Tutorial: Using AWS Lambda with Amazon S3
Suppose you want to create a thumbnail for each image (.jpg and .png objects) that is uploaded to a
bucket. You can create a Lambda function (
CreateThumbnail) that Amazon S3 can
invoke when objects are created. Then, the Lambda function can read the image
object from the
source bucket and create a thumbnail
image target bucket (in this tutorial, it's called the
You must use two buckets. If you use the same bucket as the source and the target, each thumbnail uploaded to the source bucket triggers another object-created event, which then invokes the Lambda function again, creating an unwanted recursion.
The following diagram illustrates the application flow:
A user uploads an object to the source bucket in Amazon S3 (object-created event).
Amazon S3 detects the object-created event.
Amazon S3 publishes the
s3:ObjectCreated:*event to AWS Lambda by invoking the Lambda function and passing event data as a function parameter.
AWS Lambda executes the Lambda function by assuming the execution role that you specified at the time you created the Lambda function.
From the event data it receives, the Lambda function knows the source bucket name and object key name. The Lambda function reads the object and creates a thumbnail using graphics libraries, and saves it to the target bucket.
Note that upon completing this tutorial, you will have the following Amazon S3, Lambda, and IAM resources in your account:
A Lambda function.
An access permissions policy associated with your Lambda function – You grant Amazon S3 permissions to invoke the Lambda function using this permissions policy. You will also restrict the permissions so that Amazon S3 can invoke the Lambda function only for object-created events from a specific bucket that is owned by a specific AWS account.
It is possible for an AWS account to delete a bucket and some other AWS account to later create a bucket with the same name. The additional conditions ensure that Amazon S3 can invoke the Lambda function only if Amazon S3 detects object-created events from a specific bucket owned by a specific AWS account.
For more information, see How It Works.
Administrator user – Called adminuser. Using root credentials of an AWS account is not recommended. Instead, use the adminuser credentials to perform the steps in this tutorial.
An IAM role (execution role) – You grant permissions that your Lambda function needs through the permissions policy associated with this role.
In Amazon S3:
Two buckets named
. Note that
sourceis a placeholder name and you need to replace it with your actual bucket name. For example, if you have a bucket named
exampleas your source, you will create
exampleresizedas the target bucket.
Notification configuration on the source bucket – You add notification configuration on your source bucket identifying the type of events (object-created events) you want Amazon S3 to publish to AWS Lambda and the Lambda function to invoke. For more information about the Amazon S3 notification feature, see Setting Up Notification of Bucket Events in Amazon Simple Storage Service Developer Guide..
Now you are ready to start the tutorial. Note that after the initial preparation, the tutorial is divided into two main sections:
First, you complete the necessary setup steps to create a Lambda function and invoke it manually using Amazon S3 sample event data. This intermediate testing verifies that the function works.
Second, you add notification configuration to your source bucket so that Amazon S3 can invoke your Lambda function when it detects object-created events.