Skip to main content
Deploy your Restate services as serverless functions on AWS Lambda. This guide covers project setup, packaging, and service registration.
For infrastructure as code, check out the Restate CDK construct library.

Set up your project

  • TypeScript
  • Python
  • Java
  • Kotlin
  • Go

Create your Restate + Typescript + Lambda repository

You can check out the template here: https://github.com/restatedev/lambda-typescript-templateSee the TypeScript serving docs for more details.

Package and deploy

Build a deployment package containing your application code and dependencies.
  • TypeScript
  • Python
  • Java
  • Kotlin
  • Go
Package your application as a zip file for Lambda:
npm run bundle
The Lambda handler to setup is app.handler.
Head over to your AWS dashboard to create the Lambda and upload the zip. For more details, follow the AWS Lambda documentation.

Role to invoke the Lambda

When using Cloud, you’ll need to create an IAM Role for Restate Cloud to invoke your Lambda. To set up the role, visit your Restate Cloud Dashboard at Developers > Security > AWS Lambda.

Register the service to Restate

In order for Restate to push requests to your Lambda function, you need to register the service to Restate using the CLI or UI: 
restate deployments register \
  arn:aws:lambda:region:account-id:function:function-name:version \
  --assume-role-arn <INVOKE_ROLE>
Always register a specific Lambda version (not $LATEST) to ensure Restate routes requests to a stable deployment. Check the versioning documentation for more info.
Once your service is registered, you can start sending requests to it.

CI/CD Automation

You can set up automation to upload a new Lambda version and register new Restate service versions.
  • TypeScript
  • Python
name: Deploy to AWS Lambda

on:
  push:
    branches:
      - main

permissions:
  id-token: write   # This is required for OIDC authentication
  contents: read    # This is required to checkout the repository

jobs:
  deploy:
    name: Deploy
    runs-on: ubuntu-latest
    environment: production
    env:
      AWS_REGION: us-east-1

    steps:
      - name: Checkout
        uses: actions/checkout@v5
      - uses: actions/setup-node@v5

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_DEPLOY_ROLE_TO_ASSUME }}
          aws-region: ${{ env.AWS_REGION }}

      - name: Install dependencies
        run: npm ci
      - name: Build
        run: npm run build

      - name: Deploy Lambda Function
        uses: aws-actions/[email protected]
        id: deploy
        with:
          function-name: my-greeter
          code-artifacts-dir: dist
          handler: app.handler
          runtime: nodejs22.x
          publish: true

      - name: Register Restate deployment
        env:
          # Admin URL of your Cloud environment. You can find it in Developers > Admin URL: https://cloud.restate.dev/to/developers/integration#admin
          RESTATE_ADMIN_URL: ${{ secrets.RESTATE_ADMIN_URL }}
          # Auth token with Admin Role. To get one, go to Developers > API Keys > Create API Key: https://cloud.restate.dev?createApiKey=true&createApiKeyDescription=deployment-key&createApiKeyRole=rst:role::AdminAccess
          RESTATE_AUTH_TOKEN: ${{ secrets.RESTATE_AUTH_TOKEN }}
        run: npx -y @restatedev/restate deployment register -y ${{ steps.deploy.outputs.function-arn }} --assume-role-arn ${{ secrets.AWS_INVOKE_ROLE_TO_ASSUME }}
For this workflow to execute, you need to configure your AWS account for the Github OIDC provider. Then, add the following GitHub Actions repository secrets:
  • RESTATE_ADMIN_URL: The Admin URL. You can find it in Developers > Admin URL
  • RESTATE_AUTH_TOKEN: Your Restate Cloud auth token. To get one, go to Developers > API Keys > Create API Key, and make sure to select Admin for the role
  • AWS_INVOKE_ROLE_TO_ASSUME: The role created in the above paragraph to invoke the function
  • AWS_DEPLOY_ROLE_TO_ASSUME: The role to deploy the function, see below
To configure your account for the Github OIDC provider, run:
aws iam create-open-id-connect-provider \
    --url https://token.actions.githubusercontent.com \
    --client-id-list sts.amazonaws.com
To create the deploy role, head over to the AWS IAM console, and create a new role.The role should have the following Trust policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<ACCOUNT_ID>:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:<GITHUB_ORG>/<GITHUB_REPO>:*"
        }
      }
    }
  ]
}
And the following permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LambdaDeployPermissions",
      "Effect": "Allow",
      "Action": [
        "lambda:GetFunctionConfiguration",
        "lambda:CreateFunction",
        "lambda:UpdateFunctionCode",
        "lambda:UpdateFunctionConfiguration",
        "lambda:PublishVersion"
      ],
      "Resource": "arn:aws:lambda:<REGION>:<ACCOUNT_ID>:function:<FUNCTION_NAME>"
    },
    {
      "Sid":"PassRolesDefinition",
      "Effect":"Allow",
      "Action":[
        "iam:PassRole"
      ],
      "Resource":[
        "<AWS_INVOKE_ROLE_TO_ASSUME>"
      ]
    }
  ]
}
You can use this workflow with Self-hosted Restate as well, just make sure to correctly set up RESTATE_AUTH_TOKEN and RESTATE_ADMIN_URL to reach your Restate cluster.