Lambda functions. However, before we can create our functions we will need to configure our IAM (Identity and Access Management). It is important to note that setting up IAM services is not required for using functions, but we are following best practices and it is in your best interest to go ahead and follow the next couple of steps. We will dive into more advanced examples later that will require the use of IAM to use different services.
Security IAM
The IAM service is an incredibly important and integrated service within AWS. IAM lets you assign users, roles, and policies in order to help secure your Amazon resources.
IAM Console
The IAM console is found under Services and Security, Identity, and Compliance. The console gives you a dashboard, groups, users, roles, policies, identity providers, account settings, a credential report, and encryption keys. From the dashboard (Figure 3-7), you can access a user’s sign-in link. This is where users who are not admin users are directed to log in. It also gives you an overview of your IAM Resources, including the number of users, groups, customer-managed policies, roles, and identity providers.
Figure 3-7. The IAM dashboard gives you an overview of all of your IAM resources along with five security steps you are recommended to complete
Chapter 3 ■ Amazon Web Services
To begin, it is important to complete the five steps listed in the Security Status console: deleting your root access keys, activating MFA (multi-factor authentication) on your root account, creating individual IAM users, creating groups for permissions, and applying an IAM password policy. By following these steps, you are ensuring that your IAM settings are properly secured so you can begin creating users and roles.
Roles, Policies, and Users
Roles, Policies, and Users are your means to set permissions to people, services, and resources. Roles are created under the Roles tab and allow you to create roles with set policies. These roles can be assigned to users and services. For instance, if I have a group of developers who I want to be able to edit and access Lambda and services, but not root account information, I can create a role called Developers.
After the role is created, I can assign certain policies to it. Policies determine the amount of access a role has to a service. Figure 3-8 demonstrates the Policy console with all of the preconfigured policies. You also have the option to create your own.
Policies describe the amount of access allowed to a particular service. For instance, the AdministratorAccess policy gives you full access to all resources for all services.
The Users window lets you add users to AWS. They are given their own login and whatever roles and policies you attach to them. To access the console, users are given Access Keys and a password that are
Figure 3-8. The Policies section allows you to create and assign policies. The attachments describe the entities (users and services) associated with a policy.
You also have the ability to add users to groups. Groups can be used to make permissions easier. If you have a group of users you want to all have admin access, you can add them to a group so all of the group policies are applied across the board. For the purpose of our serverless applications, we won’t be assigning users or groups, but it is good to keep these opportunities in mind as you build bigger applications with a larger group of people.
Roles for Lambda
AWS requires you to assign a role to your Lambda functions. These roles can differ across Lambda functions as they require access to different AWS services. However, just to get started with our Hello World function, we are going to create an AWS Lambda role that can be assigned to our functions.
In the Roles tab, we will click the Create New Role option. We will name our role “lambda_basic_execution.” Under permissions, we will attach the AWSLambdaExecute policy. If you look into this policy, you can see the exact permissions attached to it. The policy allows full access to CloudWatch to log our function, and provides read/write access to AWS S3. Figure 3-9 shows what the role should look like after creating it.
The Role ARN at the top of the console is the Amazon Resource Name. This is what uniquely identifies the role we just created. When we create our first function, we will assign our Lambda to this role, giving it all the permissions specified within the one attached policy.
Figure 3-9. The role has the AWSLambdaExecute policy attached to it. You can look into the policy to see the permissions attached, and you can also attach more policies as necessary.
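The role takes all of its permissions from the one attached policy, so it is worth checking how wide that policy's grants are before assigning it to a function. The check below is an added example, not code from the book or from AWS; both policy documents are constructed samples (the first follows the description above of full CloudWatch logging access plus S3 read/write, the second is a hypothetical scoped alternative), and the account ID, region, function name and bucket name are placeholders.

```javascript
// Added example: list the broad grants in an IAM policy document.
// All policy documents, ARNs, names and the account ID below are constructed.
const asList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Broad action: "*" or a whole service such as "logs:*".
const isBroadAction = (a) => a === "*" || a.endsWith(":*");

// Broad resource: "*", or an ARN whose account or entire resource part is "*".
function isBroadResource(r) {
  if (r === "*") return true;
  const parts = r.split(":");
  return parts[4] === "*" || parts.slice(5).join(":") === "*";
}

// Returns one finding per Allow statement that has a broad action or resource.
function findBroadGrants(policy) {
  const findings = [];
  asList(policy.Statement).forEach((stmt, index) => {
    if (stmt.Effect !== "Allow") return;
    const actions = asList(stmt.Action).filter(isBroadAction);
    const resources = asList(stmt.Resource).filter(isBroadResource);
    if (actions.length || resources.length) {
      findings.push({ statement: index, actions, resources });
    }
  });
  return findings;
}

// Constructed to match the description above: full CloudWatch Logs access, S3 read/write.
const broadPolicy = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Action: ["logs:*"], Resource: "arn:aws:logs:*:*:*" },
    { Effect: "Allow", Action: ["s3:GetObject", "s3:PutObject"], Resource: "arn:aws:s3:::*" },
  ],
};

// Hypothetical scoped alternative for one function and one bucket.
const scopedPolicy = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Action: ["logs:CreateLogStream", "logs:PutLogEvents"],
      Resource: "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/hello-world:*" },
    { Effect: "Allow", Action: ["s3:GetObject", "s3:PutObject"],
      Resource: "arn:aws:s3:::example-bucket/*" },
  ],
};

console.log(JSON.stringify(findBroadGrants(broadPolicy), null, 2));
console.log("scoped findings:", findBroadGrants(scopedPolicy).length);
```

The check does not evaluate NotAction, NotResource or Condition elements, so a clean result means only that no Allow statement names a wildcard action or an unscoped ARN.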
Your First Code
Now that we have our IAM role set and a good feel for navigating the AWS console, we can begin writing our first code. This Hello World Lambda function is going to give us experience creating a Lambda function, assigning a role to it, creating a test event, executing it, and later viewing the logs in CloudWatch.
Hello World
We will start by creating a new function in the Lambda console. After clicking Create a Lambda Function, you will see a list of blueprint options (Figure 3-10). These blueprints give you a Lambda skeleton that you can edit to complete the functionality you are looking for. To start off, we are just going to select a blank function.
■ Note The blueprints will change based on the language you choose. For instance, what you see for a Node.js function will be different from what you see for a C# function.
Figure 3-10. AWS provides many blueprint options for various runtimes and triggers. These are good to explore if you are new to a particular runtime or service.