# Invoking a Lambda function using an Amazon API Gateway endpoint API Gateway You can create a web API with an HTTP endpoint for your Lambda function by using Amazon API Gateway. API Gateway provides tools for creating and documenting web APIs that route HTTP requests to Lambda functions. You can secure access to your API with authentication and authorization controls. Your APIs can serve traffic over the internet or can be accessible only within your VPC. **Tip** Lambda offers two ways to invoke your function through an HTTP endpoint: API Gateway and Lambda function URLs. If you're not sure which is the best method for your use case, see [Select a method to invoke your Lambda function using an HTTP request](apig-http-invoke-decision.md). Resources in your API define one or more methods, such as GET or POST. Methods have an integration that routes requests to a Lambda function or another integration type. You can define each resource and method individually, or use special resource and method types to match all requests that fit a pattern. A [proxy resource](https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-lambda-proxy-integrations.html) catches all paths beneath a resource. The `ANY` method catches all HTTP methods. **Topics** + [ ## Choosing an API type ](#services-apigateway-apitypes) + [ ## Adding an endpoint to your Lambda function ](#apigateway-add) + [ ## Proxy integration ](#apigateway-proxy) + [ ## Event format ](#apigateway-example-event) + [ ## Response format ](#apigateway-types-transforms) + [ ## Permissions ](#apigateway-permissions) + [ ## Sample application ](#services-apigateway-samples) + [ ## The event handler from Powertools for AWS Lambda ](#services-apigateway-powertools) + [ # Tutorial: Using Lambda with API Gateway ](services-apigateway-tutorial.md) + [ # Handling Lambda errors with an API Gateway API ](services-apigateway-errors.md) + [ # Select a method to invoke your Lambda function using an HTTP request ](apig-http-invoke-decision.md) ## Choosing an API type API Gateway supports three types of APIs that invoke Lambda functions: + [HTTP API](https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api.html): A lightweight, low-latency RESTful API. + [REST API](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-rest-api.html): A customizable, feature-rich RESTful API. + [WebSocket API](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-websocket-api.html): A web API that maintains persistent connections with clients for full-duplex communication. HTTP APIs and REST APIs are both RESTful APIs that process HTTP requests and return responses. HTTP APIs are newer and are built with the API Gateway version 2 API. The following features are new for HTTP APIs: **HTTP API features** + **Automatic deployments** – When you modify routes or integrations, changes deploy automatically to stages that have automatic deployment enabled. + **Default stage** – You can create a default stage (`$default`) to serve requests at the root path of your API's URL. For named stages, you must include the stage name at the beginning of the path. + **CORS configuration** – You can configure your API to add CORS headers to outgoing responses, instead of adding them manually in your function code. REST APIs are the classic RESTful APIs that API Gateway has supported since launch. REST APIs currently have more customization, integration, and management features. **REST API features** + **Integration types** – REST APIs support custom Lambda integrations. With a custom integration, you can send just the body of the request to the function, or apply a transform template to the request body before sending it to the function. + **Access control** – REST APIs support more options for authentication and authorization. + **Monitoring and tracing** – REST APIs support AWS X-Ray tracing and additional logging options. For a detailed comparison, see [Choose between HTTP APIs and REST APIs](https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-vs-rest.html) in the *API Gateway Developer Guide*. WebSocket APIs also use the API Gateway version 2 API and support a similar feature set. Use a WebSocket API for applications that benefit from a persistent connection between the client and API. WebSocket APIs provide full-duplex communication, which means that both the client and the API can send messages continuously without waiting for a response. HTTP APIs support a simplified event format (version 2.0). For an example of an event from an HTTP API, see [Create AWS Lambda proxy integrations for HTTP APIs in API Gateway](https://docs.aws.amazon.com//apigateway/latest/developerguide/http-api-develop-integrations-lambda.html). For more information, see [Create AWS Lambda proxy integrations for HTTP APIs in API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-develop-integrations-lambda.html). ## Adding an endpoint to your Lambda function **To add a public endpoint to your Lambda function** 1. Open the [Functions page](https://console.aws.amazon.com/lambda/home#/functions) of the Lambda console. 1. Choose a function. 1. Under **Function overview**, choose **Add trigger**. 1. Select **API Gateway**. 1. Choose **Create an API** or **Use an existing API**. 1. **New API:** For **API type**, choose **HTTP API**. For more information, see [Choosing an API type](#services-apigateway-apitypes). 1. **Existing API:** Select the API from the dropdown list or enter the API ID (for example, r3pmxmplak). 1. For **Security**, choose **Open**. 1. Choose **Add**. ## Proxy integration API Gateway APIs are comprised of stages, resources, methods, and integrations. The stage and resource determine the path of the endpoint: **API path format** + `/prod/` – The `prod` stage and root resource. + `/prod/user` – The `prod` stage and `user` resource. + `/dev/{proxy+}` – Any route in the `dev` stage. + `/` – (HTTP APIs) The default stage and root resource. A Lambda integration maps a path and HTTP method combination to a Lambda function. You can configure API Gateway to pass the body of the HTTP request as-is (custom integration), or to encapsulate the request body in a document that includes all of the request information including headers, resource, path, and method. For more information, see [Lambda proxy integrations in API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-lambda-proxy-integrations.html). ## Event format Amazon API Gateway invokes your function [synchronously](invocation-sync.md) with an event that contains a JSON representation of the HTTP request. For a custom integration, the event is the body of the request. For a proxy integration, the event has a defined structure. For an example of a proxy event from an API Gateway REST API, see [Input format of a Lambda function for proxy integration](https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-lambda-proxy-integrations.html#api-gateway-simple-proxy-for-lambda-input-format) in the *API Gateway Developer Guide*. ## Response format API Gateway waits for a response from your function and relays the result to the caller. For a custom integration, you define an integration response and a method response to convert the output from the function to an HTTP response. For a proxy integration, the function must respond with a representation of the response in a specific format. The following example shows a response object from a Node.js function. The response object represents a successful HTTP response that contains a JSON document. **Example index.mjs – Proxy integration response object (Node.js)** ``` var response = { "statusCode": 200, "headers": { "Content-Type": "application/json" }, "isBase64Encoded": false, "multiValueHeaders": { "X-Custom-Header": ["My value", "My other value"], }, "body": "{\n \"TotalCodeSize\": 104330022,\n \"FunctionCount\": 26\n}" } ``` The Lambda runtime serializes the response object into JSON and sends it to the API. The API parses the response and uses it to create an HTTP response, which it then sends to the client that made the original request. **Example HTTP response** ``` < HTTP/1.1 200 OK < Content-Type: application/json < Content-Length: 55 < Connection: keep-alive < x-amzn-RequestId: 32998fea-xmpl-4268-8c72-16138d629356 < X-Custom-Header: My value < X-Custom-Header: My other value < X-Amzn-Trace-Id: Root=1-5e6aa925-ccecxmplbae116148e52f036 < { "TotalCodeSize": 104330022, "FunctionCount": 26 } ``` ## Permissions Amazon API Gateway gets permission to invoke your function from the function's [resource-based policy](access-control-resource-based.md). You can grant invoke permission to an entire API, or grant limited access to a stage, resource, or method. When you add an API to your function by using the Lambda console, using the API Gateway console, or in an AWS SAM template, the function's resource-based policy is updated automatically. The following is an example function policy. **Example function policy** **** ``` { "Version":"2012-10-17", "Id": "default", "Statement": [ { "Sid": "nodejs-apig-functiongetEndpointPermissionProd-BWDBXMPLXE2F", "Effect": "Allow", "Principal": { "Service": "apigateway.amazonaws.com" }, "Action": "lambda:InvokeFunction", "Resource": "arn:aws:lambda:us-east-2:111122223333:function:nodejs-apig-function-1G3MXMPLXVXYI", "Condition": { "StringEquals": { "aws:SourceAccount": "111122223333" }, "ArnLike": { "aws:SourceArn": "arn:aws:execute-api:us-east-2:111122223333:ktyvxmpls1/*/GET/" } } } ] } ``` You can manage function policy permissions manually with the following API operations: + [AddPermission](https://docs.aws.amazon.com/lambda/latest/api/API_AddPermission.html) + [RemovePermission](https://docs.aws.amazon.com/lambda/latest/api/API_RemovePermission.html) + [GetPolicy](https://docs.aws.amazon.com/lambda/latest/api/API_GetPolicy.html) To grant invocation permission to an existing API, use the `add-permission` command. Example: ``` aws lambda add-permission \ --function-name my-function \ --statement-id apigateway-get --action lambda:InvokeFunction \ --principal apigateway.amazonaws.com \ --source-arn "arn:aws:execute-api:us-east-2:123456789012:mnh1xmpli7/default/GET/" ``` You should see the following output: ``` { "Statement": "{\"Sid\":\"apigateway-test-2\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"apigateway.amazonaws.com\"},\"Action\":\"lambda:InvokeFunction\",\"Resource\":\"arn:aws:lambda:us-east-2:123456789012:function:my-function\",\"Condition\":{\"ArnLike\":{\"AWS:SourceArn\":\"arn:aws:execute-api:us-east-2:123456789012:mnh1xmpli7/default/GET\"}}}" } ``` **Note** If your function and API are in different AWS Regions, the Region identifier in the source ARN must match the Region of the function, not the Region of the API. When API Gateway invokes a function, it uses a resource ARN that is based on the ARN of the API, but modified to match the function's Region. The source ARN in this example grants permission to an integration on the GET method of the root resource in the default stage of an API, with ID `mnh1xmpli7`. You can use an asterisk in the source ARN to grant permissions to multiple stages, methods, or resources. **Resource patterns** + `mnh1xmpli7/*/GET/*` – GET method on all resources in all stages. + `mnh1xmpli7/prod/ANY/user` – ANY method on the `user` resource in the `prod` stage. + `mnh1xmpli7/*/*/*` – Any method on all resources in all stages. For details on viewing the policy and removing statements, see [Viewing resource-based IAM policies in Lambda](access-control-resource-based.md). ## Sample application The [API Gateway with Node.js](https://github.com/awsdocs/aws-lambda-developer-guide/tree/main/sample-apps/nodejs-apig) sample app includes a function with an AWS SAM template that creates a REST API that has AWS X-Ray tracing enabled. It also includes scripts for deploying, invoking the function, testing the API, and cleanup. ## The event handler from Powertools for AWS Lambda The event handler from the Powertools for AWS Lambda toolkit provides routing, middleware, CORS configuration, OpenAPI spec generation, request validation, error handling, and other useful features when writing Lambda functions invoked by an API Gateway endpoint (HTTP or REST). The event handler utility is available for Python and TypeScript/JavaScript. For more information, see [Event Handler REST API](https://docs.powertools.aws.dev/lambda/python/latest/core/event_handler/api_gateway/) in the *Powertools for AWS Lambda (Python) documentation* and [Event Handler HTTP API](https://docs.aws.amazon.com/powertools/typescript/latest/features/event-handler/http/) in the *Powertools for AWS Lambda (TypeScript) documentation*. ### Python ``` from aws_lambda_powertools import Logger from aws_lambda_powertools.event_handler import APIGatewayRestResolver from aws_lambda_powertools.logging import correlation_paths from aws_lambda_powertools.utilities.typing.lambda_context import LambdaContext app = APIGatewayRestResolver() logger = Logger() @app.get("/healthz") def ping(): return {"message": "health status ok"} @logger.inject_lambda_context(correlation_id_path=correlation_paths.API_GATEWAY_REST) def lambda_handler(event: dict, context: LambdaContext) -> dict: return app.resolve(event, context) ``` ### Typescript ``` import { Router } from '@aws-lambda-powertools/event-handler/experimental-rest'; import { Logger } from '@aws-lambda-powertools/logger'; import { correlationPaths, search, } from '@aws-lambda-powertools/logger/correlationId'; import type { Context } from 'aws-lambda/handler'; const logger = new Logger({ correlationIdSearchFn: search, }); const app = new Router({ logger }); app.get("/healthz", async () => { return { message: "health status ok" }; }); export const handler = async (event: unknown, context: Context) => { // You can continue using other utilities just as before logger.addContext(context); logger.setCorrelationId(event, correlationPaths.API_GATEWAY_REST); return app.resolve(event, context); }; ``` # Tutorial: Using Lambda with API Gateway Tutorial In this tutorial, you create a REST API through which you invoke a Lambda function using an HTTP request. Your Lambda function will perform create, read, update, and delete (CRUD) operations on a DynamoDB table. This function is provided here for demonstration, but you will learn to configure an API Gateway REST API that can invoke any Lambda function. ![\[\]](http://docs.aws.amazon.com/lambda/latest/dg/images/APIG_tut_resources.png) Using API Gateway provides users with a secure HTTP endpoint to invoke your Lambda function and can help manage large volumes of calls to your function by throttling traffic and automatically validating and authorizing API calls. API Gateway also provides flexible security controls using AWS Identity and Access Management (IAM) and Amazon Cognito. This is useful for use cases where advance authorization is required for calls to your application. **Tip** Lambda offers two ways to invoke your function through an HTTP endpoint: API Gateway and Lambda function URLs. If you're not sure which is the best method for your use case, see [Select a method to invoke your Lambda function using an HTTP request](apig-http-invoke-decision.md). To complete this tutorial, you will go through the following stages: 1. Create and configure a Lambda function in Python or Node.js to perform operations on a DynamoDB table. 1. Create a REST API in API Gateway to connect to your Lambda function. 1. Create a DynamoDB table and test it with your Lambda function in the console. 1. Deploy your API and test the full setup using curl in a terminal. By completing these stages, you will learn how to use API Gateway to create an HTTP endpoint that can securely invoke a Lambda function at any scale. You will also learn how to deploy your API, and how to test it in the console and by sending an HTTP request using a terminal. ## Create a permissions policy Before you can create an [execution role](lambda-intro-execution-role.md) for your Lambda function, you first need to create a permissions policy to give your function permission to access the required AWS resources. For this tutorial, the policy allows Lambda to perform CRUD operations on a DynamoDB table and write to Amazon CloudWatch Logs. **To create the policy** 1. Open the [Policies page](https://console.aws.amazon.com/iam/home#/policies) of the IAM console. 1. Choose **Create Policy**. 1. Choose the **JSON** tab, and then paste the following custom policy into the JSON editor. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "Stmt1428341300017", "Action": [ "dynamodb:DeleteItem", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:UpdateItem" ], "Effect": "Allow", "Resource": "*" }, { "Sid": "", "Resource": "*", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Effect": "Allow" } ] } ``` ------ 1. Choose **Next: Tags**. 1. Choose **Next: Review**. 1. Under **Review policy**, for the policy **Name**, enter **lambda-apigateway-policy**. 1. Choose **Create policy**. ## Create an execution role An [execution role](lambda-intro-execution-role.md) is an AWS Identity and Access Management (IAM) role that grants a Lambda function permission to access AWS services and resources. To enable your function to perform operations on a DynamoDB table, you attach the permissions policy you created in the previous step. **To create an execution role and attach your custom permissions policy** 1. Open the [Roles page](https://console.aws.amazon.com/iam/home#/roles) of the IAM console. 1. Choose **Create role**. 1. For the type of trusted entity, choose **AWS service**, then for the use case, choose **Lambda**. 1. Choose **Next**. 1. In the policy search box, enter **lambda-apigateway-policy**. 1. In the search results, select the policy that you created (`lambda-apigateway-policy`), and then choose **Next**. 1. Under **Role details**, for the **Role name**, enter **lambda-apigateway-role**, then choose **Create role**. ## Create the Lambda function 1. Open the [Functions page](https://console.aws.amazon.com/lambda/home#/functions) of the Lambda console and choose **Create Function**. 1. Choose **Author from scratch**. 1. For **Function name**, enter `LambdaFunctionOverHttps`. 1. For **Runtime**, choose the latest Node.js or Python runtime. 1. Under **Permissions**, expand **Change default execution role**. 1. Choose **Use an existing role**, and then select the **lambda-apigateway-role** role that you created earlier. 1. Choose **Create function**. 1. In the **Code source** pane, replace the default code with the following Node.js or Python code. ------ #### [ Node.js ] The `region` setting must match the AWS Region where you deploy the function and [create the DynamoDB table](#services-apigateway-tutorial-table). **Example index.mjs** ``` import { DynamoDBDocumentClient, PutCommand, GetCommand, UpdateCommand, DeleteCommand} from "@aws-sdk/lib-dynamodb"; import { DynamoDBClient } from "@aws-sdk/client-dynamodb"; const ddbClient = new DynamoDBClient({ region: "us-east-2" }); const ddbDocClient = DynamoDBDocumentClient.from(ddbClient); // Define the name of the DDB table to perform the CRUD operations on const tablename = "lambda-apigateway"; /** * Provide an event that contains the following keys: * * - operation: one of 'create,' 'read,' 'update,' 'delete,' or 'echo' * - payload: a JSON object containing the parameters for the table item * to perform the operation on */ export const handler = async (event, context) => { const operation = event.operation; if (operation == 'echo'){ return(event.payload); } else { event.payload.TableName = tablename; let response; switch (operation) { case 'create': response = await ddbDocClient.send(new PutCommand(event.payload)); break; case 'read': response = await ddbDocClient.send(new GetCommand(event.payload)); break; case 'update': response = ddbDocClient.send(new UpdateCommand(event.payload)); break; case 'delete': response = ddbDocClient.send(new DeleteCommand(event.payload)); break; default: response = 'Unknown operation: ${operation}'; } console.log(response); return response; } }; ``` ------ #### [ Python ] **Example lambda\$1function.py** ``` import boto3 # Define the DynamoDB table that Lambda will connect to table_name = "lambda-apigateway" # Create the DynamoDB resource dynamo = boto3.resource('dynamodb').Table(table_name) # Define some functions to perform the CRUD operations def create(payload): return dynamo.put_item(Item=payload['Item']) def read(payload): return dynamo.get_item(Key=payload['Key']) def update(payload): return dynamo.update_item(**{k: payload[k] for k in ['Key', 'UpdateExpression', 'ExpressionAttributeNames', 'ExpressionAttributeValues'] if k in payload}) def delete(payload): return dynamo.delete_item(Key=payload['Key']) def echo(payload): return payload operations = { 'create': create, 'read': read, 'update': update, 'delete': delete, 'echo': echo, } def lambda_handler(event, context): '''Provide an event that contains the following keys: - operation: one of the operations in the operations dict below - payload: a JSON object containing parameters to pass to the operation being performed ''' operation = event['operation'] payload = event['payload'] if operation in operations: return operations[operation](payload) else: raise ValueError(f'Unrecognized operation "{operation}"') ``` ------ **Note** In this example, the name of the DynamoDB table is defined as a variable in your function code. In a real application, best practice is to pass this parameter as an environment variable and to avoid hardcoding the table name. For more information see [Using AWS Lambda environment variables](https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html). 1. In the **DEPLOY** section, choose **Deploy** to update your function's code: ![\[\]](http://docs.aws.amazon.com/lambda/latest/dg/images/getting-started-tutorial/deploy-console.png) ## Test the function Before integrating your function with API Gateway, confirm that you have deployed the function successfully. Use the Lambda console to send a test event to your function. 1. On the Lambda console page for your function, choose the **Test** tab. ![\[\]](http://docs.aws.amazon.com/lambda/latest/dg/images/test-tab.png) 1. Scroll down to the **Event JSON** section and replace the default event with the following. This event matches the structure expected by the Lambda function. ``` { "operation": "echo", "payload": { "somekey1": "somevalue1", "somekey2": "somevalue2" } } ``` 1. Choose **Test**. 1. Under **Executing function: succeeded**, expand **Details**. You should see the following response: ``` { "somekey1": "somevalue1", "somekey2": "somevalue2" } ``` ## Create a REST API using API Gateway In this step, you create the API Gateway REST API you will use to invoke your Lambda function. **To create the API** 1. Open the [API Gateway console](https://console.aws.amazon.com/apigateway). 1. Choose **Create API**. 1. In the **REST API** box, choose **Build**. 1. Under **API details**, leave **New API** selected, and for **API Name**, enter **DynamoDBOperations**. 1. Choose **Create API**. ## Create a resource on your REST API To add an HTTP method to your API, you first need to create a resource for that method to operate on. Here you create the resource to manage your DynamoDB table. **To create the resource** 1. In the [API Gateway console](https://console.aws.amazon.com/apigateway), on the **Resources** page for your API, choose **Create resource**. 1. In **Resource details**, for **Resource name** enter **DynamoDBManager**. 1. Choose **Create Resource**. ## Create an HTTP POST method In this step, you create a method (`POST`) for your `DynamoDBManager` resource. You link this `POST` method to your Lambda function so that when the method receives an HTTP request, API Gateway invokes your Lambda function. **Note** For the purpose of this tutorial, one HTTP method (`POST`) is used to invoke a single Lambda function which carries out all of the operations on your DynamoDB table. In a real application, best practice is to use a different Lambda function and HTTP method for each operation. For more information, see [The Lambda monolith](https://serverlessland.com/content/service/lambda/guides/aws-lambda-operator-guide/monolith) in Serverless Land. **To create the POST method** 1. On the **Resources** page for your API, ensure that the `/DynamoDBManager` resource is highlighted. Then, in the **Methods** pane, choose **Create method**. 1. For **Method type**, choose **POST**. 1. For **Integration type**, leave **Lambda function** selected. 1. For **Lambda function**, choose the Amazon Resource Name (ARN) for your function (`LambdaFunctionOverHttps`). 1. Choose **Create method**. ## Create a DynamoDB table Create an empty DynamoDB table that your Lambda function will perform CRUD operations on. **To create the DynamoDB table** 1. Open the [Tables page](https://console.aws.amazon.com/dynamodbv2#tables) of the DynamoDB console. 1. Choose **Create table**. 1. Under **Table details**, do the following: 1. For **Table name**, enter **lambda-apigateway**. 1. For **Partition key**, enter **id**, and keep the data type set as **String**. 1. Under **Table settings**, keep the **Default settings**. 1. Choose **Create table**. ## Test the integration of API Gateway, Lambda, and DynamoDB You're now ready to test the integration of your API Gateway API method with your Lambda function and your DynamoDB table. Using the API Gateway console, you send requests directly to your `POST` method using the console's test function. In this step, you first use a `create` operation to add a new item to your DynamoDB table, then you use an `update` operation to modify the item. **Test 1: To create a new item in your DynamoDB table** 1. In the [API Gateway console](https://console.aws.amazon.com/apigateway), choose your API (`DynamoDBOperations`). 1. Choose the **POST** method under the `DynamoDBManager` resource. 1. Choose the **Test** tab. You might need to choose the right arrow button to show the tab. 1. Under **Test method**, leave **Query strings** and **Headers** empty. For **Request body**, paste the following JSON: ``` { "operation": "create", "payload": { "Item": { "id": "1234ABCD", "number": 5 } } } ``` 1. Choose **Test**. The results that are displayed when the test completes should show status `200`. This status code indicates that the `create` operation was successful. To confirm, check that your DynamoDB table now contains the new item. 1. Open the [Tables page](https://console.aws.amazon.com/dynamodbv2#tables) of the DynamoDB console and choose the `lambda-apigateway` table. 1. Chose **Explore table items**. In the **Items returned** pane, you should see one item with the **id** `1234ABCD` and the **number** `5`. Example: ![\[\]](http://docs.aws.amazon.com/lambda/latest/dg/images/items-returned.png) **Test 2: To update the item in your DynamoDB table** 1. In the [API Gateway console](https://console.aws.amazon.com/apigateway), return to your POST method's **Test** tab. 1. Under **Test method**, leave **Query strings** and **Headers** empty. For **Request body**, paste the following JSON: ``` { "operation": "update", "payload": { "Key": { "id": "1234ABCD" }, "UpdateExpression": "SET #num = :newNum", "ExpressionAttributeNames": { "#num": "number" }, "ExpressionAttributeValues": { ":newNum": 10 } } } ``` 1. Choose **Test**. The results which are displayed when the test completes should show status `200`. This status code indicates that the `update` operation was successful. To confirm, check that the item in your DynamoDB table has been modified. 1. Open the [Tables page](https://console.aws.amazon.com/dynamodbv2#tables) of the DynamoDB console and choose the `lambda-apigateway` table. 1. Chose **Explore table items**. In the **Items returned** pane, you should see one item with the **id** `1234ABCD` and the **number** `10`. ![\[\]](http://docs.aws.amazon.com/lambda/latest/dg/images/items-returned-2.png) ## Deploy the API For a client to call the API, you must create a deployment and an associated stage. A stage represents a snapshot of your API including its methods and integrations. **To deploy the API** 1. Open the **APIs** page of the [API Gateway console](https://console.aws.amazon.com/apigateway) and choose the `DynamoDBOperations` API. 1. On the **Resources** page for your API choose **Deploy API**. 1. For **Stage**, choose **\$1New stage\$1**, then for **Stage name**, enter **test**. 1. Choose **Deploy**. 1. In the **Stage details** pane, copy the **Invoke URL**. You will use this in the next step to invoke your function using an HTTP request. ## Use curl to invoke your function using HTTP requests You can now invoke your Lambda function by issuing an HTTP request to your API. In this step, you will create a new item in your DynamoDB table and then perform read, update, and delete operations on that item. **To create an item in your DynamoDB table using curl** 1. Open a terminal or command prompt on your local machine and run the following `curl` command using the invoke URL you copied in the previous step. This command uses the following options: + `-H`: Adds a custom header to the request. Here, it specifies the content type as JSON. + `-d`: Sends data in the request body. This option uses an HTTP POST method by default. ------ #### [ Linux/macOS ] ``` curl https://l8togsqxd8.execute-api.us-east-2.amazonaws.com/test/DynamoDBManager \ -H "Content-Type: application/json" \ -d '{"operation": "create", "payload": {"Item": {"id": "5678EFGH", "number": 15}}}' ``` ------ #### [ PowerShell ] ``` curl.exe 'https://l8togsqxd8.execute-api.us-east-2.amazonaws.com/test/DynamoDBManager' -H 'Content-Type: application/json' -d '{\"operation\": \"create\", \"payload\": {\"Item\": {\"id\": \"5678EFGH\", \"number\": 15}}}' ``` ------ If the operation was successful, you should see a response returned with an HTTP status code of 200. 1. You can also use the DynamoDB console to verify that the new item is in your table by doing the following: 1. Open the [Tables page](https://console.aws.amazon.com/dynamodbv2#tables) of the DynamoDB console and choose the `lambda-apigateway` table. 1. Choose **Explore table items**. In the **Items returned** pane, you should see an item with the **id** `5678EFGH` and the **number** `15`. **To read the item in your DynamoDB table using curl** + In your terminal or command prompt, run the following `curl` command to read the value of the item you just created. Use your own invoke URL. ------ #### [ Linux/macOS ] ``` curl https://l8togsqxd8.execute-api.us-east-2.amazonaws.com/test/DynamoDBManager \ -H "Content-Type: application/json" \ -d '{"operation": "read", "payload": {"Key": {"id": "5678EFGH"}}}' ``` ------ #### [ PowerShell ] ``` curl.exe 'https://l8togsqxd8.execute-api.us-east-2.amazonaws.com/test/DynamoDBManager' -H 'Content-Type: application/json' -d '{\"operation\": \"read\", \"payload\": {\"Key\": {\"id\": \"5678EFGH\"}}}' ``` ------ You should see output like one of the following depending on whether you chose the Node.js or Python function code: ------ #### [ Node.js ] ``` {"$metadata":{"httpStatusCode":200,"requestId":"7BP3G5Q0C0O1E50FBQI9NS099JVV4KQNSO5AEMVJF66Q9ASUAAJG", "attempts":1,"totalRetryDelay":0},"Item":{"id":"5678EFGH","number":15}} ``` ------ #### [ Python ] ``` {"Item":{"id":"5678EFGH","number":15},"ResponseMetadata":{"RequestId":"QNDJICE52E86B82VETR6RKBE5BVV4KQNSO5AEMVJF66Q9ASUAAJG", "HTTPStatusCode":200,"HTTPHeaders":{"server":"Server","date":"Wed, 31 Jul 2024 00:37:01 GMT","content-type":"application/x-amz-json-1.0", "content-length":"52","connection":"keep-alive","x-amzn-requestid":"QNDJICE52E86B82VETR6RKBE5BVV4KQNSO5AEMVJF66Q9ASUAAJG","x-amz-crc32":"2589610852"}, "RetryAttempts":0}} ``` ------ **To update the item in your DynamoDB table using curl** 1. In your terminal or command prompt, run the following `curl` command to update the item you just created by changing the `number` value. Use your own invoke URL. ------ #### [ Linux/macOS ] ``` curl https://l8togsqxd8.execute-api.us-east-2.amazonaws.com/test/DynamoDBManager \ -H "Content-Type: application/json" \ -d '{"operation": "update", "payload": {"Key": {"id": "5678EFGH"}, "UpdateExpression": "SET #num = :new_value", "ExpressionAttributeNames": {"#num": "number"}, "ExpressionAttributeValues": {":new_value": 42}}}' ``` ------ #### [ PowerShell ] ``` curl.exe 'https://l8togsqxd8.execute-api.us-east-2.amazonaws.com/test/DynamoDBManager' -H 'Content-Type: application/json' -d '{\"operation\": \"update\", \"payload\": {\"Key\": {\"id\": \"5678EFGH\"}, \"UpdateExpression\": \"SET #num = :new_value\", \"ExpressionAttributeNames\": {\"#num\": \"number\"}, \"ExpressionAttributeValues\": {\":new_value\": 42}}}' ``` ------ 1. To confirm that the value of `number` for the item has been updated, run another read command: ------ #### [ Linux/macOS ] ``` curl https://l8togsqxd8.execute-api.us-east-2.amazonaws.com/test/DynamoDBManager \ -H "Content-Type: application/json" \ -d '{"operation": "read", "payload": {"Key": {"id": "5678EFGH"}}}' ``` ------ #### [ PowerShell ] ``` curl.exe 'https://l8togsqxd8.execute-api.us-east-2.amazonaws.com/test/DynamoDBManager' -H 'Content-Type: application/json' -d '{\"operation\": \"read\", \"payload\": {\"Key\": {\"id\": \"5678EFGH\"}}}' ``` ------ **To delete the item in your DynamoDB table using curl** 1. In your terminal or command prompt, run the following `curl` command to delete the item you just created. Use your own invoke URL. ------ #### [ Linux/macOS ] ``` curl https://l8togsqxd8.execute-api.us-east-2.amazonaws.com/test/DynamoDBManager \ -H "Content-Type: application/json" \ -d '{"operation": "delete", "payload": {"Key": {"id": "5678EFGH"}}}' ``` ------ #### [ PowerShell ] ``` curl.exe 'https://l8togsqxd8.execute-api.us-east-2.amazonaws.com/test/DynamoDBManager' -H 'Content-Type: application/json' -d '{\"operation\": \"delete\", \"payload\": {\"Key\": {\"id\": \"5678EFGH\"}}}' ``` ------ 1. Confirm that the delete operation was successful. In the **Items returned** pane of the DynamoDB console **Explore items** page, verify that the item with **id** `5678EFGH` is no longer in the table. ## Clean up your resources (optional) You can now delete the resources that you created for this tutorial, unless you want to retain them. By deleting AWS resources that you're no longer using, you prevent unnecessary charges to your AWS account. **To delete the Lambda function** 1. Open the [Functions page](https://console.aws.amazon.com/lambda/home#/functions) of the Lambda console. 1. Select the function that you created. 1. Choose **Actions**, **Delete**. 1. Type **confirm** in the text input field and choose **Delete**. **To delete the execution role** 1. Open the [Roles page](https://console.aws.amazon.com/iam/home#/roles) of the IAM console. 1. Select the execution role that you created. 1. Choose **Delete**. 1. Enter the name of the role in the text input field and choose **Delete**. **To delete the API** 1. Open the [APIs page](https://console.aws.amazon.com/apigateway/main/apis) of the API Gateway console. 1. Select the API you created. 1. Choose **Actions**, **Delete**. 1. Choose **Delete**. **To delete the DynamoDB table** 1. Open the [Tables page](https://console.aws.amazon.com//dynamodb/home#tables:) of the DynamoDB console. 1. Select the table you created. 1. Choose **Delete**. 1. Enter **delete** in the text box. 1. Choose **Delete table**. # Handling Lambda errors with an API Gateway API Errors API Gateway treats all invocation and function errors as internal errors. If the Lambda API rejects the invocation request, API Gateway returns a 500 error code. If the function runs but returns an error, or returns a response in the wrong format, API Gateway returns a 502. In both cases, the body of the response from API Gateway is `{"message": "Internal server error"}`. **Note** API Gateway does not retry any Lambda invocations. If Lambda returns an error, API Gateway returns an error response to the client. The following example shows an X-Ray trace map for a request that resulted in a function error and a 502 from API Gateway. The client receives the generic error message. ![\[\]](http://docs.aws.amazon.com/lambda/latest/dg/images/tracemap-apig-502.png) To customize the error response, you must catch errors in your code and format a response in the required format. **Example [index.mjs](https://github.com/awsdocs/aws-lambda-developer-guide/tree/main/sample-apps/nodejs-apig/function/index.mjs) – Error formatting** ``` var formatError = function(error){ var response = { "statusCode": error.statusCode, "headers": { "Content-Type": "text/plain", "x-amzn-ErrorType": error.code }, "isBase64Encoded": false, "body": error.code + ": " + error.message } return response } ``` API Gateway converts this response into an HTTP error with a custom status code and body. In the trace map, the function node is green because it handled the error. ![\[\]](http://docs.aws.amazon.com/lambda/latest/dg/images/tracemap-apig-404.png) # Select a method to invoke your Lambda function using an HTTP request API Gateway vs function URLs Many common use cases for Lambda involve invoking your function using an HTTP request. For example, you might want a web application to invoke your function through a browser request. Lambda functions can also be used to create full REST APIs, handle user interactions from mobile apps, process data from external services via HTTP calls, or create custom webhooks. The following sections explain what your choices are for invoking Lambda through HTTP and provide information to help you make the right decision for your particular use case. ## What are your choices when selecting an HTTP invoke method? What are your choices Lambda offers two main methods to invoke a function using an HTTP request - [function URLs](urls-configuration.md) and [API Gateway](services-apigateway.md). The key differences between these two options are as follows: + **Lambda function URLs** provide a simple, direct HTTP endpoint for a Lambda function. They are optimized for simplicity and cost-effectiveness and provide the fastest path to expose a Lambda function via HTTP. + **API Gateway** is a more advanced service for building fully-featured APIs. API Gateway is optimized for building and managing productions APIs at scale and provides comprehensive tools for security, monitoring, and traffic management. ## Recommendations if you already know your requirements Basic recommendations If you're already clear on your requirements, here are our basic recommendations: We recommend **[function URLs](urls-configuration.md)** for simple applications or prototyping where you only need basic authentication methods and request/response handling and where you want to keep costs and complexity to a minimum. **[API Gateway](services-apigateway.md)** is a better choice for production applications at scale or for cases where you need more advanced features like [OpenAPI Description](https://www.openapis.org/) support, a choice of authentication options, custom domain names, or rich request/response handling including throttling, caching, and request/response transformation. ## What to consider when selecting a method to invoke your Lambda function What to consider When selecting between function URLs and API Gateway, you need to consider the following factors: + Your authentication needs, such as whether you require OAuth or Amazon Cognito to authenticate users + Your scaling requirements and the complexity of the API you want to implement + Whether you need advanced features such as request validation and request/response formatting + Your monitoring requirements + Your cost goals By understanding these factors, you can select the option that best balances your security, complexity, and cost requirements. The following information summarizes the main differences between the two options. ### Authentication + **Function URLs** provide basic authentication options through AWS Identity and Access Management (IAM). You can configure your endpoints to be either public (no authentication) or to require IAM authentication. With IAM authentication, you can use standard AWS credentials or IAM roles to control access. While straightforward to set up, this approach provides limited options compared with other authenticaton methods. + **API Gateway** provides access to a more comprehensive range of authentication options. As well as IAM authentication, you can use [Lambda authorizers](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html) (custom authentication logic), [Amazon Cognito](https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html) user pools, and OAuth2.0 flows. This flexibility allows you to implement complex authentication schemes, including third-party authentication providers, token-based authentication, and multi-factor authentication. ### Request/response handling + **Function URLs** provide basic HTTP request and response handling. They support standard HTTP methods and include built-in cross-origin resource sharing (CORS) support. While they can handle JSON payloads and query parameters naturally, they don't offer request transformation or validation capabilities. Response handling is similarly straightforward – the client receives the response from your Lambda function exactly as Lambda returns it. + **API Gateway** provides sophisticated request and response handling capabilities. You can define request validators, transform requests and responses using mapping templates, set up request/response headers, and implement response caching. API Gateway also supports binary payloads and custom domain names and can modify responses before they reach the client. You can set up models for request/response validation and transformation using JSON Schema. ### Scaling + **Function URLs** scale directly with your Lambda function's concurrency limits and handle traffic spikes by scaling your function up to its maximum configured concurrency limit. Once that limit is reached, Lambda responds to additional requests with HTTP 429 responses. There's no built-in queuing mechanism, so handling scaling is entirely dependent on your Lambda function's configuration. By default, Lambda functions have a limit of 1,000 concurrent executions per AWS Region. + **API Gateway** provides additional scaling capabilities on top of Lambda's own scaling. It includes built-in request queuing and throttling controls, allowing you to manage traffic spikes more gracefully. API Gateway can handle up to 10,000 requests per second per region by default, with a burst capacity of 5,000 requests per second. It also provides tools to throttle requests at different levels (API, stage, or method) to protect your backend. ### Monitoring + **Function URLs** offer basic monitoring through Amazon CloudWatch metrics, including request count, latency, and error rates. You get access to standard Lambda metrics and logs, which show the raw requests coming into your function. While this provides essential operational visibility, the metrics are focused mainly on function execution. + **API Gateway** provides comprehensive monitoring capabilities including detailed metrics, logging, and tracing options. You can monitor API calls, latency, error rates, and cache hit/miss rates through CloudWatch. API Gateway also integrates with AWS X-Ray for distributed tracing and provides customizable logging formats. ### Cost + **Function URLs** follow the standard Lambda pricing model – you only pay for function invocations and compute time. There are no additional charges for the URL endpoint itself. This makes it a cost-effective choice for simple APIs or low-traffic applications if you don't need the additional features of API Gateway. + **API Gateway** offers a [free tier](https://aws.amazon.com/api-gateway/pricing/#Free_Tier) that includes one million API calls received for REST APIs and one million API calls received for HTTP APIs. After this, API Gateway charges for API calls, data transfer, and caching (if enabled). Refer to the API Gateway [pricing page](https://aws.amazon.com/api-gateway/pricing/) to understand the costs for your own use case. ### Other features + **Function URLs** are designed for simplicity and direct Lambda integration. They support both HTTP and HTTPS endpoints, offer built-in CORS support, and provide dual-stack (IPv4 and IPv6) endpoints. While they lack advanced features, they excel in scenarios where you need a quick, straightforward way to expose Lambda functions via HTTP. + **API Gateway** includes numerous additional features such as API versioning, stage management, API keys for usage plans, API documentation through Swagger/OpenAPI, WebSocket APIs, private APIs within a VPC, and WAF integration for additional security. It also supports canary deployments, mock integrations for testing, and integration with other AWS services beyond Lambda. ## Select a method to invoke your Lambda function Select an invoke method Now that you've read about the criteria for selecting between Lambda function URLs and API Gateway and the key differences between them, you can select the option that best meets your needs and use the following resources to help you get started using it. ------ #### [ Function URLs ] **Get started with function URLs with the following resources** + Follow the tutorial [Creating a Lambda function with a function URL](urls-webhook-tutorial.md) + Learn more about function URLs in the [Creating and managing Lambda function URLs](urls-configuration.md) chapter of this guide + Try the in-console guided tutorial **Create a simple web app** by doing the following: 1. Open the [functions page](https://console.aws.amazon.com/lambda/home#/functions) of the Lambda console. 1. Open the help panel by choosing the icon in the top right corner of the screen. ![\[\]](http://docs.aws.amazon.com/lambda/latest/dg/images/console_help_screenshot.png) 1. Select **Tutorials**. 1. In **Create a simple web app**, choose **Start tutorial**. ------ #### [ API Gateway ] **Get started with Lambda and API Gateway with the following resources** + Follow the tutorial [Using Lambda with API Gateway](services-apigateway-tutorial.md) to create a REST API integrated with a backend Lambda function. + Learn more about the different kinds of API offered by API Gateway in the following sections of the *Amazon API Gateway Developer Guide*: + [API Gateway REST APIs](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-rest-api.html) + [API Gateway HTTP APIs](https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api.html) + [API Gateway WebSocket APIs](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-websocket-api.html) + Try one or more of the examples in the [Tutorials and workshops](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-tutorials.html) section of the *Amazon API Gateway Developer Guide*. ------