Hello World Lambda Application

This application represents one of the simplest operations frequently performed in Lambda functions: making an HTTP request to a third party.

No other operations will be permitted such as reading from the filesystem (other than require() statements, of course) or executing child processes. We won't even be able to make requests which do not match the URL patterns as described in our policies.

Code for handler.js

This file is the entry point to our Lambda handler and is an unmodified application; that is to say, there is no Intrinsic-specific code or changes made to the application code:

const http = require('http');

exports.helloworld = (event, context, callback) => {
  http.get('http://www.intrinsic.com', res => {
    res.on('error', callback);
    const received = [];

    res.on('data', data => {

    res.once('end', () => {
      callback(null, {
        len: Buffer.concat(received).length

This handler would normally be called by AWS using the name handler.helloworld. Once invoked it makes a GET request to www.intrinsic.com. Once the handler is complete, the size of the outbound request is provided in the response.

Code for intrinsic.js

This file will load the Intrinsic for Lambda module, define our different policies, and expose a Lambda handler of its own. Ultimately this handler will end up calling the handler used by the real application. The Lambda handler with Intrinsic enabled is intrinsic.helloworld.

In the case of our sample application we only want to create a single policy, which whitelists GET requests made to http://www.intrinsic.com. (For more information on these types of policies, be sure to check out the section on HTTP Policies.)

const IntrinsicLambda = require('@intrinsic/lambda');

module.exports = new IntrinsicLambda()
  .configurePolicies(policy => {

Toggling Intrinsic without Deploying

The AWS CLI utility is quite powerful. One of the features offered by its lambda subcommand is the ability to reconfigure functions at runtime, without the need to update code or deploy a new zip file.

Assuming you are following the above pattern where we have two files, the first being handler.js and the second being intrinsic.js, we can use the CLI to enable and disable Intrinsic for Lambda.

Enable Intrinsic

This call will enable Intrinsic for Lambda:

aws lambda update-function-configuration \
  --function-name MyFunctionName \
  --handler intrinsic.helloworld

Future calls to the handler will pass through the protected Intrinsic handler.

Disable Intrinsic

This call will disable Intrinsic for Lambda:

aws lambda update-function-configuration \
  --function-name MyFunctionName \
  --handler handler.helloworld

Future calls to the handler will go directly to the unprotected application handler.