https://dev.classmethod.jp/articles/s3-object-lambda/
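# 1. Install tooling on the client EC2 instance
# 1.1 AWS CLI v2.
#     -f makes curl fail on an HTTP error instead of saving the error page as
#     the zip; the detached signature is fetched and checked before anything is
#     run under sudo. gpg --verify needs the AWS CLI public key imported first
#     (key and fingerprint are listed in the AWS CLI install guide).
curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o awscliv2.zip
curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sig" -o awscliv2.sig
gpg --verify awscliv2.sig awscliv2.zip \
  || { printf 'awscliv2.zip signature check failed; not installing\n' >&2; exit 1; }
unzip -q -o awscliv2.zip
sudo ./aws/install
aws --version
# 1.2 Python 3.8 on Amazon Linux 2 via amazon-linux-extras
amazon-linux-extras list | grep python
sudo amazon-linux-extras install -y python3.8
python3.8 -V
# 1.3 jq, used below to pick fields out of the CLI's JSON output
sudo yum -y install jq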
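# 2. Create the S3 bucket.
#    Bucket names are global, so replace bucket123 with a name of your own.
#    The region is pinned: the access point and Object Lambda ARNs used later
#    are hard-coded to ap-northeast-1, and access points must be created in the
#    bucket's region, so the bucket has to live there too.
aws s3 mb s3://bucket123 --region ap-northeast-1
aws s3 ls
# 3. Upload a small test object
printf 'test01\n' > test01.txt
aws s3 cp test01.txt s3://bucket123
aws s3 ls s3://bucket123 --recursive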
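# 4. Build a Lambda layer carrying boto3.
#    The handler calls write_get_object_response, a relatively recent S3 API;
#    the boto3 bundled with the Lambda runtime may predate it, so the layer
#    ships its own copy. For a reproducible, supply-chain-safe build pin the
#    version (boto3==X.Y.Z) or install from a requirements file with
#    --require-hashes instead of taking whatever PyPI serves today.
region=ap-northeast-1
mkdir -p python
pip3.8 install --no-cache-dir -t ./python boto3
# zip -r appends to an existing archive, so remove any stale one first.
rm -f boto3.zip
zip -qr boto3.zip python
aws lambda list-layers --region "$region"
# python3.6 and python3.7 are deprecated Lambda runtimes and the function below
# uses python3.8, so only that runtime is declared compatible.
layer_version_arn=$(aws lambda publish-layer-version \
  --region "$region" \
  --layer-name ll01 \
  --description ll01 \
  --compatible-architectures "x86_64" \
  --compatible-runtimes python3.8 \
  --zip-file fileb://boto3.zip \
  --query LayerVersionArn --output text)
printf 'published layer version: %s\n' "$layer_version_arn"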
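# 5. Execution role for the Lambda function.
#    The trust policy lets only the Lambda service assume the role. The
#    aws:SourceAccount condition narrows that to functions in this account,
#    the confused-deputy hardening recommended in the Lambda execution-role
#    documentation. Written with a heredoc so the step is reproducible.
account_id=$(aws sts get-caller-identity --query Account --output text)
cat > role01.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "${account_id}"
        }
      }
    }
  ]
}
EOF
aws iam create-role \
  --role-name role01 \
  --assume-role-policy-document file://role01.json
# 6. Attach the AWS-managed policy for Object Lambda functions. It grants
#    s3-object-lambda:WriteGetObjectResponse (review the policy document for
#    the exact statements). That is all this handler needs: it never fetches
#    the original object, so no s3:GetObject permission is attached.
aws iam attach-role-policy \
  --policy-arn arn:aws:iam::aws:policy/service-role/AmazonS3ObjectLambdaExecutionRolePolicy \
  --role-name role01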
# 7. Create the Lambda function: put the handler source below into test.py
vim test.py
import boto3
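def lambda_handler(event, context, s3_client=None):
    """S3 Object Lambda handler that refuses every GetObject with HTTP 403.

    The tutorial uses it to show that the error code and message the client
    sees come from the function. The original object is never fetched: the
    presigned ``inputS3Url`` carried in the event is not used, which is also
    why the execution role needs no ``s3:GetObject`` permission.

    Args:
        event: S3 Object Lambda event. Only ``event["getObjectContext"]``
            (``outputRoute`` and ``outputToken``) is read.
        context: Lambda context object (unused).
        s3_client: optional pre-built S3 client, mainly for tests. Defaults
            to ``boto3.client("s3")`` created per invocation, as before.

    Returns:
        ``{"status_code": 200}`` after the 403 has been handed to S3 Object
        Lambda through ``write_get_object_response``.

    Raises:
        KeyError: if ``getObjectContext``, ``outputRoute`` or ``outputToken``
            is missing from the event.
    """
    get_context = event["getObjectContext"]
    route = get_context["outputRoute"]
    token = get_context["outputToken"]
    client = s3_client if s3_client is not None else boto3.client("s3")
    # The response the caller receives is delivered through this call; the
    # dict returned below is only the function's own result.
    client.write_get_object_response(
        RequestRoute=route,
        RequestToken=token,
        StatusCode=403,
        ErrorCode="ErrorCodeFromOLAP",
        ErrorMessage="ErrorMessage from OLAP",
    )
    return {"status_code": 200}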
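# Package and create the function.
# The runtime imports test.py; it needs no execute bit, so the chmod is gone.
# zip appends to an existing archive, so start from a clean one.
rm -f test.zip
zip -q test.zip test.py
region=ap-northeast-1
# Resolve the role and layer ARNs from the account instead of hard-coding an
# account id and a layer version number.
role_arn=$(aws iam get-role --role-name role01 --query Role.Arn --output text)
layer_version_arn=$(aws lambda list-layer-versions --region "$region" --layer-name ll01 \
  | jq -r '.LayerVersions | max_by(.Version) | .LayerVersionArn')
# A freshly created IAM role can take a few seconds to become assumable by
# Lambda; if create-function reports that the role cannot be assumed, retry.
aws lambda create-function \
  --region "$region" \
  --function-name test \
  --zip-file fileb://test.zip \
  --role "$role_arn" \
  --handler test.lambda_handler \
  --runtime python3.8 \
  --timeout 60 \
  --layers "$layer_version_arn"
aws lambda list-functions --region "$region"
# .Functions is an array, so iterate it before picking .FunctionName
# (the original '.Functions | [ .FunctionName ]' errors in jq).
aws lambda list-functions --region "$region" | jq -c '.Functions[] | [ .FunctionName ]'
aws lambda get-function --region "$region" --function-name test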
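# 8. Supporting S3 access point for the bucket.
account_id=$(aws sts get-caller-identity --query Account --output text)
region=ap-northeast-1
aws s3control list-access-points --region "$region" --account-id "$account_id"
aws s3control create-access-point \
  --region "$region" \
  --account-id "$account_id" \
  --name bucket123-ap \
  --bucket bucket123
# NOTE: as steps 10.2 and 10.3 show, the bucket and this access point stay
# directly readable, so the Lambda transform is not enforced for anyone who
# can reach them. To force reads through the Object Lambda access point,
# restrict the bucket policy to access-point traffic (s3:DataAccessPointAccount
# / s3:DataAccessPointArn conditions) and limit this access point's policy to
# calls made via s3-object-lambda.amazonaws.com (aws:CalledVia); see the
# S3 Object Lambda security documentation.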
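# 9. Object Lambda access point in front of the supporting access point.
account_id=$(aws sts get-caller-identity --query Account --output text)
region=ap-northeast-1
aws s3control list-access-points-for-object-lambda --region "$region" --account-id "$account_id"
# Fix: the original file had '"AllowedFeatures": ,', which is invalid JSON and
# makes the CLI reject the configuration. The key is optional and is omitted
# here; add e.g. "AllowedFeatures": ["GetObject-Range"] if Range requests
# should be passed through to the function.
cat > a.json <<EOF
{
  "SupportingAccessPoint": "arn:aws:s3:${region}:${account_id}:accesspoint/bucket123-ap",
  "CloudWatchMetricsEnabled": false,
  "TransformationConfigurations": [
    {
      "Actions": [
        "GetObject"
      ],
      "ContentTransformation": {
        "AwsLambda": {
          "FunctionArn": "arn:aws:lambda:${region}:${account_id}:function:test",
          "FunctionPayload": ""
        }
      }
    }
  ]
}
EOF
# The identity that later reads through this access point also needs
# lambda:InvokeFunction on the function above.
aws s3control create-access-point-for-object-lambda \
  --region "$region" \
  --account-id "$account_id" \
  --name bucket123-olap \
  --configuration file://a.json
aws s3control get-access-point-configuration-for-object-lambda \
  --region "$region" \
  --account-id "$account_id" \
  --name bucket123-olap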
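# 10. Verify
account_id=$(aws sts get-caller-identity --query Account --output text)
region=ap-northeast-1
# 10.1 Through the Object Lambda access point: the function answers every
#      GetObject with 403, so this call is expected to fail (non-zero exit) and
#      the error output contains the ErrorCode/ErrorMessage set in the handler.
aws s3api get-object \
  --bucket "arn:aws:s3-object-lambda:${region}:${account_id}:accesspoint/bucket123-olap" \
  --key test01.txt \
  test01_olap.txt
# 10.2 Through the supporting access point: succeeds; the transform is bypassed.
aws s3api get-object \
  --bucket "arn:aws:s3:${region}:${account_id}:accesspoint/bucket123-ap" \
  --key test01.txt \
  test01_ap.txt
# 10.3 Directly against the bucket: succeeds as well. Only the Object Lambda
#      access point enforces the function, unless bucket/access-point policies
#      are tightened to route all reads through it.
aws s3api get-object \
  --bucket bucket123 \
  --key test01.txt \
  test01_direct.txt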
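# 11. Clean up, in reverse order of creation
account_id=$(aws sts get-caller-identity --query Account --output text)
region=ap-northeast-1
# Object Lambda access point
aws s3control list-access-points-for-object-lambda --region "$region" --account-id "$account_id"
aws s3control delete-access-point-for-object-lambda \
  --region "$region" \
  --account-id "$account_id" \
  --name bucket123-olap
# Supporting access point
aws s3control list-access-points --region "$region" --account-id "$account_id"
aws s3control delete-access-point \
  --region "$region" \
  --account-id "$account_id" \
  --name bucket123-ap
# Lambda function
aws lambda list-functions --region "$region" | jq -c '.Functions[] | [ .FunctionName ]'
aws lambda delete-function --region "$region" --function-name test
# Role: attached managed policies must be detached before deletion succeeds
aws iam list-roles | grep role01
aws iam detach-role-policy \
  --role-name role01 \
  --policy-arn arn:aws:iam::aws:policy/service-role/AmazonS3ObjectLambdaExecutionRolePolicy
aws iam delete-role --role-name role01
# Layer: delete every published version rather than a hard-coded number
aws lambda list-layers --region "$region"
aws lambda list-layer-versions --region "$region" --layer-name ll01 \
    --query 'LayerVersions[].Version' --output text \
  | tr '\t' '\n' \
  | while IFS= read -r version; do
      [ -n "$version" ] || continue
      aws lambda delete-layer-version \
        --region "$region" \
        --layer-name ll01 \
        --version-number "$version"
    done
# Bucket: --force deletes every object first and is irreversible
aws s3 rb s3://bucket123 --force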