Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Personal AWS resources in Alexa Hosted Skills
How do I set up an Alexa-hosted skill to use resources on a personal AWS account?
With the AWS Lambda execution role ARN, you can seamlessly use resources on a personal AWS account to expand the functionality of your Alexa-hosted skill. For example, you can connect the Alexa-hosted skill to an Amazon DynamoDB table. Take the following steps to set up your Alexa-hosted skill to use resources on a personal AWS account:
In the Alexa developer console, open your Alexa-hosted skill, and then in the code editor click the icon that has hover text AWS Lambda Role Execution ARN. Copy the ARN.
If you have not done so already, on your personal AWS account, in the Identity and Access Management (IAM) dashboard, create a role that allows access to the resource that you want your Alexa-hosted skill to access.
In the IAM dashboard, click Roles, click the name of the role you want to edit, and then click the Trust relationships tab.
Edit the trust relationship to include the sts:AssumeRole action, and specify the AWS Lambda Role Execution ARN from your Alexa-hosted skill, as shown in the following example.
"Version": "2012-10-17",
"Statement": [
... Your existing trust relationships ...,
"Effect": "Allow",
"Principal": {
"AWS": "<Replace with AWS Lambda Execution Role ARN from Alexa-hosted skill>"
"Action": "sts:AssumeRole"
In the code for your Alexa-hosted skill, assume the role using the AWS Security Token Service (STS) API. For example, the following code requests temporary credentials of a role with AWS DynamoDB access, and scans the DynamoDB table.
const ShowUserMessageHandler = {
... Your canHandle function for intent ...
async handle(handlerInput) {
// 1. Assume the AWS resource role using STS AssumeRole Action
const STS = new AWS.STS({ apiVersion: '2011-06-15' });
const credentials = await STS.assumeRole({
RoleArn: '<Your AWS resource role ARN>',
RoleSessionName: 'ExampleSkillRoleSession' // You can rename with any name
}, (err, res) => {
if (err) {
console.log('AssumeRole FAILED: ', err);
throw new Error('Error while assuming role');
return res;
// 2. Make a new DynamoDB instance with the assumed role credentials
// and scan the DynamoDB table
const dynamoDB = new AWS.DynamoDB({
apiVersion: '2012-08-10',
accessKeyId: credentials.Credentials.AccessKeyId,
secretAccessKey: credentials.Credentials.SecretAccessKey,
sessionToken: credentials.Credentials.SessionToken
const tableData = await dynamoDB.scan({ TableName: 'TestTable' }, (err, data) => {
if (err) {
console.log('Scan FAILED', err);
throw new Error('Error while scanning table');
return data;
// ... Use table data as required ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.