Add Lambda MicroVMs with S3 Files pattern #3206

Open
bfreiberg wants to merge 1 commit into aws-samples:main from bfreiberg:lambda-microvm-s3files

@bfreiberg bfreiberg commented Jun 30, 2026

AWS Lambda MicroVMs with Amazon S3 Files

Adds lambda-microvm-s3files/ — a pattern that mounts an Amazon S3 bucket as a POSIX file system inside an AWS Lambda MicroVM (Firecracker-isolated, snapshot-resumable serverless compute) over NFS, reachable through a VPC egress network connector, with changes synchronized to and from S3 in both directions.

How it works

  • CloudFormation (AWS SAM) provisions everything that has a resource type: the data S3::Bucket (versioning on), the S3Files::FileSystem / MountTarget / AccessPoint, the NFS security group, the Lambda::NetworkConnector (VPC egress), the IAM roles, the CloudWatch log group, and the Lambda::MicrovmImage.
  • A small src/run.sh helper performs the two data-plane steps that have no CloudFormation resource: packaging/uploading the app artifact (read by the image build) and launching the MicroVM via RunMicrovm + minting an auth token.
  • The S3 Files mount happens in the MicroVM's /run lifecycle hook (the VPC connector and execution-role credentials only exist at run time), and re-mounts on /resume.

Contents

  • template.yaml — the SAM/CloudFormation template
  • example-pattern.json — Serverless Land metadata
  • src/app.py (Flask app + lifecycle hooks), Dockerfile (AL2023 + amazon-efs-utils), run.sh
  • README.md — requirements, deployment, how-it-works, testing, cleanup

Testing

Verified end-to-end in us-west-2: sam deploy → run.sh run ("mounted": true) → run.sh prove confirms bidirectional sync (a file written through the mount appears in S3; a file written to S3 is read back through the mount).

By submitting this pull request, I confirm that my contribution is made under the terms of the MIT-0 license.

Mount an Amazon S3 bucket as a POSIX file system inside an AWS Lambda MicroVM
(Firecracker-isolated, snapshot-resumable serverless compute) over NFS, reachable
through a VPC egress network connector, with bidirectional S3 sync.

CloudFormation (AWS SAM) provisions the data bucket, the S3 Files file system /
mount target / access point, the VPC egress network connector, the IAM roles,
the CloudWatch log group, and the MicroVM image (AWS::Lambda::MicrovmImage). A
small src/run.sh helper performs the data-plane steps that have no CloudFormation
resource: packaging the app artifact and launching the MicroVM (RunMicrovm).

Verified end-to-end in us-west-2: deploy -> run -> bidirectional S3 Files sync.
@bfreiberg bfreiberg marked this pull request as ready for review June 30, 2026 17:46