This repository builds an AWS Lambda Layer that allows your Lambda functions (running on arm64) to connect to your Tailscale network and expose a local SOCKS5 proxy (localhost:1055).
It is designed to run ephemerally during the Lambda's execution lifecycle. The layer handles pulling the arm64 static binaries directly from Tailscale and structuring the layer correctly (extensions/ and bin/).
- Write Once, Use Everywhere: The layer exports its ARN via CloudFormation (`Export: Name: TailscaleExtensionArm64Arn`), allowing any other SAM application to simply reference the export using `!ImportValue TailscaleExtensionArm64Arn`.
- ARM64 Native: explicitly targets `arm64` (Graviton) to align with standard deployment architectures.
- No Docker Required: SAM builds the layer locally by downloading the static tarballs without requiring Docker.
When attaching this layer to a Lambda, you must provide:
- `TS_SECRET_API_KEY`: The name/ID of an AWS Secrets Manager secret containing your Tailscale Ephemeral/Reusable Auth Key.
- `TS_HOSTNAME`: The hostname you want this ephemeral node to use in the Tailscale admin panel.
Note: The Lambda Execution Role must have secretsmanager:GetSecretValue permissions for the specified secret.
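A consuming SAM template that attaches the layer, sets both variables, and grants `secretsmanager:GetSecretValue` on the one secret only. This is an added example, not a file from this repository; the function name, `CodeUri`, handler, runtime, timeout, secret name and hostname are assumptions to replace with your own.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31

Parameters:
  TailscaleSecretName:                     # assumption: name of your existing secret
    Type: String
    Default: example/tailscale-auth-key    # constructed placeholder value

Resources:
  ExampleFunction:                         # hypothetical consumer function
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: src/                        # hypothetical path
      Handler: app.handler                 # hypothetical handler
      Runtime: python3.12                  # assumption: any arm64-capable runtime
      Architectures: [arm64]               # must match the arm64 layer
      Timeout: 30                          # assumption: leave time for the node to join
      Layers:
        - !ImportValue TailscaleExtensionArm64Arn
      Environment:
        Variables:
          # Only the secret's name is stored here, never the auth key itself.
          TS_SECRET_API_KEY: !Ref TailscaleSecretName
          TS_HOSTNAME: example-lambda-node # constructed placeholder value
      Policies:
        - Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action: secretsmanager:GetSecretValue
              # Scoped to this secret rather than Resource: "*".
              # Secrets Manager appends "-" plus six characters to the ARN.
              Resource: !Sub "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:${TailscaleSecretName}-??????"
```

The layer stack has to be deployed in the same account and region first, because `!ImportValue` resolves only against an export that already exists.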
```bash
sam build
sam deploy --guided
```