Created
August 21, 2019 18:11
-
-
Save germanviscuso/3f6f24644905d272ea3778b729bbf5e2 to your computer and use it in GitHub Desktop.
Personal AWS resources in Alexa Hosted Skills
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| How do I set up an Alexa-hosted skill to use resources on a personal AWS account? | |
| With the AWS Lambda execution role ARN, you can seamlessly use resources on a personal AWS account to expand the functionality of your Alexa-hosted skill. For example, you can connect the Alexa-hosted skill to an Amazon DynamoDB table. Take the following steps to set up your Alexa-hosted skill to use resources on a personal AWS account: | |
| In the Alexa developer console, open your Alexa-hosted skill, and then in the code editor click the icon that has hover text AWS Lambda Role Execution ARN. Copy the ARN. | |
| If you have not done so already, on your personal AWS account, in the Identity and Access Management (IAM) dashboard, create a role that allows access to the resource that you want your Alexa-hosted skill to access. | |
| In the IAM dashboard, click Roles, click the name of the role you want to edit, and then click the Trust relationships tab. | |
| Edit the trust relationship to include the sts:AssumeRole action, and specify the AWS Lambda Role Execution ARN from your Alexa-hosted skill, as shown in the following example. | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| ... Your existing trust relationships ..., | |
| { | |
| "Effect": "Allow", | |
| "Principal": { | |
| "AWS": "<Replace with AWS Lambda Execution Role ARN from Alexa-hosted skill>" | |
| }, | |
| "Action": "sts:AssumeRole" | |
| } | |
| ] | |
| } | |
| In the code for your Alexa-hosted skill, assume the role using the AWS Security Token Service (STS) API. For example, the following code requests temporary credentials of a role with AWS DynamoDB access, and scans the DynamoDB table. | |
| const ShowUserMessageHandler = { | |
| ... Your canHandle function for intent ... | |
| async handle(handlerInput) { | |
| // 1. Assume the AWS resource role using STS AssumeRole Action | |
| const STS = new AWS.STS({ apiVersion: '2011-06-15' }); | |
| const credentials = await STS.assumeRole({ | |
| RoleArn: '<Your AWS resource role ARN>', | |
| RoleSessionName: 'ExampleSkillRoleSession' // You can rename with any name | |
| }, (err, res) => { | |
| if (err) { | |
| console.log('AssumeRole FAILED: ', err); | |
| throw new Error('Error while assuming role'); | |
| } | |
| return res; | |
| }).promise(); | |
| // 2. Make a new DynamoDB instance with the assumed role credentials | |
| // and scan the DynamoDB table | |
| const dynamoDB = new AWS.DynamoDB({ | |
| apiVersion: '2012-08-10', | |
| accessKeyId: credentials.Credentials.AccessKeyId, | |
| secretAccessKey: credentials.Credentials.SecretAccessKey, | |
| sessionToken: credentials.Credentials.SessionToken | |
| }); | |
| const tableData = await dynamoDB.scan({ TableName: 'TestTable' }, (err, data) => { | |
| if (err) { | |
| console.log('Scan FAILED', err); | |
| throw new Error('Error while scanning table'); | |
| } | |
| return data; | |
| }).promise(); | |
| // ... Use table data as required ... | |
| } | |
| }; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment