

If you enable the Synchronous checkbox you will receive the response payload that can be parsed using the Json Parameters.
You will also get the logs from Lambda into your Jenkins console output.

The json parameters allow you to parse the output from the lambda function. The parsed value will then be injected into the Jenkins environment using the chosen name.
An empty jsonPath field allows you to inject the whole response into the specified environment variable.

Examples:

{
    "key1":"value1",
    "array1": [
        {
            "arraykey":"arrayvalue"
        },
        {
            "arraykey":"arrayvalue2"
        }
    ]
}

$.key1 => value1
$.array1[1].arraykey => arrayvalue2

More info about JsonPath:
github link: https://github.com/jayway/JsonPath
try out expressions: http://jsonpath.herokuapp.com/?path=$.store.book

These environment variables can be used as parameters in further build steps and actions which allow a Lambda function to have a deciding factor in the deployment process.

Job build result

On the job build result page you'll get a summary of all deployed and invoked functions and their success state.

5 Comments

  1. I think there is an issue with "Use instance credentials". I get the error: "Cross-account pass role is not allowed" when doing a lambda deployment:Starting lambda deployment procedure

     
    
    Zipping folder ..., copying zip file
    File Name: awslambda-225499368329633560.zip
    Absolute Path: /tmp/awslambda-225499368329633560.zip
    File Size: 55176
    Lambda function existence check:
    
    {FunctionName: my_func,}
    
    Lambda function does not exist
    Lambda create function request:
    {FunctionName: my_func,Runtime: python2.7,Role: arn:aws:iam::123123123123:role/lambda_hipchat_pr_digest,Handler: lambda_handler,Code: {ZipFile: java.nio.HeapByteBuffer[pos=0 lim=55176 cap=55176],},Description: Hmy description,Timeout: 60,MemorySize: 256,Publish: true}
    

    com.amazonaws.AmazonServiceException: Cross-account pass role is not allowed. (Service: AWSLambda; Status Code: 403; Error Code: null; Request ID: 645e6ad8-ba1f-11e5-b817-1f92f1beb5f9)

    But the jenkins slave that this job is running on has the creds to do this. For instance, when I ssh on to the slave and run the aws cli from the command line, it works:aws lambda create-function --function-name my_func --runtime python2.7 --role arn:aws:iam::123123123123:role/lambda_hipchat_pr_digest --handler lambda_handler --zip-file fileb://foo.zip --description 'my description' --memory-size 256 --region us-west-2 --publish

    My guess is that the this plugin does not honor the IAM creds of the box that it's running on? (There are no hard coded access keys anywhere... everything is using IAM creds)

    1. Thank you again Alex for the report.

      For anyone reading the comments it was fixed in version 0.4.0 by the addition of support for distributed builds.

  2. Is there a limit to the total number of lambdas you can deploy in a single jenkins job?  Im trying to add a 17th, and its no longer giving me the option to choose update mode.  the Dropdown is blank.

     

    Thanks!

  3. I'm struggling to get the JSON parameters feature to work. I'm successfully invoking the Lambda function, but it is failing to set the environment variable from the returned JSON payload.

    Here is the log of the Lambda invocation: 

    In my pipeline script I intercept 'applicationVersion' using JSONpath:

    When I echo out the 'env' to the log, I see many environment variables but not 'MY_VAR'.

    I'm pretty sure the jsonPath is correct, because if I change it to be a string ('NoNSenSe') that does not appear in the returned payload, I get a parsing error:

     

    Any help appreciated!

    Many thanks,

    David

     

  4. How can we add tags for lambda function using this plugin?

Write a comment…