Problem

We've been asked for an API that will work at web scale and be cost effective. A serverless API is perfect for this.

What are the constituent parts needed to start working with the AWS SDK for Python, and what steps are needed to write and execute a serverless script with AWS Lambda? How can this script be invoked by an HTTP endpoint?

Solution

The companion repo contains utility code for deploying the Lambda with boto3, as well as detail on the AWS API Gateway service that provides an endpoint to invoke the serverless function.

This is the end product: a serverless endpoint.

End product - a simple serverless endpoint

The code can be found on GitHub.

Once cloned, install dependencies, set your AWS account ID as an environment variable and run it.

(venv) (base) $ python src/main.py 

✅ Remove existing named lambda/api
✅ Create the lambda
✅ Deploy the lambda
✅ Remove any existing API
✅ Create API
✅ Deploy API
✅ Test API
SERVERLESS ENDPOINT RESPONSE from https://qvaik2un06.execute-api.eu-west-2.amazonaws.com/hello-world : 
b'{"querystring_params:": {}, "err": null, "message": "Hello Serverless World"}'

Setup: Creating the Lambda function and deploying

Python module structure

The module is laid out like this:

lambdapi
├── src 
│   ├── __init__.py
│   ├── settings.py         # constants like AWS account
│   ├── main.py             # run me for instant results
│   ├── python_lambdas
│   │   └── hello_world.py  # serverless python function
│   ├── api_gateway.py      # boto3 for api_gateway
│   ├── lambda_functions.py # boto3 lambda
│   └── helpers.py          # file operations
└── ...

AWS Permissions with IAM

IAM Resources used - policies and roles.

IAM Policies define the effect, actions, resources and optional conditions in a JSON document.

An IAM user is a person or service that interacts with AWS with their own access to the management console. A user can have a policy attached to them. In this case it is more appropriate to grant policy access with an IAM role. When assuming an IAM role (see Trusted Entity), access to a service can be granted to a user without having to give them new keys as the user can use temporary security tokens.

Create a Lambda access policy using an IAM client that you create.

The access definition is provided in an s3_access_policy_document:

  • JSON dictionary
  • Statement with an Action key granting
    • all S3 permissions
    • CloudWatch, to create log groups and streams for monitoring of the Lambda events

After creating the policy, create a role and attach the policy to it. This is the execution role that the Lambda service assumes.
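The policy described above, written out beside a narrower one, with a small check that flags wildcard grants. This is an added example, not code from the companion repo: the account ID, function name, the scoped policy and the helper `wildcard_findings` are assumptions, as is the premise that the hello-world function never touches S3.

```python
import json

# Constructed placeholders, not values from the page or its companion repo.
ACCOUNT_ID, REGION, FUNCTION_NAME = "123456789012", "eu-west-2", "hello-world"
LOG_GROUP = f"arn:aws:logs:{REGION}:{ACCOUNT_ID}:log-group:/aws/lambda/{FUNCTION_NAME}"
LOG_ACTIONS = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]

# Trust policy: the "trusted entity" that lets the Lambda service assume the role.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}

# Permissions as the text describes them: all of S3 plus CloudWatch logging.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": LOG_ACTIONS, "Resource": "*"}]}

# Scoped alternative (assumes the function never touches S3): logging only,
# restricted to this function's own log group and its streams.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": LOG_ACTIONS,
     "Resource": [LOG_GROUP, f"{LOG_GROUP}:*"]}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def wildcard_findings(policy):
    """Return (statement index, reason) for every over-broad Allow statement."""
    findings = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((index, f"wildcard action {action}"))
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append((index, "resource *"))
    return findings


if __name__ == "__main__":
    for name, doc in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, wildcard_findings(doc))
    # With boto3, the documents are passed as JSON strings, e.g.
    # iam.create_role(RoleName=..., AssumeRolePolicyDocument=json.dumps(TRUST_POLICY))
    # iam.create_policy(PolicyName=..., PolicyDocument=json.dumps(SCOPED_POLICY))
    print(json.dumps(SCOPED_POLICY, indent=2))
```

Running the check on a policy document before it is attached to the execution role shows which statements grant more than the function uses.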

Verifying the Lambda was created on AWS Console

By way of sanity check, we can verify the Lambda function has been uploaded in the AWS Console.

For the appropriate region, you may see the function, memory, timeout and our chosen permissions.

Animation of Console

Testing the endpoint

Parting Note

This brief walkthrough essentially achieves the same solution as the AWS Serverless Application Model 'Hello World' tutorial.

Alternative Solution

The AWS Serverless Application Model is a framework that allows you to build and deploy serverless applications.

You may declare the Lambda functions to be used and additional resources like APIs and databases in a YAML template. It uses an implementation of AWS CloudFormation to define these resources and provides myriad other benefits.

The AWS Hello World SAM tutorial covers what we outlined manually above and also shows how to run the Lambda and API route locally and remove the CloudFormation stack to clean up.

However, when dissecting software to understand a technique, it's always useful to strip away layers of abstraction.


Resources used: with thanks 💚