open-consul/website/content/docs/lambda/registration/index.mdx

---
layout: docs
page_title: Lambda Function Registration Requirements
description: >-
  This topic provides an overview of how to register AWS Lambda functions with Consul service mesh and describes the requirements and prerequisites for registering Lambda functions with Consul.
---
# Lambda Function Registration Requirements

Verify that your network meets the requirements and that you have completed the prerequisites before registering Lambda functions.

## Introduction

You can either manually register AWS Lambda functions with Consul or use the Lambda registrator to automatically synchronize Lambda state into Consul. We recommend using the Lambda registrator when possible so that you can keep the configuration entry up to date. The registrator automatically registers, reconfigures, and deregisters Lambdas based on the Lambda function's tags. 

## Requirements

Consul 1.12.1 and later

## Prerequisites

Complete the following prerequisites prior to registering your Lambda functions. You only need to perform these steps once.

### Enable the Serverless Plugin

Add the following configuration to all Consul clients:

`connect { enable_serverless_plugin = true, connect = true }`

Refer to the [`enable_serverless_plugin`](/docs/agent/config/config-files#connect_enable_serverless_plugin) configuration documentation for additional information.

### Configure IAM Permissions for Envoy

The Envoy proxy that invokes Lambda must have the `lambda:InvokeFunction` AWS IAM
permissions. In the following example, the IAM policy
enables an IAM user or role to invoke the `example` Lambda function:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Invoke",
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction"
            ],
            "Resource": "arn:aws:lambda:us-east-1:123456789012:function:example"
        }
    ]
}
```

Define AWS IAM credentials in environment variables, EC2 metadata or
ECS metadata. On [AWS EKS](https://aws.amazon.com/eks/), associate an IAM role with the proxy's `ServiceAccount`. Refer to the [AWS IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) documentation for instructions.

### Optional: Set up a Terminating Gateway

If you intend to invoke Lambda services through a terminating gateway, the gateway must be registered and running in the Consul datacenter. Refer to the following documentation and tutorials for instructions on how to set up a terminating gateway:

- [Terminating gateways documentation](/docs/connect/gateways#terminating-gateways)
- [Terminating gateways on Kubernetes documentation](/docs/k8s/connect/terminating-gateways)
- [Connect External Services to Consul With Terminating Gateways tutorial](https://learn.hashicorp.com/tutorials/consul/teminating-gateways-connect-external-services)

To register a Lambda service with a terminating gateway, add the service to the
`Services` field of the terminating gateway's `terminating-gateway`
configuration entry.

### Optional: Run a Mesh Gateway

You can set up a mesh gateway so that you can invoke Lambda services across datacenters and admin partitions. The mesh gateway must be running and registered in the relevant Consul datacenters and partitions. Refer to the following documentation and tutorials for instructions on how to set up mesh gateways:

- [Mesh gateway documentation](/docs/connect/gateways#mesh-gateways)
- [Connect Services Across Datacenters with Mesh Gateways tutorial](https://learn.hashicorp.com/tutorials/consul/service-mesh-gateways)
- [Secure Service Mesh Communication Across Kubernetes Clusters tutorial](https://learn.hashicorp.com/tutorials/consul/kubernetes-mesh-gateways?utm_source=docs?in=consul/kubernetes)

When using admin partitions, you must add Lambda services to the `Services`
field of [the `exported-services` configuration
entry](/docs/connect/config-entries/exported-services).