Adding an Alexa Skills Kit Permission w/ InvokeFunction Permissions After Deploying w/ SAM CLI

aws-sam-cli-alexa-skill-id.sh

#!/usr/bin/env bash

# Push package to S3 bucket
$STACK_NAME="hello-world-dev"
sam deploy \
    --template-file packaged.yaml \
    --stack-name $STACK_NAME \
    --capabilities CAPABILITY_IAM

# Setup Alexa Skills Kit skill ID
GOOD_ALEXA="amzn1.ask.skill.xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
LAMBDA_ARN=`aws cloudformation describe-stacks --stack-name $STACK_NAME | grep "OutputValue.*:lambda:*" | sed s/.*\"arn/arn/ | sed s/\",//`

# [As of 01/11/19]
# NOTE: If you have deployed via sam-cli, with an AlexaSkillEvent configuration included in your template.yaml,
#    the following code needs to be executed to remove it because it is useless without an Alexa Skill Kit skill Id
# BAD_ALEXA=`aws lambda get-policy --function-name $LAMBDA_ARN --output text | sed s/.*Sid\"\:\"// | sed s/\".*//`
# aws lambda remove-permission \
#    --function-name $LAMBDA_ARN \
#    --statement-id $BAD_ALEXA

aws lambda add-permission \
    --function-name $LAMBDA_ARN \
    --statement-id 1 \
    --action lambda:InvokeFunction \
    --principal alexa-appkit.amazon.com \
    --event-source-token $GOOD_ALEXA

UPDATE: This may potentially be resolved by the eventual completion of PR #363 for SAM

Note: You don't need to include the remove-permission aws-cli code above if you chooses to simply exclude the following from the template.yaml, since it doesn't assist in any way that I aware of [as of 01/11/19]:

Events:
    AlexaSkillEvent:
        Type: AlexaSkill

Just retrieve the Lambda arn (I have it as an OutputValue for the generated CFN stack), and use add-permission to update the function. Unfortunately, this is the only workaround I know of, until sam-cli addresses it.

Links:

• Opened sam-cli Issue (please comment in the discussion, or thumb up my comment in the issue thread to show you need this too!)
• Documentation Around Configuring Alexa Skills Kit trigger

Further research and testing shows that the following works in the template.yaml with sam-cli, without needing to resort to post-configuration modification via aws-cli:

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Alexa App Hello World Lambda Endpoint

Mappings:
    Variables:
        AlexaSkillKit:
            Id: amzn1.ask.skill.xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Globals:
    Function:
        Timeout: 3

Resources:

    HelloWorldFunction:
        Type: AWS::Serverless::Function
        Properties:
            CodeUri: hello_world/
            Handler: app.lambda_handler
            Runtime: python3.6

    HelloWorldFunctionAskPermission:
        Type: AWS::Lambda::Permission
        DependsOn: HelloWorldFunction
        Properties:
            Action: lambda:InvokeFunction
            EventSourceToken: !FindInMap
                - Variables
                - AlexaSkillKit
                - Id
            FunctionName: !GetAtt HelloWorldFunction.Arn
            Principal: alexa-appkit.amazon.com

Outputs:

    HelloWorldFunction:
        Description: "Alexa Hello World Lambda Function ARN"
        Value: !GetAtt HelloWorldFunction.Arn

    HelloWorldFunctionIamRole:
        Description: "Implicit IAM Role created for Alexa Hello World function"
        Value: !GetAtt HelloWorldFunctionRole.Arn

    HelloWorldFunctionAlexaSkillKitId:
        Description: "Alexa Skill Permitted Lambda Invokation Permissions"
        Value: !FindInMap
            - Variables
            - AlexaSkillKit
            - Id