AWS Lambda
Developer Guide

Building a Pipeline for Your Serverless Application

In the following tutorial, you create an AWS CodePipeline that automates the deployment of your serverless application. First, you need to set up a source stage to trigger your pipeline. For the purposes of this tutorial:

  • We're using GitHub. For instructions on how to create a GitHub repository, see Create a Repository in GitHub.

  • You need to create an AWS CloudFormation role and add the AWSLambdaExecute policy to that role, as outlined in the following steps:

    1. Sign in to the AWS Management Console and open the IAM console at

    2. Follow the steps in Creating a Role to Delegate Permissions to an AWS Service in the IAM User Guide to create an IAM role (execution role). Then go to the To create a role for an AWS service section. As you follow the steps to create a role, note the following:

      • In Select Role Type, choose AWS Service Roles, and then choose CloudFormation. Choose Next: Permissions.

      • In Attach permissions policies, use the search bar to find and then choose AWSLambdaExecute. Choose Next: Review.

      • In Role Name, use a name that's unique within your AWS account (for example, cloudformation-lambda-execution-role), and then choose Create role.

      • Open the role you just created. Under the Permissions tab, choose Add inline policy.

      • In Create Policy, choose the JSON tab and enter the following:


        Make sure to replace the region and id placeholders with your Region and account ID.

        { "Statement": [ { "Action": [ "s3:GetObject", "s3:GetObjectVersion", "s3:GetBucketVersioning" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "s3:PutObject" ], "Resource": [ "arn:aws:s3:::codepipeline*" ], "Effect": "Allow" }, { "Action": [ "lambda:*" ], "Resource": [ "arn:aws:lambda:region:id:function:*" ], "Effect": "Allow" }, { "Action": [ "apigateway:*" ], "Resource": [ "arn:aws:apigateway:region::*" ], "Effect": "Allow" }, { "Action": [ "iam:GetRole", "iam:CreateRole", "iam:DeleteRole", "iam:PutRolePolicy" ], "Resource": [ "arn:aws:iam::id:role/*" ], "Effect": "Allow" }, { "Action": [ "iam:AttachRolePolicy", "iam:DeleteRolePolicy", "iam:DetachRolePolicy" ], "Resource": [ "arn:aws:iam::id:role/*" ], "Effect": "Allow" }, { "Action": [ "iam:PassRole" ], "Resource": [ "*" ], "Effect": "Allow" }, { "Action": [ "cloudformation:CreateChangeSet" ], "Resource": [ "arn:aws:cloudformation:region:aws:transform/Serverless-2016-10-31" ], "Effect": "Allow" }, { "Action": [ "codedeploy:CreateApplication", "codedeploy:DeleteApplication", "codedeploy:RegisterApplicationRevision" ], "Resource": [ "arn:aws:codedeploy:region:id:application:*" ], "Effect": "Allow" }, { "Action": [ "codedeploy:CreateDeploymentGroup", "codedeploy:CreateDeployment", "codedeploy:GetDeployment" ], "Resource": [ "arn:aws:codedeploy:region:id:deploymentgroup:*" ], "Effect": "Allow" }, { "Action": [ "codedeploy:GetDeploymentConfig" ], "Resource": [ "arn:aws:codedeploy:region:id:deploymentconfig:*" ], "Effect": "Allow" } ], "Version": "2012-10-17" }
      • Choose Validate Policy and then choose Apply Policy.

Step 1: Set Up Your Repository

You can use any of the Lambda supported runtimes when you set up a repository. The following example uses Node.js.

To set up your repository, do the following:

  • Add an index.js file that contains the following code:

    var time = require('time'); exports.handler = (event, context, callback) => { var currentTime = new time.Date(); currentTime.setTimezone("America/Los_Angeles"); callback(null, { statusCode: '200', body: 'The time in Los Angeles is: ' + currentTime.toString(), }); };
  • Add a samTemplate.yaml file that contains the following content. This is for the AWS SAM template that defines the resources in your application. This AWS SAM template defines a Lambda function that's triggered by API Gateway. Note that the runtime parameter uses nodejs6.10, but you can also specify nodejs8.10. For more information about AWS SAM, see AWS Serverless Application Model.

    AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: Outputs the time Resources: TimeFunction: Type: AWS::Serverless::Function Properties: Handler: index.handler Runtime: nodejs6.10 CodeUri: ./ Events: MyTimeApi: Type: Api Properties: Path: /TimeResource Method: GET
  • Add a buildspec.yml file. A build spec is a collection of build commands and related settings, in YAML format, that AWS CodeBuild uses to run a build. For more information, see Build Specification Reference for AWS CodeBuild. In this example, the build action is the following:

    • Use npm to install the time package.

    • Run the Package command to prepare your deployment package for subsequent deployment steps in your pipeline. For more information on the package command, see Uploading Local Artifacts to an S3 Bucket.

      version: 0.2 phases: install: commands: - npm install time - aws cloudformation package --template-file samTemplate.yaml --kms-key-id kms-key-id --s3-bucket bucket-name --output-template-file outputSamTemplate.yaml artifacts: type: zip files: - samTemplate.yaml - outputSamTemplate.yaml

Step 2: Create Your Pipeline

Follow these steps to create your AWS CodePipeline.

  1. Sign in to the AWS Management Console and open the AWS CodePipeline console.

  2. Choose Get Started Now.

  3. In Pipeline name, enter a name for your pipeline, and then choose Next step.

  4. In Source provider, choose GitHub.

  5. Choose Connect to GitHub, and then choose the Repository and Branch that you want to connect to. Every git push to the branch you select triggers your pipeline. Choose Next step.

  6. Choose AWS CodeBuild as your Build provider.

  7. Choose Create a new build project and enter a project name.

  8. Choose Ubuntu as the operating system.

  9. Choose Node.js as the runtime.

  10. In Version, choose aws/codebuild/nodejs:version.

  11. In Build specification, choose Use the buildspec.yml in the source code root directory.

  12. Choose Save build project.


    A service role for AWS CodeBuild is automatically created on your behalf.

    Choose Next step.

  13. In Deployment provider, choose AWS CloudFormation.

    When you choose this option, AWS CloudFormation commands are used to deploy the AWS SAM template. For more information, see AWS SAM Template Basics in the AWS Serverless Application Model Developer Guide.

  14. In Action mode, choose Create or replace a change set.

  15. In Stack name, enter MyBetaStack.

  16. In Change set name, enter MyChangeSet.

  17. In Template file, enter outputSamTemplate.yaml.

  18. In Capabilities, choose CAPABILITY_IAM.

  19. In Role, select the AWS CloudFormation role that you created at the beginning of this tutorial and then choose Next step.

  20. Choose Create role, choose Next, choose Allow, and then choose Next step.

  21. Review your pipeline and then choose Create pipeline.

Step 3: Update the Generated Service Policy

Complete the following steps to allow AWS CodeBuild to upload build artifacts to your Amazon S3 bucket.

  1. Go to the IAM console.

  2. Choose Roles.

  3. Open the service role that was generated for your project—typically code-build-project-name-service-role.

  4. Under the Permissions tab, choose Add inline policy.

  5. In service, choose Choose a service.

  6. In Select a service below, choose S3.

  7. In Actions, choose Select actions.

  8. Expand Write under Access level groups, and then choose PutObject.

  9. Choose Resources, and then select the Any check box.

  10. Choose Review policy.

  11. Enter a Name, and then choose Create policy. Then return to the pipeline you created in the previous section.

Step 4: Complete Your Beta Deployment Stage

Use the following steps to complete your beta stage.

  1. Choose Edit.

  2. Choose the + icon next to MyBetaStack.

  3. In Action category, if it's not already selected, choose Deploy.

  4. In Deployment provider, if it's not already selected, choose AWS CloudFormation.

  5. In Action mode, choose Execute a change set. CreateChangeSet transforms the AWS SAM template to the full AWS CloudFormation format, and deployChangeSet deploys the AWS CloudFormation template.

  6. In Stack name, enter or choose MyBetaStack.

  7. In Change set name, enter MyChangeSet.

  8. Choose Add action.

  9. Choose Save pipeline changes.

  10. Choose Save and continue.

Your pipeline is ready. Any git push to the branch that you connected to this pipeline is going to trigger a deployment. To test your pipeline and deploy your application for the first time, do one of the following:

  • Perform a git push to the branch that's connected to your pipeline.

  • Go the AWS CodePipeline console, choose the name of the pipeline you created, and then choose Release change.