Deploy a Rust programming language serverless Function-as-a-Service (FaaS)
Uses Amazon Web Services (AWS) Lambda, AWS CloudFormation (CFn), and Cargo Lambda
Install the AWS Command-Line Interface (CLI)
Install the AWS Serverless Application Model (SAM) CLI
Cargo Lambda Installation scoop bucket add cargo-lambda https://github.com/cargo-lambda/scoop-cargo-lambda
scoop install cargo-lambda/cargo-lambda
Start a Lambda server on your localhost
cd cargo-lambda-prototype/
cargo lambda watch
Test the Lambda function using your browser
Open a new command-line terminal
Invoke the Lambda function from the command line using example input data
Note the DEBUG output showing the location of the cached example input file
cargo lambda -v invoke \
--data-example apigw-request cargo-lambda-prototype \
--output-format json
Edit the cached example input file to change the name
Look for the name property under multiValueQueryStringParameters
Run the cargo lambda invoke command again
The output should show the changed name
You must build your Lambda before you can deploy it
cargo lambda build --release
Deploy Using Cargo Lambda
Activate your AWS access key via the AWS Console
Deploy the Lambda to the cloud
This will automatically generate a role for you
Note the generated URL
cargo lambda deploy --enable-function-url
Test
Example URL: https://[abc123].lambda-url.[region].on.aws/?name=World
Undeploy Using Cargo Lambda
It appears that Cargo Lambda does not currently have an undeploy option
So you will need to undeploy using the AWS CLI
Get the Lambda function details
You will need the name of the role for the Lambda function in a later step
This was the role that was automatically created for you when you deployed
aws lambda get-function --function-name cargo-lambda-prototype
Delete the Lambda function
aws lambda delete-function --function-name cargo-lambda-prototype
List the policies attached to the role
Note the ARN for the policy
aws iam list-attached-role-policies --role-name cargo-lambda-role-[UUID]
Detach the managed policy from the role
You cannot delete the role until you detach the policy
aws iam detach-role-policy \
--role-name cargo-lambda-role-[UUID] \
--policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
aws iam delete-role --role-name cargo-lambda-role-[UUID]
Optional: Delete your CloudWatch log group
Deactivate your AWS access key via the AWS Console
Deploy Using a CloudFormation Template for the Role
Activate your AWS access key via the AWS Console
Validate the CloudFormation (CFn) template file
Note that the file is named template-role.yaml instead of template.yaml
aws cloudformation validate-template --template-body file://template-role.yaml
Create a CloudFormation (CFn) stack that defines a Lambda execution role
aws cloudformation create-stack \
--capabilities CAPABILITY_NAMED_IAM \
--stack-name cargo-lambda-prototype \
--template-body file://template-role.yaml
Get the Amazon Resource Name (ARN) for the created role
You might have to wait a bit until the stack has been created
aws iam get-role --role-name cargo-lambda-prototype
cargo lambda deploy --enable-function-url --iam-role [ROLE-ARN]
Undeploy Using a CloudFormation Template for the Role
Delete the Lambda function
aws lambda delete-function --function-name cargo-lambda-prototype
Wait a bit for the Lambda function to be deleted
Delete the CFn stack with the Lambda execution role
aws cloudformation delete-stack --stack-name cargo-lambda-prototype
Optional: Delete your CloudWatch log group
Deactivate your AWS access key via the AWS Console
Activate your AWS access key via the AWS Console
Validate the CloudFormation (CFn) template file
This is a different template file than the one used in a previous section
aws cloudformation validate-template --template-body file://template.yaml
Deploy the Lambda
When prompted for the stack name, cargo-lambda-prototype is a valid input
Whatever you choose for the stack name gets used in the resource names
Note the output URL
Test by using the output URL
Undeploy Using the SAM CLI
Delete the CFn stack for the Lambda function
Optional: Delete the CFn stack for the SAM S3 bucket
The stack and S3 bucket might have been created during the guided deploy
You cannot delete the stack until you have deleted the S3 bucket
It is easiest to delete the S3 bucket from the AWS Console
Because you have to empty it before you can delete it
Including versioned objects
The S3 bucket will have a name like the following with a random suffix
aws-sam-cli-managed-default-samclisourcebucket-[random]
aws cloudformation delete-stack --stack-name aws-sam-cli-managed-default
Deactivate your AWS access key via the AWS Console
Deploy Using Authentication
This example uses OpenID Connect (OIDC) on top of OAuth 2.0
Validate the CloudFormation (CFn) template file
This is a different template file than the one used in a previous section
aws cloudformation validate-template --template-body file://template-auth.yaml
Deploy the Lambda
Note the outputs CargoLambdaHttpApiUrl and CargoLambdaSignupUrl
sam deploy -t template-auth.yaml --guided
Test by using the output URL
In your browser or from the command line
You should get "Unauthorized" as the response
Example
curl https://a1b2c3.execute-api.us-east-1.amazonaws.com/?name=World
Open your browser
Open the browser developer console (F12) and start monitoring Network
Randomly generate a PKCE code verifier value and compute the code challenge
Proof Key for Code Exchange (PKCE)
The code challenge is computed by hashing and encoding the code verifier
There are online applications which will generate these values for you
https://tonyxu-io.github.io/pkce-generator/
Enter the CargoLambdaSignupUrl in your browser
This was one of the outputs of the CFn template
Replace the placeholder code_challenge value parameter value
Click on "Sign up" to create a new user account
Log in with the new user account
Note in the developer console Network monitoring the 302 redirect location
There should be a code parameter with a UUID value
Exchange the code for tokens
Replace the client_id, code, and code_verifier values
curl --location --request POST \
https://a1b2c3-d4e5f6.auth.us-east-1.amazoncognito.com/oauth2/token \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=d4e5f6' \
--data-urlencode 'code=g7h8i9' \
--data-urlencode 'code_verifier=X1-y2_Z3' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'scope=openid' \
--data-urlencode 'redirect_uri=http://localhost:8080'
Extract the access_token from the response
It might be between the id_token and the refresh_token
Use the access_token to get the user information
curl -X GET \
https://a1b2c3-d4e5f6.auth.us-east-1.amazoncognito.com/oauth2/userInfo \
-H 'Authorization: Bearer <access_token>'
Use the access_token to access the Lambda function
You will not get "Unauthorized" this time
curl -X GET \
https://a1b2c3.execute-api.us-east-1.amazonaws.com/ \
-H 'Authorization: Bearer <access_token>'
You can also use the id_token to access the Lambda function
curl -X GET \
https://a1b2c3.execute-api.us-east-1.amazonaws.com/ \
-H 'Authorization: Bearer <id_token>'
Undeploy Using Authentication
Delete the CFn stack for the Lambda function
Deactivate your AWS access key via the AWS Console
Cargo Lambda
Jinlian (Sunny) Wang, "User authentication through authorization code grant
type using AWS Cognito with sample projects", 2021
Efi Merdler-Kravitz, "'Rustifying' serverless: Boost AWS Lambda peformance
with Rust", 2023
productioncoder, "OAuth Proof Key for Code Exchange explained", 2021
Create lambda_http
Initial release: 2023-12-01
