Approaching the end of this chapter, we have one last step: deploying our code to the cloud. In the next chapters, we will learn how to use CloudFormation for a production-ready deployment process. However, nothing prevents us from using the CLI to play a bit with Lambda at this stage.
Previously, we mentioned that AWS resources are protected by IAM policies, and we created a user and attached a policy to it. IAM has another entity type, called a role. Roles are very similar to users: they are also identities and can access the resources allowed by the policies attached to them. However, while a user is associated with one person, a role can be assumed by whoever needs it. Lambda functions use roles to access other AWS resources. Every Lambda function should be associated with a role (the execution role), and the function can call any resource that the policies attached to that role allow.
In the following chapters, while we create our CloudFormation stack, we will create very advanced role definitions. However, at this stage, our test Lambda function does not need to access any AWS resources; thus, a basic role with minimum access rights will be sufficient to run the example. In this section, you create an IAM role using the following predefined role type and access policy:
- The AWS service role of the AWS Lambda type. This role grants AWS Lambda permission to assume the role.
- The AWSLambdaBasicExecutionRole access policy that you attach to the role. This managed policy grants permissions for Amazon CloudWatch actions that your Lambda function needs for logging and monitoring.
To create the IAM role:
- Sign in to the Identity and Access Management (IAM) console at https://console.aws.amazon.com/iam/.
- In the navigation pane, choose Roles and then choose Create New Role.
- Enter a role name, say, lambda-execution-role, and then choose Next Step.
- On the next screen, select AWS Lambda in the AWS Service Roles section.
- In Attach Policy, choose AWSLambdaBasicExecutionRole and then proceed.
- Take down the ARN of the role you just created.
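The same role can also be created from the command line. The script below is an added example, not code from the book: the function names `trust_policy` and `create_execution_role` and the `--apply` switch are assumptions made for illustration, and the trust policy shown is the standard document that lets only the Lambda service assume the role.

```shell
#!/bin/sh
# Added example: CLI equivalent of the console steps above.
ROLE_NAME="lambda-execution-role"   # role name used in the steps above
# AWS managed policy that allows writing logs to CloudWatch Logs.
POLICY_ARN="arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"

# Trust policy: only the Lambda service may assume this role.
trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "lambda.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Create the role, attach the logging policy, then print the role ARN
# that create-function expects in its --role argument.
create_execution_role() {
  aws iam create-role \
    --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy)" >/dev/null &&
  aws iam attach-role-policy \
    --role-name "$ROLE_NAME" \
    --policy-arn "$POLICY_ARN" &&
  aws iam get-role \
    --role-name "$ROLE_NAME" \
    --query 'Role.Arn' --output text
}

# Only talk to AWS when explicitly asked to (hypothetical --apply switch).
if [ "${1:-}" = "--apply" ]; then
  create_execution_role
fi
```

Run the script with `--apply` using credentials that are allowed to manage IAM roles; the last line it prints is the ARN to note down.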
Now we are ready to deploy our first Lambda function. First, let's build our project again using the build command:
$ ./gradlew build
Check whether the uber-JAR file is created in the build folder. Then, create the function using AWS CLI:
$ aws lambda create-function \
    --region us-east-1 \
    --function-name book-test \
    --runtime java8 \
    --role ROLE_ARN_YOU_CREATED \
    --handler com.serverlessbook.lambda.test.Handler \
    --zip-file fileb://${PWD}/lambda-test/build/libs/lambda-test-1.0-all.jar
If everything goes well, the command returns output similar to the following:
{
    "CodeSha256": "6cSUk4g8GdlhvApF6LfpT1dCOgemO2LOtrH7pZ6OATk=",
    "FunctionName": "book-test",
    "CodeSize": 1481805,
    "MemorySize": 128,
    "FunctionArn": "arn:aws:lambda:us-east-1:YOUR_ACCOUNT_ID:function:book-test",
    "Version": "$LATEST",
    "Role": "arn:aws:iam::YOUR_ACCOUNT-ID:role/lambda-execution-role",
    "Timeout": 3,
    "LastModified": "2016-08-22T22:12:30.419+0000",
    "Handler": "com.serverlessbook.lambda.test.Handler",
    "Runtime": "java8",
    "Description": ""
}
This means that your function has been created. You can navigate to https://eu-central-1.console.aws.amazon.com/lambda to check whether your function is there; because we created it in us-east-1, make sure that region is selected in the console. To execute the function, you can use the following command:
$ aws lambda invoke \
    --invocation-type RequestResponse \
    --region us-east-1 \
    --profile serverlessbook \
    --function-name book-test \
    --payload '{"value":"test"}' \
    --log-type Tail \
    /tmp/test.txt
You can see the output value in the /tmp/test.txt file and try the command with different values to see different outputs. Note that the first invocation is always slower, while the subsequent calls are significantly faster. This is because of the heat-up mechanism of AWS Lambda that we will mention later in the book.
Congratulations, and welcome to the world of AWS Lambda officially!