The AWS Lambda Walkthrough 2 uses AWS Lambda to automatically resize images added to one bucket, placing the resulting thumbnails in another bucket. The walkthrough documentation has a mix of aws-cli commands, instructions for hand editing files, and steps requiring the AWS console.
For my personal testing, I converted all of these to command line instructions that can simply be copied and pasted, making them more suitable for adapting into scripts and for eventual automation. I share the results here in case others might find this a faster way to get started with Lambda.
These instructions assume that you have already set up and are using an IAM user / aws-cli profile with admin credentials.
The following is intended as a companion to the Amazon walkthrough documentation, simplifying the execution steps for command line lovers. Read the AWS documentation itself for more details explaining the walkthrough.
Set up
Set up environment variables describing the associated resources:
Change to your own unique S3 bucket name:
source_bucket=alestic-lambda-example
# Do not change this. Walkthrough code assumes this name
target_bucket=${source_bucket}resized
function=CreateThumbnail
lambda_execution_role_name=lambda-$function-execution
lambda_execution_access_policy_name=lambda-$function-execution-access
lambda_invocation_role_name=lambda-$function-invocation
lambda_invocation_access_policy_name=lambda-$function-invocation-access
log_group_name=/aws/lambda/$function
Install some required software:
sudo apt-get install nodejs nodejs-legacy npm
Step 1.1: Create Buckets and Upload a Sample Object (walkthrough)
Create the buckets:
aws s3 mb s3://$source_bucket
aws s3 mb s3://$target_bucket
Upload a sample photo:
# by Hatalmas: https://www.flickr.com/photos/hatalmas/6094281702
wget -q -OHappyFace.jpg \
https://c3.staticflickr.com/7/6209/6094281702_d4ac7290d3_b.jpg
aws s3 cp HappyFace.jpg s3://$source_bucket/
Step 2.1: Create a Lambda Function Deployment Package (walkthrough)
Create the Lambda function nodejs code:
# JavaScript code as listed in walkthrough
wget -q -O $function.js \
http://run.alestic.com/lambda/aws-examples/CreateThumbnail.js
Install packages needed by the Lambda function code. Note that this is done under the local directory:
npm install async gm # aws-sdk is not needed
Put all of the required code into a ZIP file, ready for uploading:
zip -r $function.zip $function.js node_modules
Step 2.2: Create an IAM Role for AWS Lambda (walkthrough)
IAM role that will be used by the Lambda function when it runs.
lambda_execution_role_arn=$(aws iam create-role \
--role-name "$lambda_execution_role_name" \
--assume-role-policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}' \
--output text \
--query 'Role.Arn'
)
echo lambda_execution_role_arn=$lambda_execution_role_arn
What the Lambda function is allowed to do/access. This is slightly tighter than the generic role policy created with the IAM console:
aws iam put-role-policy \
--role-name "$lambda_execution_role_name" \
--policy-name "$lambda_execution_access_policy_name" \
--policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:*"
],
"Resource": "arn:aws:logs:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::'$source_bucket'/*"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": "arn:aws:s3:::'$target_bucket'/*"
}
]
}'
Step 2.3: Upload the Deployment Package and Invoke it Manually (walkthrough)
Upload the Lambda function, specifying the IAM role it should use and other attributes:
# Timeout increased from walkthrough based on experience
aws lambda upload-function \
--function-name "$function" \
--function-zip "$function.zip" \
--role "$lambda_execution_role_arn" \
--mode event \
--handler "$function.handler" \
--timeout 30 \
--runtime nodejs
Create fake S3 event data to pass to the Lambda function. The key here is the source S3 bucket and key:
cat > $function-data.json <<EOM
{
"Records":[
{
"eventVersion":"2.0",
"eventSource":"aws:s3",
"awsRegion":"us-east-1",
"eventTime":"1970-01-01T00:00:00.000Z",
"eventName":"ObjectCreated:Put",
"userIdentity":{
"principalId":"AIDAJDPLRKLG7UEXAMPLE"
},
"requestParameters":{
"sourceIPAddress":"127.0.0.1"
},
"responseElements":{
"x-amz-request-id":"C3D13FE58DE4C810",
"x-amz-id-2":"FMyUVURIY8/IgAtTv8xRjskZQpcIZ9KG4V5Wp6S7S/JRWeUWerMUE5JgHvANOjpD"
},
"s3":{
"s3SchemaVersion":"1.0",
"configurationId":"testConfigRule",
"bucket":{
"name":"$source_bucket",
"ownerIdentity":{
"principalId":"A3NL1KOZZKExample"
},
"arn":"arn:aws:s3:::$source_bucket"
},
"object":{
"key":"HappyFace.jpg",
"size":1024,
"eTag":"d41d8cd98f00b204e9800998ecf8427e",
"versionId":"096fKKXTRTtl3on89fVO.nfljtsv6qko"
}
}
}
]
}
EOM
Invoke the Lambda function, passing in the fake S3 event data:
aws lambda invoke-async \
--function-name "$function" \
--invoke-args "$function-data.json"
Look in the target bucket for the converted image. It could take a while to show up since the Lambda function is running asynchronously:
aws s3 ls s3://$target_bucket
Look at the Lambda function log output in CloudWatch:
aws logs describe-log-groups \
--output text \
--query 'logGroups[*].[logGroupName]'
log_stream_names=$(aws logs describe-log-streams \
--log-group-name "$log_group_name" \
--output text \
--query 'logStreams[*].logStreamName')
echo log_stream_names="'$log_stream_names'"
for log_stream_name in $log_stream_names; do
aws logs get-log-events \
--log-group-name "$log_group_name" \
--log-stream-name "$log_stream_name" \
--output text \
--query 'events[*].message'
done | less
Step 3.1: Create an IAM Role for Amazon S3 (walkthrough)
This role may be assumed by S3.
lambda_invocation_role_arn=$(aws iam create-role \
--role-name "$lambda_invocation_role_name" \
--assume-role-policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"sts:ExternalId": "arn:aws:s3:::*"
}
}
}
]
}' \
--output text \
--query 'Role.Arn'
)
echo lambda_invocation_role_arn=$lambda_invocation_role_arn
S3 may invoke the Lambda function.
aws iam put-role-policy \
--role-name "$lambda_invocation_role_name" \
--policy-name "$lambda_invocation_access_policy_name" \
--policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction"
],
"Resource": [
"*"
]
}
]
}'
Step 3.2: Configure a Notification on the Bucket (walkthrough)
Get the Lambda function ARN:
lambda_function_arn=$(aws lambda get-function-configuration \
--function-name "$function" \
--output text \
--query 'FunctionArn'
)
echo lambda_function_arn=$lambda_function_arn
Tell the S3 bucket to invoke the Lambda function when new objects are created (or overwritten):
aws s3api put-bucket-notification \
--bucket "$source_bucket" \
--notification-configuration '{
"CloudFunctionConfiguration": {
"CloudFunction": "'$lambda_function_arn'",
"InvocationRole": "'$lambda_invocation_role_arn'",
"Event": "s3:ObjectCreated:*"
}
}'
Step 3.3: Test the Setup (walkthrough)
Copy your own jpg and png files into the source bucket:
myimages=...
aws s3 cp $myimages s3://$source_bucket/
Look for the resized images in the target bucket:
aws s3 ls s3://$target_bucket
Check out the environment
These handy commands let you review the related resources in your acccount:
aws lambda list-functions \
--output text \
--query 'Functions[*].[FunctionName]'
aws lambda get-function \
--function-name "$function"
aws iam list-roles \
--output text \
--query 'Roles[*].[RoleName]'
aws iam get-role \
--role-name "$lambda_execution_role_name" \
--output json \
--query 'Role.AssumeRolePolicyDocument.Statement'
aws iam list-role-policies \
--role-name "$lambda_execution_role_name" \
--output text \
--query 'PolicyNames[*]'
aws iam get-role-policy \
--role-name "$lambda_execution_role_name" \
--policy-name "$lambda_execution_access_policy_name" \
--output json \
--query 'PolicyDocument'
aws iam get-role \
--role-name "$lambda_invocation_role_name" \
--output json \
--query 'Role.AssumeRolePolicyDocument.Statement'
aws iam list-role-policies \
--role-name "$lambda_invocation_role_name" \
--output text \
--query 'PolicyNames[*]'
aws iam get-role-policy \
--role-name "$lambda_invocation_role_name" \
--policy-name "$lambda_invocation_access_policy_name" \
--output json \
--query 'PolicyDocument'
aws s3api get-bucket-notification \
--bucket "$source_bucket"
Clean up
If you are done with the walkthrough, you can delete the created resources:
aws s3 rm s3://$target_bucket/resized-HappyFace.jpg
aws s3 rm s3://$source_bucket/HappyFace.jpg
aws s3 rb s3://$target_bucket/
aws s3 rb s3://$source_bucket/
aws lambda delete-function \
--function-name "$function"
aws iam delete-role-policy \
--role-name "$lambda_execution_role_name" \
--policy-name "$lambda_execution_access_policy_name"
aws iam delete-role \
--role-name "$lambda_execution_role_name"
aws iam delete-role-policy \
--role-name "$lambda_invocation_role_name" \
--policy-name "$lambda_invocation_access_policy_name"
aws iam delete-role \
--role-name "$lambda_invocation_role_name"
log_stream_names=$(aws logs describe-log-streams \
--log-group-name "$log_group_name" \
--output text \
--query 'logStreams[*].logStreamName') &&
for log_stream_name in $log_stream_names; do
echo "deleting log-stream $log_stream_name"
aws logs delete-log-stream \
--log-group-name "$log_group_name" \
--log-stream-name "$log_stream_name"
done
aws logs delete-log-group \
--log-group-name "$log_group_name"
If you try these instructions, please let me know in the comments where you had trouble or experienced errors.