This is the newAWS CloudFormation Template Reference Guide. Please update your bookmarks and links. For help getting started with CloudFormation, see theAWS CloudFormation User Guide.
AWS::Lambda::Function
TheAWS::Lambda::Function resource creates a Lambda function. To create a function, you need adeployment package and anexecution role. The deployment package is a .zip file archive or container image that contains your function code. The execution role grants the function permission to use AWS services, such as Amazon CloudWatch Logs for log streaming and AWS X-Ray for request tracing.
You set the package type toImage if the deployment package is acontainer image. For these functions, include the URI of the container image in the Amazon ECR registry in theImageUri property of theCode property. You do not need to specify the handler and runtime properties.
You set the package type toZip if the deployment package is a.zip file archive. For these functions, specify the Amazon S3 location of your .zip file in theCode property. Alternatively, for Node.js and Python functions, you can define your function inline in theZipFile property of theCode property. In both cases, you must also specify the handler and runtime properties.
You can usecode signing if your deployment package is a .zip file archive. To enable code signing for this function, specify the ARN of a code-signing configuration. When a user attempts to deploy a code package withUpdateFunctionCode, Lambda checks that the code package has a valid signature from a trusted publisher. The code-signing configuration includes a set of signing profiles, which define the trusted publishers for this function.
When you update aAWS::Lambda::Function resource, CloudFormation calls theUpdateFunctionConfiguration andUpdateFunctionCodeLambda APIs under the hood. Because these calls happen sequentially, and invocations can happen between these calls, your function may encounter errors in the time between the calls. For example, if you remove an environment variable, and the code that references that environment variable in the same CloudFormation update, you may see invocation errors related to a missing environment variable. To work around this, you can invoke your function against a version or alias by default, rather than the$LATEST version.
Note that you configure provisioned concurrency on aAWS::Lambda::Version or aAWS::Lambda::Alias.
For a complete introduction to Lambda functions, seeWhat is Lambda? in theLambda developer guide.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::Lambda::Function", "Properties" :{ "Architectures" :[ String, ... ], "Code" :Code, "CodeSigningConfigArn" :String, "DeadLetterConfig" :DeadLetterConfig, "Description" :String, "Environment" :Environment, "EphemeralStorage" :EphemeralStorage, "FileSystemConfigs" :[FileSystemConfig, ... ], "FunctionName" :String, "Handler" :String, "ImageConfig" :ImageConfig, "KmsKeyArn" :String, "Layers" :[ String, ... ], "LoggingConfig" :LoggingConfig, "MemorySize" :Integer, "PackageType" :String, "RecursiveLoop" :String, "ReservedConcurrentExecutions" :Integer, "Role" :String, "Runtime" :String, "RuntimeManagementConfig" :RuntimeManagementConfig, "SnapStart" :SnapStart, "Tags" :[Tag, ... ], "Timeout" :Integer, "TracingConfig" :TracingConfig, "VpcConfig" :VpcConfig }}YAML
Type: AWS::Lambda::FunctionProperties:Architectures: - StringCode:CodeCodeSigningConfigArn:StringDeadLetterConfig:DeadLetterConfigDescription:StringEnvironment:EnvironmentEphemeralStorage:EphemeralStorageFileSystemConfigs: -FileSystemConfigFunctionName:StringHandler:StringImageConfig:ImageConfigKmsKeyArn:StringLayers: - StringLoggingConfig:LoggingConfigMemorySize:IntegerPackageType:StringRecursiveLoop:StringReservedConcurrentExecutions:IntegerRole:StringRuntime:StringRuntimeManagementConfig:RuntimeManagementConfigSnapStart:SnapStartTags: -TagTimeout:IntegerTracingConfig:TracingConfigVpcConfig:VpcConfigProperties
ArchitecturesThe instruction set architecture that the function supports. Enter a string array with one of the valid values (arm64 or x86_64). The default value is
x86_64.Required: No
Type: Array of String
Allowed values:
x86_64 | arm64Minimum:
1Maximum:
1Update requires:No interruption
CodeThe code for the function. You can define your function code in multiple ways:
For .zip deployment packages, you can specify the Amazon S3 location of the .zip file in the
S3Bucket,S3Key, andS3ObjectVersionproperties.For .zip deployment packages, you can alternatively define the function code inline in the
ZipFileproperty. This method works only for Node.js and Python functions.For container images, specify the URI of your container image in the Amazon ECR registry in the
ImageUriproperty.
Required: Yes
Type:Code
Update requires:No interruption
CodeSigningConfigArnTo enable code signing for this function, specify the ARN of a code-signing configuration. A code-signing configurationincludes a set of signing profiles, which define the trusted publishers for this function.
Required: No
Type: String
Pattern:
arn:(aws[a-zA-Z-]*)?:lambda:[a-z]{2}((-gov)|(-iso([a-z]?)))?-[a-z]+-\d{1}:\d{12}:code-signing-config:csc-[a-z0-9]{17}Update requires:No interruption
DeadLetterConfigA dead-letter queue configuration that specifies the queue or topic where Lambda sends asynchronous events when they fail processing. For more information, seeDead-letter queues.
Required: No
Type:DeadLetterConfig
Update requires:No interruption
DescriptionA description of the function.
Required: No
Type: String
Maximum:
256Update requires:No interruption
EnvironmentEnvironment variables that are accessible from function code during execution.
Required: No
Type:Environment
Update requires:No interruption
EphemeralStorageThe size of the function's
/tmpdirectory in MB. The default value is 512, but it can be any whole number between 512 and 10,240 MB.Required: No
Type:EphemeralStorage
Update requires:No interruption
FileSystemConfigsConnection settings for an Amazon EFS file system. To connect a function to a file system, a mount target must be available in every Availability Zone that your function connects to. If your template contains anAWS::EFS::MountTarget resource, you must also specify a
DependsOnattribute to ensure that the mount target is created or updated before the function.For more information about using the
DependsOnattribute, seeDependsOn Attribute.Required: No
Type: Array ofFileSystemConfig
Maximum:
1Update requires:No interruption
FunctionNameThe name of the Lambda function, up to 64 characters in length. If you don't specify a name, AWS CloudFormation generates one.
If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.
Required: No
Type: String
Minimum:
1Update requires:Replacement
HandlerThe name of the method within your code that Lambda calls to run your function. Handler is required if the deployment package is a .zip file archive. The format includes the file name. It can also include namespaces and other qualifiers, depending on the runtime. For more information, seeLambda programming model.
Required: No
Type: String
Pattern:
^[^\s]+$Maximum:
128Update requires:No interruption
ImageConfigConfiguration values that override the container image Dockerfile settings. For more information, seeContainer image settings.
Required: No
Type:ImageConfig
Update requires:No interruption
KmsKeyArnThe ARN of the AWS Key Management Service (AWS KMS) customer managed key that's used to encrypt the following resources:
The function'senvironment variables.
The function'sLambda SnapStart snapshots.
When used with
SourceKMSKeyArn, the unzipped version of the .zip deployment package that's used for function invocations. For more information, see Specifying a customer managed key for Lambda.The optimized version of the container image that's used for function invocations. Note that this is not the same key that's used to protect your container image in the Amazon Elastic Container Registry (Amazon ECR). For more information, seeFunction lifecycle.
If you don't provide a customer managed key, Lambda uses anAWS owned key or anAWS managed key.
Required: No
Type: String
Pattern:
^(arn:(aws[a-zA-Z-]*)?:[a-z0-9-.]+:.*)|()$Update requires:No interruption
LayersA list offunction layers to add to the function's execution environment. Specify each layer by its ARN, including the version.
Required: No
Type: Array of String
Update requires:No interruption
LoggingConfigThe function's Amazon CloudWatch Logs configuration settings.
Required: No
Type:LoggingConfig
Update requires:No interruption
MemorySizeThe amount ofmemory available to the function at runtime. Increasing the function memory also increases its CPU allocation. The default value is 128 MB. The value can be any multiple of 1 MB. Note that new AWS accounts have reduced concurrency and memory quotas. AWS raises these quotas automatically based on your usage. You can also request a quota increase.
Required: No
Type: Integer
Minimum:
128Maximum:
10240Update requires:No interruption
PackageTypeThe type of deployment package. Set to
Imagefor container image and setZipfor .zip file archive.Required: No
Type: String
Allowed values:
Image | ZipUpdate requires:Replacement
RecursiveLoopThe status of your function's recursive loop detection configuration.
When this value is set to
Allowand Lambda detects your function being invoked as part of a recursive loop, it doesn't take any action.When this value is set to
Terminateand Lambda detects your function being invoked as part of a recursive loop, it stops your function being invoked and notifies you.Required: No
Type: String
Allowed values:
Allow | TerminateUpdate requires:No interruption
ReservedConcurrentExecutionsThe number of simultaneous executions to reserve for the function.
Required: No
Type: Integer
Minimum:
0Update requires:No interruption
RoleThe Amazon Resource Name (ARN) of the function's execution role.
Required: Yes
Type: String
Pattern:
^arn:(aws[a-zA-Z-]*)?:iam::\d{12}:role/?[a-zA-Z_0-9+=,.@\-_/]+$Update requires:No interruption
RuntimeThe identifier of the function's runtime. Runtime is required if the deployment package is a .zip file archive. Specifying a runtime results in an error if you're deploying a function using a container image.
The following list includes deprecated runtimes. Lambda blocks creating new functions and updating existing functions shortly after each runtime is deprecated. For more information, seeRuntime use after deprecation.
For a list of all currently supported runtimes, seeSupported runtimes.
Required: No
Type: String
Allowed values:
nodejs | nodejs4.3 | nodejs6.10 | nodejs8.10 | nodejs10.x | nodejs12.x | nodejs14.x | nodejs16.x | java8 | java8.al2 | java11 | python2.7 | python3.6 | python3.7 | python3.8 | python3.9 | dotnetcore1.0 | dotnetcore2.0 | dotnetcore2.1 | dotnetcore3.1 | dotnet6 | dotnet8 | nodejs4.3-edge | go1.x | ruby2.5 | ruby2.7 | provided | provided.al2 | nodejs18.x | python3.10 | java17 | ruby3.2 | ruby3.3 | ruby3.4 | python3.11 | nodejs20.x | provided.al2023 | python3.12 | java21 | python3.13 | nodejs22.xUpdate requires:No interruption
RuntimeManagementConfigSets the runtime management configuration for a function's version. For more information, seeRuntime updates.
Required: No
Update requires:No interruption
SnapStartThe function'sAWS Lambda SnapStart setting.
Required: No
Type:SnapStart
Update requires:No interruption
TagsA list oftags to apply to the function.
You must have the
lambda:TagResource,lambda:UntagResource, andlambda:ListTagspermissions for yourIAM principal to manage the AWS CloudFormation stack. If you don't have these permissions, there might be unexpected behavior with stack-level tags propagating to the resource during resource creation and update.Required: No
Type: Array ofTag
Update requires:No interruption
TimeoutThe amount of time (in seconds) that Lambda allows a function to run before stopping it. The default is 3 seconds. The maximum allowed value is 900 seconds. For more information, seeLambda execution environment.
Required: No
Type: Integer
Minimum:
1Update requires:No interruption
TracingConfigSet
ModetoActiveto sample and trace a subset of incoming requests withX-Ray.Required: No
Type:TracingConfig
Update requires:No interruption
VpcConfigFor network connectivity to AWS resources in a VPC, specify a list of security groups and subnets in the VPC. When you connect a function to a VPC, it can access resources and the internet only through that VPC. For more information, seeConfiguring a Lambda function to access resources in a VPC.
Required: No
Type:VpcConfig
Update requires:No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsicRef function,Ref returns the resource name.
For more information about using theRef function, seeRef.
Fn::GetAtt
TheFn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using theFn::GetAtt intrinsic function, seeFn::GetAtt.
ArnThe Amazon Resource Name (ARN) of the function.
SnapStartResponse.ApplyOnProperty description not available.
SnapStartResponse.OptimizationStatusProperty description not available.
Examples
Function
Create a Node.js function.
JSON
"AMIIDLookup":{ "Type": "AWS::Lambda::Function", "Properties":{ "Handler": "index.handler", "Role":{ "Fn::GetAtt": [ "LambdaExecutionRole", "Arn" ] }, "Code":{ "S3Bucket": "amzn-s3-demo-bucket", "S3Key": "amilookup.zip" }, "Runtime": "nodejs20.x", "Timeout": 25, "TracingConfig":{ "Mode": "Active" } }}Inline Function
Inline Node.js function that lists Amazon S3 buckets in us-east-1. Before using this example, make sure that your execution role has Amazon S3 read permissions.
YAML
AWSTemplateFormatVersion: '2010-09-09'Description: Lambda function ListBucketsCommand.Resources: primer: Type: AWS::Lambda::Function Properties: Runtime: nodejs20.x Role: arn:aws:iam::111122223333:role/lambda-role Handler: index.handler Code: ZipFile: | const{ S3Client, ListBucketsCommand } = require("@aws-sdk/client-s3"); const s3 = new S3Client({ region: "us-east-1" }); // replace "us-east-1" with your AWS Region exports.handler = async function(event){ const command = new ListBucketsCommand({}); const response = await s3.send(command); return response.Buckets; }; Description: List Amazon S3 buckets in us-east-1. TracingConfig: Mode: ActiveVPC Function
Function connected to a VPC.
YAML
AWSTemplateFormatVersion: '2010-09-09'Description: VPC function.Resources: Function: Type: AWS::Lambda::Function Properties: Handler: index.handler Role: arn:aws:iam::111122223333:role/lambda-role Code: S3Bucket: amzn-s3-demo-bucket S3Key: function.zip Runtime: nodejs20.x Timeout: 5 TracingConfig: Mode: Active VpcConfig: SecurityGroupIds: - sg-085912345678492fb SubnetIds: - subnet-071f712345678e7c8 - subnet-07fd123456788a036