Tutorial: Using an Amazon S3 trigger to create thumbnail images
In this tutorial, you create a Lambda function and configure a trigger for Amazon Simple Storage Service (Amazon S3). Amazon S3 invokes the CreateThumbnail function for each image file that is uploaded to an S3 bucket. The function reads the image object from the source S3 bucket and creates a thumbnail image to save in a target S3 bucket.
This tutorial requires a moderate level of AWS and Lambda domain knowledge, Docker operations, and AWS SAM. We recommend that you first try Tutorial: Using an Amazon S3 trigger to invoke a Lambda function.
In this tutorial, you use the AWS Command Line Interface (AWS CLI) to create the following AWS resources:
Lambda resources
- A Lambda function. You can choose Node.js, Python, or Java for the function code.
- A .zip file archive deployment package for the function.
- An access policy that grants Amazon S3 permission to invoke the function.
AWS Identity and Access Management (IAM) resources
- An execution role with an associated permissions policy to grant permissions that your function needs.
Amazon S3 resources
- A source S3 bucket with a notification configuration that invokes the function.
- A target S3 bucket where the function saves the resized images.
Topics
- Prerequisites
- Step 1. Create S3 buckets and upload a sample object
- Step 2. Create the IAM policy
- Step 3. Create the execution role
- Step 4. Create the function code
- Step 5. Create the deployment package
- Step 6. Create the Lambda function
- Step 7. Test the Lambda function
- Step 8. Configure Amazon S3 to publish events
- Step 9. Test using the S3 trigger
- Step 10. Clean up your resources
Prerequisites
- AWS account
  To use Lambda and other AWS services, you need an AWS account. If you do not have an account, visit aws.amazon.com and choose Create an AWS Account. For instructions, see How do I create and activate a new AWS account?
- Command line
  To complete the following steps, you need a command line terminal or shell to run commands. Commands and the expected output are listed in separate blocks:
  aws --version
  You should see the following output:
  aws-cli/2.0.57 Python/3.7.4 Darwin/19.6.0 exe/x86_64
  For long commands, an escape character (\) is used to split a command over multiple lines. On Linux and macOS, use your preferred shell and package manager. On Windows 10, you can install the Windows Subsystem for Linux to get a Windows-integrated version of Ubuntu and Bash.
- AWS CLI
  In this tutorial, you use AWS CLI commands to create and invoke the Lambda function. Install the AWS CLI and configure it with your AWS credentials.
- Language tools
  Install the language support tools and a package manager for the language that you want to use: Node.js, Python, or Java. For suggested tools, see Code authoring tools.
Step 1. Create S3 buckets and upload a sample object
Follow these steps to create S3 buckets and upload an object.
- Open the Amazon S3 console.
- Create two S3 buckets. The target bucket must be named source-resized, where source is the name of the source bucket. For example, a source bucket named mybucket and a target bucket named mybucket-resized.
- In the source bucket, upload a .jpg object, for example, HappyFace.jpg.
  You must create this sample object before you test your Lambda function. When you test the function manually using the Lambda invoke command, you pass sample event data to the function that specifies the source bucket name and HappyFace.jpg as the newly created object.
Step 2. Create the IAM policy
Create an IAM policy that defines the permissions for the Lambda function. The function must have permissions to:
- Get the object from the source S3 bucket.
- Put the resized object into the target S3 bucket.
- Write logs to Amazon CloudWatch Logs.
To create an IAM policy
- Open the Policies page in the IAM console.
- Choose Create policy.
- Choose the JSON tab, and then paste the following policy. Be sure to replace mybucket with the name of the source bucket that you created previously.
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "logs:PutLogEvents",
          "logs:CreateLogGroup",
          "logs:CreateLogStream"
        ],
        "Resource": "arn:aws:logs:*:*:*"
      },
      {
        "Effect": "Allow",
        "Action": [
          "s3:GetObject"
        ],
        "Resource": "arn:aws:s3:::mybucket/*"
      },
      {
        "Effect": "Allow",
        "Action": [
          "s3:PutObject"
        ],
        "Resource": "arn:aws:s3:::mybucket-resized/*"
      }
    ]
  }
- Choose Next: Tags.
- Choose Next: Review.
- Under Review policy, for Name, enter AWSLambdaS3Policy.
- Choose Create policy.
Step 3. Create the execution role
Create the execution role that gives your Lambda function permission to access AWS resources.
To create an execution role
- Open the Roles page in the IAM console.
- Choose Create role.
- Create a role with the following properties:
  - Trusted entity – Lambda
  - Permissions policy – AWSLambdaS3Policy
  - Role name – lambda-s3-role
Step 4. Create the function code
In the following code examples, the Amazon S3 event contains the source S3 bucket name and the object key name. If the object is a .jpg or a .png image file, the function reads the image from the source bucket, generates a thumbnail image, and then saves the thumbnail to the target S3 bucket.
Note the following:
- The code assumes that the target bucket exists and that its name is a concatenation of the source bucket name and -resized.
- For each thumbnail file created, the Lambda function code derives the object key name as a concatenation of resized- and the source object key name. For example, if the source object key name is sample.jpg, the code creates a thumbnail object that has the key resized-sample.jpg.
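The naming rules above, shown as an added Python example (not the tutorial's own function code): it turns each S3 event record into a source and target location, URL-decodes the object key as S3 delivers it, and skips events that come from a -resized bucket so a misplaced trigger cannot feed the function its own output. The names plan_thumbnails, _record and SAMPLE_EVENT are assumptions, and the sample records are constructed.

```python
from posixpath import splitext
from urllib.parse import unquote_plus

ALLOWED_EXTENSIONS = {".jpg", ".png"}  # image types this tutorial handles
TARGET_SUFFIX = "-resized"             # target bucket = source bucket + suffix
KEY_PREFIX = "resized-"                # thumbnail key = prefix + source key


def plan_thumbnails(event):
    """Return (src_bucket, src_key, dst_bucket, dst_key) per usable record."""
    plans = []
    for record in event.get("Records", []):
        if record.get("eventSource") != "aws:s3":
            continue
        if not record.get("eventName", "").startswith("ObjectCreated:"):
            continue
        bucket = record["s3"]["bucket"]["name"]
        # Object keys are URL-encoded in S3 notifications ("a+b.jpg" is "a b.jpg").
        key = unquote_plus(record["s3"]["object"]["key"])
        # Loop guard: an event from a target bucket means the trigger is misplaced.
        if bucket.endswith(TARGET_SUFFIX):
            continue
        if splitext(key)[1].lower() not in ALLOWED_EXTENSIONS:
            continue
        plans.append((bucket, key, bucket + TARGET_SUFFIX, KEY_PREFIX + key))
    return plans


def _record(bucket, key, name="ObjectCreated:Put"):
    # Constructed sample record, trimmed to the fields the planner reads.
    return {"eventSource": "aws:s3", "eventName": name,
            "s3": {"bucket": {"name": bucket}, "object": {"key": key}}}


SAMPLE_EVENT = {"Records": [
    _record("sourcebucket", "HappyFace.jpg"),
    _record("sourcebucket", "holiday+photo+%231.PNG"),
    _record("sourcebucket", "notes.txt"),
    _record("sourcebucket-resized", "resized-HappyFace.jpg"),
    _record("sourcebucket", "old.jpg", name="ObjectRemoved:Delete"),
]}

if __name__ == "__main__":
    for plan in plan_thumbnails(SAMPLE_EVENT):
        print(plan)
```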
Step 5. Create the deployment package
The deployment package is a .zip file archive containing your Lambda function code and its dependencies.
Step 6. Create the Lambda function
To create the function
- Create a Lambda function with the create-function command.
  For the role parameter, replace 123456789012 with your AWS account ID. The preceding example command specifies a 10-second timeout value as the function configuration. Depending on the size of objects that you upload, you might need to increase the timeout value using the following AWS CLI command:
  aws lambda update-function-configuration --function-name CreateThumbnail --timeout 30
Step 7. Test the Lambda function
Invoke the Lambda function manually using sample Amazon S3 event data.
To test the Lambda function
- Save the following Amazon S3 sample event data in a file named inputFile.txt. Be sure to replace sourcebucket and HappyFace.jpg with your source S3 bucket name and a .jpg object key, respectively.
  {
    "Records":[
      {
        "eventVersion":"2.0",
        "eventSource":"aws:s3",
        "awsRegion":"us-west-2",
        "eventTime":"1970-01-01T00:00:00.000Z",
        "eventName":"ObjectCreated:Put",
        "userIdentity":{
          "principalId":"AIDAJDPLRKLG7UEXAMPLE"
        },
        "requestParameters":{
          "sourceIPAddress":"127.0.0.1"
        },
        "responseElements":{
          "x-amz-request-id":"C3D13FE58DE4C810",
          "x-amz-id-2":"FMyUVURIY8/IgAtTv8xRjskZQpcIZ9KG4V5Wp6S7S/JRWeUWerMUE5JgHvANOjpD"
        },
        "s3":{
          "s3SchemaVersion":"1.0",
          "configurationId":"testConfigRule",
          "bucket":{
            "name":"sourcebucket",
            "ownerIdentity":{
              "principalId":"A3NL1KOZZKExample"
            },
            "arn":"arn:aws:s3:::sourcebucket"
          },
          "object":{
            "key":"HappyFace.jpg",
            "size":1024,
            "eTag":"d41d8cd98f00b204e9800998ecf8427e",
            "versionId":"096fKKXTRTtl3on89fVO.nfljtsv6qko"
          }
        }
      }
    ]
  }
- Invoke the function with the following invoke command. Note that the command requests asynchronous execution (--invocation-type Event). Optionally, you can invoke the function synchronously by specifying RequestResponse as the invocation-type parameter value.
  aws lambda invoke --function-name CreateThumbnail \
    --invocation-type Event \
    --payload file://inputFile.txt outputfile.txt
  The cli-binary-format option is required if you are using AWS CLI version 2. You can also configure this option in your AWS CLI config file.
- Verify that the thumbnail is created in the target S3 bucket.
Step 8. Configure Amazon S3 to publish events
Complete the configuration so that Amazon S3 can publish object-created events to Lambda and invoke your Lambda function. In this step, you do the following:
- Add permissions to the function access policy to allow Amazon S3 to invoke the function.
- Add a notification configuration to your source S3 bucket. In the notification configuration, you provide the following:
  - The event type for which you want Amazon S3 to publish events. For this tutorial, specify the s3:ObjectCreated:* event type so that Amazon S3 publishes events when objects are created.
  - The function to invoke.
To add permissions to the function policy
- Run the following add-permission command to grant the Amazon S3 service principal (s3.amazonaws.com) permissions to perform the lambda:InvokeFunction action. Note that Amazon S3 is granted permission to invoke the function only if the following conditions are met:
  - An object-created event is detected on a specific S3 bucket.
  - The S3 bucket is owned by your AWS account. If you delete a bucket, it is possible for another AWS account to create a bucket with the same Amazon Resource Name (ARN).
  aws lambda add-permission --function-name CreateThumbnail --principal s3.amazonaws.com \
    --statement-id s3invoke --action "lambda:InvokeFunction" \
    --source-arn arn:aws:s3:::sourcebucket \
    --source-account account-id
- Verify the function's access policy by running the get-policy command.
  aws lambda get-policy --function-name CreateThumbnail
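One way to check the get-policy result against the two conditions listed above, as an added Python example that is not part of the original tutorial: it reports any statement that lets s3.amazonaws.com invoke the function without both the source bucket ARN and the owning account pinned. The function names, the function ARN and the sample outputs are constructed, and the output shape (a Policy field holding a JSON string, with ArnLike and StringEquals conditions) is an assumption about what get-policy returns for this grant.

```python
import json


def _condition(statement, operator, key):
    """Look up one condition value, ignoring letter case in operator and key."""
    for op, pairs in statement.get("Condition", {}).items():
        if op.lower() == operator.lower():
            for name, value in pairs.items():
                if name.lower() == key.lower():
                    return value
    return None


def audit_s3_invoke(get_policy_output, bucket, account_id):
    """Return findings for the S3 invoke grant; an empty list means it is scoped."""
    policy = json.loads(json.loads(get_policy_output)["Policy"])
    findings, grants = [], 0
    for st in policy.get("Statement", []):
        principal = st.get("Principal")
        service = principal.get("Service") if isinstance(principal, dict) else None
        if st.get("Effect") != "Allow" or service != "s3.amazonaws.com":
            continue
        grants += 1
        sid = st.get("Sid", "<no Sid>")
        if _condition(st, "ArnLike", "AWS:SourceArn") != f"arn:aws:s3:::{bucket}":
            findings.append(f"{sid}: SourceArn is not pinned to {bucket}")
        if _condition(st, "StringEquals", "AWS:SourceAccount") != account_id:
            findings.append(f"{sid}: SourceAccount is not pinned to {account_id}")
    if grants == 0:
        findings.append("no statement allows s3.amazonaws.com to invoke")
    return findings


def sample_output(condition):
    # Constructed stand-in for get-policy output (assumed shape, see lead-in).
    statement = {"Sid": "s3invoke", "Effect": "Allow",
                 "Principal": {"Service": "s3.amazonaws.com"},
                 "Action": "lambda:InvokeFunction",
                 "Resource": "arn:aws:lambda:us-west-2:123456789012:function:CreateThumbnail",
                 "Condition": condition}
    policy = {"Version": "2012-10-17", "Statement": [statement]}
    return json.dumps({"Policy": json.dumps(policy)})


SCOPED = sample_output({"StringEquals": {"AWS:SourceAccount": "123456789012"},
                        "ArnLike": {"AWS:SourceArn": "arn:aws:s3:::sourcebucket"}})
ARN_ONLY = sample_output({"ArnLike": {"AWS:SourceArn": "arn:aws:s3:::sourcebucket"}})

if __name__ == "__main__":
    print(audit_s3_invoke(SCOPED, "sourcebucket", "123456789012"))
    print(audit_s3_invoke(ARN_ONLY, "sourcebucket", "123456789012"))
```

A grant that pins only the bucket ARN is the case the second condition guards against: if the bucket is deleted and another account re-creates the name, the ARN still matches.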
To have Amazon S3 publish object-created events to Lambda, add a notification configuration on the source S3 bucket.
This procedure configures the S3 bucket to invoke your function every time that an object is created in the bucket. Be sure to configure this option only on the source bucket. Do not have your function create objects in the source bucket, or your function could cause itself to be invoked continuously in a loop.
To configure notifications
- Open the Amazon S3 console.
- Choose the name of the source S3 bucket.
- Choose the Properties tab.
- Under Event notifications, choose Create event notification to configure a notification with the following settings:
  - Event name – lambda-trigger
  - Event types – All object create events
  - Destination – Lambda function
  - Lambda function – CreateThumbnail
For more information on event configuration, see Enabling and configuring event notifications using the Amazon S3 console in the Amazon Simple Storage Service User Guide.
Step 9. Test using the S3 trigger
Test the setup as follows:
- Upload .jpg or .png objects to the source S3 bucket using the Amazon S3 console.
- Verify for each image object that a thumbnail is created in the target S3 bucket using the CreateThumbnail Lambda function.
- View logs in the CloudWatch console.
Step 10. Clean up your resources
You can now delete the resources that you created for this tutorial, unless you want to retain them. By deleting AWS resources that you're no longer using, you prevent unnecessary charges to your AWS account.
To delete the Lambda function
- Open the Functions page of the Lambda console.
- Select the function that you created.
- Choose Actions, then choose Delete.
- Choose Delete.
To delete the policy that you created
- Open the Policies page of the IAM console.
- Select the policy that you created (AWSLambdaS3Policy).
- Choose Policy actions, Delete.
- Choose Delete.
To delete the execution role
- Open the Roles page of the IAM console.
- Select the execution role that you created.
- Choose Delete role.
- Choose Yes, delete.
To delete the S3 bucket
- Open the Amazon S3 console.
- Select the bucket you created.
- Choose Delete.
- Enter the name of the bucket in the text box.
- Choose Confirm.