Lambda — Attach
Overview
This page creates a simple Python Lambda function, configures it to run inside the VPC, and mounts the S3 file system at /mnt/s3files through the access point created in the previous step.
Confirm base exports and resolve the Lambda role ARN.

```bash
export AWS_REGION=ap-southeast-6
export ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
export VPC_ID=vpc-0123456789abcdef0   # ← replace with your VPC ID
export FUNCTION_NAME=s3files-demo

# Resolve the Lambda role ARN by name
export LAMBDA_ROLE_ARN=$(aws iam get-role \
  --role-name s3files-compute-role-lambda \
  --query 'Role.Arn' \
  --output text)
echo "LAMBDA_ROLE_ARN=$LAMBDA_ROLE_ARN"
```
Resolve the compute security group and choose a subnet.
The Lambda function must be in the same VPC as the mount targets. Use the compute security group from Security Groups, which already has the NFS (TCP 2049) egress rule to the mount target security group.

```bash
export COMPUTE_SG_ID=$(aws ec2 describe-security-groups \
  --filters \
    "Name=group-name,Values=s3files-lambda-compute-sg" \
    "Name=vpc-id,Values=$VPC_ID" \
  --region "$AWS_REGION" \
  --query 'SecurityGroups[0].GroupId' \
  --output text)
echo "COMPUTE_SG_ID=$COMPUTE_SG_ID"

export LAMBDA_SUBNET_ID=subnet-0123456789abcdef0   # ← subnet in the same AZ as a mount target
echo "LAMBDA_SUBNET_ID=$LAMBDA_SUBNET_ID"
```

If COMPUTE_SG_ID prints as `None`, the group was not found in that VPC; check the group name and VPC_ID before continuing. Pick a subnet whose Availability Zone has a mount target: a function placed in an AZ without one cannot reach the file system.
Attach AWSLambdaVPCAccessExecutionRole to the Lambda role.
This AWS managed policy grants the EC2 network-interface permissions (create, describe, delete) that Lambda needs to place the function's ENI in the VPC, plus CloudWatch Logs write permissions. It grants nothing on the file system itself.

```bash
aws iam attach-role-policy \
  --role-name s3files-compute-role-lambda \
  --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
```
Package the Lambda function code.
Create a simple Python handler that lists the mounted file system:

```bash
mkdir -p /tmp/lambda-s3files
cat > /tmp/lambda-s3files/index.py <<'EOF'
import os


def handler(event, context):
    # Must match LocalMountPath in the function's file system config.
    path = '/mnt/s3files'
    try:
        entries = os.listdir(path)
        print(f"Contents of {path}: {entries}")
        return {'statusCode': 200, 'body': str(entries)}
    except Exception as e:
        # A missing mount or a permission problem surfaces here as a 500.
        return {'statusCode': 500, 'body': str(e)}
EOF
cd /tmp/lambda-s3files && zip lambda.zip index.py
```
Create the Lambda function with VPC configuration.

```bash
aws lambda create-function \
  --function-name "$FUNCTION_NAME" \
  --runtime python3.12 \
  --role "$LAMBDA_ROLE_ARN" \
  --handler index.handler \
  --zip-file fileb:///tmp/lambda-s3files/lambda.zip \
  --timeout 30 \
  --vpc-config "SubnetIds=${LAMBDA_SUBNET_ID},SecurityGroupIds=${COMPUTE_SG_ID}" \
  --region "$AWS_REGION"
```

IAM policy changes take a few seconds to propagate. If this call fails with an error that the execution role cannot call CreateNetworkInterface, wait briefly and retry. The function only talks to the mount target inside the VPC, so the subnet needs no NAT gateway or internet route for this page.

Wait for the function to become active:

```bash
aws lambda wait function-active \
  --function-name "$FUNCTION_NAME" \
  --region "$AWS_REGION"
echo "Function active"
```
Attach the access point (file system config).
If AP_ARN is not still set in your shell, resolve it:

```bash
export BUCKET=my-s3-files-bucket   # ← replace with your real bucket name
export BUCKET_ARN=arn:aws:s3:::${BUCKET}
export FS_ID=$(aws s3files list-file-systems \
  --region "$AWS_REGION" \
  --bucket "$BUCKET_ARN" \
  --query 'fileSystems[0].fileSystemId' \
  --output text)
export AP_ARN=$(aws s3files list-access-points \
  --file-system-id "$FS_ID" \
  --region "$AWS_REGION" \
  --query 'accessPoints[0].accessPointArn' \
  --output text)
echo "AP_ARN=$AP_ARN"
```

Update the function with the file system config. Lambda requires the local mount path to start with /mnt/:

```bash
aws lambda update-function-configuration \
  --function-name "$FUNCTION_NAME" \
  --file-system-configs "Arn=${AP_ARN},LocalMountPath=/mnt/s3files" \
  --region "$AWS_REGION"
aws lambda wait function-updated \
  --function-name "$FUNCTION_NAME" \
  --region "$AWS_REGION"
echo "File system config attached"
```
Verify the function configuration.

```bash
aws lambda get-function-configuration \
  --function-name "$FUNCTION_NAME" \
  --region "$AWS_REGION" \
  --query '{State:State,VpcId:VpcConfig.VpcId,FileSystem:FileSystemConfigs[0].Arn}' \
  --output table
```

State must be Active, VpcId must equal your VPC_ID, and FileSystem must show the access point ARN.
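The steps above rely on several invariants that the table output does not check on its own: the function uses the compute security group, that group has TCP/2049 egress to the mount target group, the chosen subnet's AZ has a mount target, the mount path is under /mnt/, and the execution role carries AWSLambdaVPCAccessExecutionRole. The following added example (not code from this page or from AWS) encodes those checks as plain functions and runs them over constructed JSON shaped like the output of `aws lambda get-function-configuration`, `aws ec2 describe-security-groups`, `aws ec2 describe-subnets` and `aws iam list-attached-role-policies`. The resource IDs, the access point ARN format and the set of mount-target AZs are placeholders; feed in real CLI output to use it against your account.

```python
"""Offline checks for the Lambda <-> S3 file system attachment.

Added example, not the page's or AWS's code. Evaluates the constraints the
page's steps depend on over CONSTRUCTED API-shaped responses.
"""

NFS_PORT = 2049
VPC_POLICY_ARN = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"


def sg_allows_nfs_egress(sg: dict, mount_target_sg_id: str) -> bool:
    """True if `sg` has an egress rule reaching TCP/2049 on `mount_target_sg_id`.

    Follows the describe-security-groups shape: IpProtocol "-1" means all
    traffic and carries no FromPort/ToPort; a TCP rule must span port 2049.
    """
    for rule in sg.get("IpPermissionsEgress", []):
        proto = rule.get("IpProtocol")
        if proto == "tcp":
            if not rule.get("FromPort", 0) <= NFS_PORT <= rule.get("ToPort", 65535):
                continue
        elif proto != "-1":
            continue
        if any(p.get("GroupId") == mount_target_sg_id for p in rule.get("UserIdGroupPairs", [])):
            return True
    return False


def check_attachment(fn_config: dict, subnet_azs: dict, mount_target_azs: set,
                     compute_sg: dict, mount_target_sg_id: str, ap_arn: str,
                     attached_policy_arns: list) -> list:
    """Return a list of findings; an empty list means the attachment matches the page."""
    problems = []
    if fn_config.get("State") != "Active":
        problems.append(f"State is {fn_config.get('State')!r}, expected 'Active'")

    vpc = fn_config.get("VpcConfig") or {}
    if compute_sg["GroupId"] not in vpc.get("SecurityGroupIds", []):
        problems.append("function does not use the compute security group")
    if not sg_allows_nfs_egress(compute_sg, mount_target_sg_id):
        problems.append("compute SG has no TCP/2049 egress rule to the mount target SG")
    for subnet_id in vpc.get("SubnetIds", []):
        az = subnet_azs.get(subnet_id)
        if az not in mount_target_azs:
            problems.append(f"subnet {subnet_id} is in {az}, which has no mount target")

    fs_configs = fn_config.get("FileSystemConfigs") or []
    if not fs_configs:
        problems.append("no FileSystemConfigs attached")
    for fs in fs_configs:
        if fs.get("Arn") != ap_arn:
            problems.append(f"file system config uses {fs.get('Arn')!r}, not the access point")
        if not str(fs.get("LocalMountPath", "")).startswith("/mnt/"):
            problems.append(f"LocalMountPath {fs.get('LocalMountPath')!r} must start with /mnt/")

    if VPC_POLICY_ARN not in attached_policy_arns:
        problems.append("execution role lacks AWSLambdaVPCAccessExecutionRole")
    return problems


# --- constructed sample data; IDs and the ARN format are placeholders ---
AP_ARN = "arn:aws:s3files:ap-southeast-6:123456789012:access-point/ap-0123456789abcdef0"
MOUNT_TARGET_SG = "sg-0mount0000000000001"
COMPUTE_SG = {
    "GroupId": "sg-0compute00000000001",
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": NFS_PORT, "ToPort": NFS_PORT,
         "UserIdGroupPairs": [{"GroupId": MOUNT_TARGET_SG}]},
    ],
}
SUBNET_AZS = {"subnet-0123456789abcdef0": "ap-southeast-6a",
              "subnet-0fedcba9876543210": "ap-southeast-6c"}
MOUNT_TARGET_AZS = {"ap-southeast-6a", "ap-southeast-6b"}   # assumed mount target placement
ROLE_POLICIES = [VPC_POLICY_ARN]

GOOD_FN = {
    "FunctionName": "s3files-demo", "State": "Active",
    "VpcConfig": {"SubnetIds": ["subnet-0123456789abcdef0"],
                  "SecurityGroupIds": [COMPUTE_SG["GroupId"]],
                  "VpcId": "vpc-0123456789abcdef0"},
    "FileSystemConfigs": [{"Arn": AP_ARN, "LocalMountPath": "/mnt/s3files"}],
}
# Same function, but placed in an AZ without a mount target and with a bad path.
BAD_FN = {
    **GOOD_FN,
    "VpcConfig": {**GOOD_FN["VpcConfig"], "SubnetIds": ["subnet-0fedcba9876543210"]},
    "FileSystemConfigs": [{"Arn": AP_ARN, "LocalMountPath": "/tmp/s3files"}],
}


def demo() -> tuple:
    """Run the checks over the good and the misconfigured sample; returns both finding lists."""
    args = (SUBNET_AZS, MOUNT_TARGET_AZS, COMPUTE_SG, MOUNT_TARGET_SG, AP_ARN, ROLE_POLICIES)
    return check_attachment(GOOD_FN, *args), check_attachment(BAD_FN, *args)


if __name__ == "__main__":
    for label, findings in zip(("good", "bad"), demo()):
        print(label, findings or "OK")
```

The egress check deliberately accepts an all-traffic (`-1`) rule as well as a port-2049 rule, because both let NFS through; if you want to enforce the tighter rule the page's Security Groups step created, drop the `-1` branch so an overly broad group is reported as a finding.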
Next step
Continue to Verify to invoke the function and confirm the file system is accessible.