With Quarkus you can deploy your favorite Java HTTP frameworks as Amazon Lambda’s using either the AWS Gateway HTTP API or AWS Gateway REST API. This means that you can deploy your microservices written with RESTEasy (JAX-RS), Undertow (servlet), Vert.x Web, Funqy HTTP or any other Quarkus HTTP framework as an AWS Lambda.
You can deploy your Lambda as a pure Java jar, or you can compile your project to a native image and deploy that for a smaller memory footprint and startup time. Our integration also generates SAM deployment files that can be consumed by Amazon’s SAM framework.
Quarkus has a different extension for each Gateway API. The HTTP Gateway API is implemented within the quarkus-amazon-lambda-http extension.
The REST Gateway API is implemented within the quarkus-amazon-lambda-rest extension. If you are confused on which Gateway product to use,
Amazon has a great guide to help you navigate this decision.
To complete this guide, you need:
-
less than 30 minutes
-
JDK 11 (AWS requires JDK 1.8 or 11)
-
Apache Maven {maven-version}
This guide walks you through generating an example Java project via a maven archetype. Later on it walks through the structure of the project so you can adapt any existing projects you have to use Amazon Lambda.
Installing all the AWS bits is probably the most difficult thing about this guide. Make sure that you follow all the steps for installing AWS SAM CLI.
Create the Quarkus AWS Lambda maven project using our Maven Archetype.
If you want to use the AWS Gateway HTTP API, generate your project with this script:
mvn archetype:generate \
-DarchetypeGroupId=io.quarkus \
-DarchetypeArtifactId=quarkus-amazon-lambda-http-archetype \
-DarchetypeVersion={quarkus-version}If you want to use the AWS Gateway REST API, generate your project with this script:
mvn archetype:generate \
-DarchetypeGroupId=io.quarkus \
-DarchetypeArtifactId=quarkus-amazon-lambda-rest-archetype \
-DarchetypeVersion={quarkus-version}Build the project using maven.
./mvnw clean installThis will compile the code and run the unit tests included within the generated project. Unit testing is the same as any other Java project and does not require running on Amazon. Quarkus dev-mode is also available with this extension.
If you want to build for native too, make sure you have GraalVM installed correctly and just add a native property
to the build
./mvnw clean install -Dnative|
Note
|
If you are building on a non-Linux system, you will need to also pass in a property instructing quarkus to use a docker build as Amazon
Lambda requires linux binaries. You can do this by passing this property to your Maven build:
-Dnative-image.docker-build=true, or for Gradle: --docker-build=true. This requires you to have docker installed locally, however.
|
./mvnw clean install -Dnative -Dnative-image.docker-build=trueAfter you run the build, there are a few extra files generated by the quarkus lambda extension you are using. These files
are in the the build directory: target/ for maven, build/ for gradle.
-
function.zip- lambda deployment file -
sam.jvm.yaml- sam cli deployment script -
sam.native.yaml- sam cli deployment script for native
The AWS SAM CLI allows you to run your lambda’s locally on your laptop in a simulated Lambda environment. This requires docker to be installed (see their install docs). After you have built your maven project, execute this command
sam local start-api --template target/sam.jvm.yamlThis will start a docker container that mimics Amazon’s Lambda’s deployment environment. Once the environment is started you can invoke the example lambda in your browser by going to
In the console you’ll see startup messages from the lambda. This particular deployment starts a JVM and loads your lambda as pure Java.
sam deploy -t target/sam.jvm.yaml -gAnswer all the questions and your lambda will be deployed and the necessary hooks to the API Gateway will be set up. If everything deploys successfully, the root URL of your microservice will be output to the console. Something like this:
Key LambdaHttpApi Description URL for application Value https://234asdf234as.execute-api.us-east-1.amazonaws.com/
The Value attribute is the root URL for your lambda. Copy it to your browser and add hello at the end.
|
Note
|
Responses for binary types will be automatically encoded with base64. This is different than the behavior using
quarkus:dev which will return the raw bytes. Amazon’s API has additional restrictions requiring the base64 encoding.
In general, client code will automatically handle this encoding but in certain custom situations, you should be aware
you may need to manually manage that encoding.
|
To deploy a native executable, you must build it with Graal.
./mvnw clean install -DnativeYou can then test the executable locally with sam local
sam local start-api --template target/sam.native.yamlTo deploy to AWS Lambda:
sam deploy -t target/sam.native.yaml -gThere is nothing special about the POM other than the inclusion of the quarkus-amazon-lambda-http extension
(if you are deploying an AWS Gateway HTTP API) or the quarkus-amazon-lambda-rest extension (if you are deploy an AWS Gateway REST API).
These extensions automatically generate everything you might need for your lambda deployment.
Also, at least in the generated maven archetype pom.xml, the quarkus-resteasy, quarkus-vertx-web, and quarkus-undertow
dependencies are all optional. Pick which http framework(s) you want to use (JAX-RS, Vertx Web, and/or Servlet) and
remove the other dependencies to shrink your deployment.
The sam.yaml syntax is beyond the scope of this document. There’s a couple of things that must be highlighted just in case you are
going to craft your own custom sam.yaml deployment files.
The first thing to note is that for pure Java lambda deployments require a specific handler class. Do not change the Lambda handler name.
Properties:
Handler: io.quarkus.amazon.lambda.runtime.QuarkusStreamHandler::handleRequest
Runtime: java11This handler is a bridge between the lambda runtime and the Quarkus HTTP framework you are using (JAX-RS, Servlet, etc.)
If you want to go native, there’s an environment variable that must be set for native GraalVM deployments. If you look at sam.native.yaml
you’ll see this:
Environment:
Variables:
DISABLE_SIGNAL_HANDLERS: trueThis environment variable resolves some incompatibilities between Quarkus and the Amazon Lambda Custom Runtime environment.
Finally, there is one specific thing for AWS Gateway REST API deployments.
That API assumes that HTTP response bodies are text unless you explicitly tell it which media types are
binary through configuration. To make things easier, the Quarkus extension forces a binary (base 64) encoding of all
HTTP response messages and the sam.yaml file must configure the API Gateway to assume all media types are binary:
Globals:
Api:
EndpointConfiguration: REGIONAL
BinaryMediaTypes:
- "*/*"If you are using Resteasy and JAX-RS, you can inject various AWS Context variables into your JAX-RS resource classes
using the JAX-RS @Context annotation.
For the AWS HTTP API you can inject the AWS variables com.amazonaws.services.lambda.runtime.Context and
com.amazonaws.services.lambda.runtime.events.APIGatewayV2HTTPEvent. Here is an example:
import javax.ws.rs.core.Context;
import com.amazonaws.services.lambda.runtime.events.APIGatewayV2HTTPEvent;
@Path("/myresource")
public class MyResource {
@GET
public String ctx(@Context com.amazonaws.services.lambda.runtime.Context ctx) { }
@GET
public String event(@Context APIGatewayV2HTTPEvent event) { }
@GET
public String requestContext(@Context APIGatewayV2HTTPEvent.RequestContext req) { }
}For the AWS REST API you can inject the AWS variables com.amazonaws.services.lambda.runtime.Context and
io.quarkus.amazon.lambda.http.model.AwsProxyRequestContext. Here is an example:
import javax.ws.rs.core.Context;
import io.quarkus.amazon.lambda.http.model.AwsProxyRequestContext;
import io.quarkus.amazon.lambda.http.model.AwsProxyRequest;
@Path("/myresource")
public class MyResource {
@GET
public String ctx(@Context com.amazonaws.services.lambda.runtime.Context ctx) { }
@GET
public String reqContext(@Context AwsProxyRequestContext req) { }
@GET
public String req(@Context AwsProxyRequest req) { }
}If you are building native images, and want to use AWS X-Ray Tracing with your lambda
you will need to include quarkus-amazon-lambda-xray as a dependency in your pom. The AWS X-Ray
library is not fully compatible with GraalVM so we had to do some integration work to make this work.
When you invoke an HTTP request on the API Gateway, the Gateway turns that HTTP request into a JSON event document that is forwarded to a Quarkus Lambda. The Quarkus Lambda parses this json and converts in into an internal representation of an HTTP request that can be consumed by any HTTP framework Quarkus supports (JAX-RS, servlet, Vert.x Web).
API Gateway supports many different ways to securely invoke on your HTTP endpoints that are backed by Lambda and Quarkus.
If you enable it, Quarkus will automatically parse relevant parts of the event json document
and look for security based metadata and register a java.security.Principal internally that can be looked up in JAX-RS
by injecting a javax.ws.rs.core.SecurityContext, via HttpServletRequest.getUserPrincipal() in servlet, and RouteContext.user() in Vert.x Web.
If you want more security information, the Principal object can be typecast to
a class that will give you more information.
To enable this security feature, add this to your application.properties file:
quarkus.lambda-http.enable-security=true
Here’s how its mapped:
quarkus-amazon-lambda-http| Auth Type | Principal Class | Json path of Principal Name |
|---|---|---|
Cognito JWT |
|
|
IAM |
|
|
Custom Lambda |
|
|
quarkus-amazon-lambda-rest| Auth Type | Principal Class | Json path of Principal Name |
|---|---|---|
Cognito |
|
|
IAM |
|
|
Custom Lambda |
|
|
The default support for AWS security only maps the principal name to Quarkus security
APIs and does nothing to map claims or roles or permissions. You have can full control
how security metadata in the lambda HTTP event is mapped to Quarkus security APIs using
implementations of the io.quarkus.amazon.lambda.http.LambdaIdentityProvider
interface. By implementing this interface, you can do things like define role mappings for your principal
or publish additional attributes provided by IAM or Cognito or your Custom Lambda security integration.
quarkus-amazon-lambda-httppackage io.quarkus.amazon.lambda.http;
/**
* Helper interface that removes some boilerplate for creating
* an IdentityProvider that processes APIGatewayV2HTTPEvent
*/
public interface LambdaIdentityProvider extends IdentityProvider<LambdaAuthenticationRequest> {
@Override
default public Class<LambdaAuthenticationRequest> getRequestType() {
return LambdaAuthenticationRequest.class;
}
@Override
default Uni<SecurityIdentity> authenticate(LambdaAuthenticationRequest request, AuthenticationRequestContext context) {
APIGatewayV2HTTPEvent event = request.getEvent();
SecurityIdentity identity = authenticate(event);
if (identity == null) {
return Uni.createFrom().optional(Optional.empty());
}
return Uni.createFrom().item(identity);
}
/**
* You must override this method unless you directly override
* IdentityProvider.authenticate
*
* @param event
* @return
*/
default SecurityIdentity authenticate(APIGatewayV2HTTPEvent event) {
throw new IllegalStateException("You must override this method or IdentityProvider.authenticate");
}
}For HTTP, the important method to override is LambdaIdentityProvider.authenticate(APIGatewayV2HTTPEvent event). From this
you will allocate a SecurityIdentity based on how you want to map security data from APIGatewayV2HTTPEvent
quarkus-amazon-lambda-restpackage io.quarkus.amazon.lambda.http;
import java.util.Optional;
import com.amazonaws.services.lambda.runtime.events.APIGatewayV2HTTPEvent;
import io.quarkus.amazon.lambda.http.model.AwsProxyRequest;
import io.quarkus.security.identity.AuthenticationRequestContext;
import io.quarkus.security.identity.IdentityProvider;
import io.quarkus.security.identity.SecurityIdentity;
import io.smallrye.mutiny.Uni;
/**
* Helper interface that removes some boilerplate for creating
* an IdentityProvider that processes APIGatewayV2HTTPEvent
*/
public interface LambdaIdentityProvider extends IdentityProvider<LambdaAuthenticationRequest> {
...
/**
* You must override this method unless you directly override
* IdentityProvider.authenticate
*
* @param event
* @return
*/
default SecurityIdentity authenticate(AwsProxyRequest event) {
throw new IllegalStateException("You must override this method or IdentityProvider.authenticate");
}
}For REST, the important method to override is LambdaIdentityProvider.authenticate(AwsProxyRequest event). From this
you will allocate a SecurityIdentity based on how you want to map security data from AwsProxyRequest.
Your implemented provider must be a CDI bean. Here’s an example:
package org.acme;
import java.security.Principal;
import javax.enterprise.context.ApplicationScoped;
import com.amazonaws.services.lambda.runtime.events.APIGatewayV2HTTPEvent;
import io.quarkus.amazon.lambda.http.LambdaIdentityProvider;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.runtime.QuarkusPrincipal;
import io.quarkus.security.runtime.QuarkusSecurityIdentity;
@ApplicationScoped
public class CustomSecurityProvider implements LambdaIdentityProvider {
@Override
public SecurityIdentity authenticate(APIGatewayV2HTTPEvent event) {
if (event.getHeaders() == null || !event.getHeaders().containsKey("x-user"))
return null;
Principal principal = new QuarkusPrincipal(event.getHeaders().get("x-user"));
QuarkusSecurityIdentity.Builder builder = QuarkusSecurityIdentity.builder();
builder.setPrincipal(principal);
return builder.build();
}
}Here’s the same example, but with the AWS Gateway REST API:
package org.acme;
import java.security.Principal;
import javax.enterprise.context.ApplicationScoped;
import io.quarkus.amazon.lambda.http.model.AwsProxyRequest;
import io.quarkus.amazon.lambda.http.LambdaIdentityProvider;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.runtime.QuarkusPrincipal;
import io.quarkus.security.runtime.QuarkusSecurityIdentity;
@ApplicationScoped
public class CustomSecurityProvider implements LambdaIdentityProvider {
@Override
public SecurityIdentity authenticate(AwsProxyRequest event) {
if (event.getMultiValueHeaders() == null || !event.getMultiValueHeaders().containsKey("x-user"))
return null;
Principal principal = new QuarkusPrincipal(event.getMultiValueHeaders().getFirst("x-user"));
QuarkusSecurityIdentity.Builder builder = QuarkusSecurityIdentity.builder();
builder.setPrincipal(principal);
return builder.build();
}
}Quarkus should automatically discover this implementation and use it instead of the default implementation discussed earlier.