Using Beam to Send Data to AWS Lambda

Using Beam's HTTP entry points offers the following advantages

• There is no need to install credentials to access AWS Lambda functions on the device.

• On the device, you can access AWS Lambda functions simply by sending a request to the Beam entry point as follows

  curl -X POST http://beam.soracom.io:8888/lambda-with-signature-v4 \
  > -H "Content-Type: application/json" \
  > -d '{
  >     "key": "value"
  > }'

  You will receive the response as follows.

  {
      "message": "Hello from Lambda!",
      "body": {
          "key": "value"
      }
  }

• Multiple HTTP entry points can be configured in a single group setting.

This page describes the steps to create a Lambda function and security configurations that allow Beam to call the function, configure your Soracom account to enable Beam to call the functions, and run a short test to confirm that your setup is working correctly.

Step 1: Configure AWS Lambda

Create an AWS Lambda function to be called from Beam.

1. Access the AWS Lambda "Create function" navigation pane.

2. Choose the region in the navigation bar. For more information, see the AWS document: Choosing a Region

3. Click Author from scratch and set the following items

   Item	Description
   Function name	Enter a function name. Example: beam-hello-world
   Runtime	Select "Node.js xx.x".
   Architecture	Select "x86_64".

   

   Beam does not depend on the Lambda runtime. Any Lambda runtime Function can be used. We have suggested "Node.js xx.x" in this step to match the sample program provided in [5]].

4. Click Advanced settings, check Enable function URL, and make sure AWS_IAM is selected in Auth type.

   

5. Click Create function.

   The Lambda function will be created.

6. Double-click "index.mjs" in the Code source and update the program as follows.

   export const handler = async(event) => {
       const body = {
           "message": "Hello from Lambda!",
           "body": JSON.parse(event.body)
       }
   
       const response = {
           statusCode: 200,
           body: JSON.stringify(body),
       };
       return response;
   };

7. Copy the "Function ARN" and "Function URL" values shown in the Function overview.

   The "Function ARN" will henceforth be denoted ${lambda_func_arn}. Example: arn:aws:lambda:ap-northeast-1:XXXXXXXXXXXXXX:function:beam-hello-world

   The "Function URL" will henceforth be denoted ${lambda_func_url}. Example: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.lambda-url.ap-northeast-1.on.aws/

   

Step 2: Create an IAM role and assign it to Soracom's AWS account

Allow our Soracom AWS account that runs Beam to execute the function created in Step 1. Create an AWS IAM role to allow execution of the function and assign it to Soracom's AWS account.

1. Go to the IAM Management console, click on Access management > Roles > Create role.

   

2. Click AWS account > Another AWS account, and enter Soracom's AWS account ID in Account ID field.

   If you're working in Japan these use our Japanese Soracom AWS account ID, otherwise use our global account ID.

   • Global Coverage: 950858143650
   • Japan Coverage: 762707677580

   

3. Check the Require external ID checkbox and enter any string for the external ID field.

   The string entered for the external ID will henceforth be denoted ${external_id}. Example: External-ID-N4gqVwJMp7ZTVEgY

   

   For more information on external IDs, see the AWS document: How to use an external ID when granting access to your AWS resources to a third party.

4. Click Register.

   You will see the "Add permissions" navigation pane.

5. Click Create policy.

   

   In a new window or tab, you will see the "Create policy" navigation pane.

   Create a policy on the "Create Policy" navigation pane. When you completed the "Create Policy" navigation pane, come back to the "Add permissions" navigation pane where you see Create policy and continue with the creation of IAM roles. Do not close the original navigation pane.

6. Configure the policy to allow your function to be called via its URL

   Item	Description
   Service	Click on Choose a service, then click on Lambda.
   Actions	Find "InvokeFunctionUrl" in filter and check it.

   

7. Click Resources > Specific > Add ARN.

   

   You will see the "Add ARN" navigation pane.

8. Enter ${lambda_func_arn} of Lambda_function, and click Add.

   

   You will return to the "Create policy" navigation pane.

9. Click on Next: Tags > Next: Review.

10. Enter a name for the AWS IAM policy in Name field and click Create policy.

    

    An AWS IAM policy will be created and you will see the policy detail page.

11. Close the window or tab in which the policy detail page is displayed to return to the "Add permissions" navigation pane.

12. Click the reload icon then find the AWS IAM policy created in [10].

    

    You will see the AWS IAM policy that has been created.

13. Select the AWS IAM policy you created and click Next.

14. Enter the IAM role name in the Role name field and click Create role.

    

    You will return to the Roles page.

15. Click on the name of the IAM role you created. Note the ARN.

    This ARN will henceforth be denoted ${iam_role_arn}. Example: arn:aws:iam::XXXXXXXXXXXXXX:role/beam-hello-world-invoke-function-url-role

    

Step 3: Set up Soracom Beam

Configure the user console to call AWS Lambda functions from Beam when devices using the IoT SIM send data.

Register AWS IAM role credentials in the credential set

In order to invoke AWS Lambda functions from Beam, credentials related to the IAM role should be registered in the credential set in the user console. For details on how to register the credential sets, see Credential Sets.

The credential set is registered as follows

Configuring Beam's HTTP Entry Point

1. On the SIM Group page, open SORACOM Beam.

   See Group Settings for more information on configuring the SIM group.

2. Click on + Add Configuration > HTTP entry point.

   The "SORACOM Beam - HTTP configuration" pop-up will appear.

3. Set up as follows

   Item	Description
   CONFIGURATION NAME	Enter any configuration name (e.g. AWS Lambda).
   ENTRY POINT > PATH	Set the path as you like (e.g. /lambda-with-signature-v4)
   DESTINATION > PROTOCOL	Select "HTTPS"
   DESTINATION > HOST NAME	Enter ${lambda_func_url} without the leading "https://" and the trailing "/" (e.g. XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.lambda-url.ap-northeast-1.on.aws).
   DESTINATION > PORT NUMBER	Leave blank.
   DESTINATION > PATH	Leave blank.
   HEADER MANIPULATIONS > AUTHORIZATION HEADER	Turn on and set as follows TYPE: select "AWS Signature V4". SERVICE: Select "AWS Lambda". REGION: Select the region for the AWS Lambda. CREDENTIALS SET ID: Select the AWS IAM role credentials registered in Register AWS IAM role credentials in the credential set.

   Multiple entry points can be set for a single group configuration. The HTTP entry point is identified by the contents of ENTRY POINT > PATH. Changing the settings per HTTP entry point allows multiple entry points to be configured for a single group setting.

   
   

   For more information on the HTTP entry point settings, see HTTP Entry Point.

4. Click Register.

5. Add the IoT SIM to the group you created. If you need help, see Basic Usage - Adding a Device to a Group.

   Beam configuration for IoT SIM is completed.

Step 4: Call the AWS Lambda function using the HTTP entry point

Call an AWS Lambda function using Beam's HTTP entry point.

Ensure the device is connected to the Soracom platform and execute the following commands.

curl -X POST http://beam.soracom.io:8888/lambda-with-signature-v4 \
>-H "Content-Type: application/json" \
>-d '{
>"key": "value"
>}'

You will see the following response from the code inside your Lambda function.

>{"message":"Hello from Lambda!","body":{"key":"value"}}

curl -X POST https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.lambda-url.ap-northeast-1.on.aws/ \
>-H "Content-Type: application/json" \
>-d '{
>"key": "value"
>}'

{"Message":"Forbidden"}