Amazon Web Services’ (AWS) Lambda provides a serverless architecture framework for your web applications. You deploy your application to Lambda, attach an API Gateway and then call your new service from anywhere on the web. Amazon takes care of all the tedious, boring and necessary housekeeping.
In this HOWTO I show you how to create a proxy in front of the AWS Elasticsearch service using a Lambda function and an API Gateway. We use Identity and Access Management (IAM) policies to sign and encrypt the communication between your Lambda function and the Elasticsearch service. This HOWTO serves as a simple starting point. Once you successfully jump through the hoops to connect Lambda to Elasticsearch, you can easily grow your application to accommodate new features and services.
The agenda for this HOWTO follows:
- Deploy and configure an AWS Elasticsearch endpoint
- Configure your Chalice development environment
- Create an app that proxies/ protects your Elasticsearch endpoint
- Configure an IAM policy for your Lambda function
- Use Chalice to deploy your Lambda function and create/ attach an API gateway
- Test drive your new Lambda function
1. Deploy an AWS Elasticsearch Instance
Amazon makes Elasticsearch deployment a snap. Just click the Elasticsearch Service icon on your management screen:
If you see the “Get Started” screen, click “Get Started.”
Or, if you’ve used the Elasticsearch service before and see the option for “New Domain,” click “New Domain.”
Name your domain “test-domain” (Or whatever).
Keep the defaults on the next screen “Step 2: Configure Cluster.” Just click “next.” On the next screen, select: “Allow or deny access to one or more AWS accounts or IAM users”.
Amazon makes security easy as well. On the next menu they list your ARN. Just copy and paste it into the text field and hit “next.”
AWS generates the JSON for your Elasticsearch service:
Click “Next” and then “confirm and create.”
Expect about ten (10) minutes for the service to initiate. While you wait for the service to deploy, you should set up your Chalice development environment.
2. Configure your Chalice development environment
As a convenience, I summarize the instructions from the authoritative Chalice HOWTO here.
First, create a Python virtual environment for a development
Change directories to your new sandbox and then activate the virtual environment.
Now upgrade pip.
Finally, install Chalice.
The quickstart is pretty clear about how to configure credentials. Here are their instructions verbatim…
Before you can deploy an application, be sure you have credentials configured. If you have previously configured your machine to run boto3 (the AWS SDK for Python) or the AWS CLI then you can skip this section.
If this is your first time configuring credentials for AWS you can follow these steps to quickly get started:$ mkdir ~/.aws $ cat >> ~/.aws/config [default] aws_access_key_id=YOUR_ACCESS_KEY_HERE aws_secret_access_key=YOUR_SECRET_ACCESS_KEY region=YOUR_REGION (such as us-west-2, us-west-1, etc)
If you want more information on all the supported methods for configuring credentials, see the boto3 docs.
From the chalice-demo directory, create a new Chalice project.
You have set up your development environment.
3. Create an app that proxies/ protects your Elasticsearch endpoint
At this point, your Elasticsearch endpoint should be up and running. Copy the fully qualified domain name (FQDN) for your new endpoint. You will copy this FQDN into the application below.
The following application uses the boto library to access an authorized IAM role to sign and encrypt calls to your Elasticsearch endpoint. Be sure to configure the host parameter with your Endpoint address.
Change directories to the new eslambda project. You will see two automatically created documents: app.py and requirements.txt
Overwrite app.py with the app.py code above. Then, pip install boto. Use the pip freeze | grep boto command to populate requirements.txt with the proper version of boto. requirements.txt tells Lambda which Python packages to install.
4. Configure an IAM policy for your Lambda function
Create a document called policy.json in the hidden .chalice directory and add the following JSON. This will let Lambda use the Elasticsearch service.
5. Use Chalice to deploy your Lambda function and create/ attach an API gateway
Cross your fingers, this should work. Deploy your Chalice application with the following command. Take note of the endpoint that Chalice returns.
6. Test drive your new Lambda function
Enter the URL of the service endpoint in your browser. In my case, I will go to https://keqpeva3wi.execute-api.us-east-1.amazonaws.com/dev/
Yes. For some reason the steps on the Chalice quick start does not seem to work. If you take a look at policy.json you’ll see that Chalice over-wrote it.
Chalice created a policy to allow our Lambda function to log. Let’s keep that action and add the Elasticsearch verbs. Edit .chalice/policy.json once more, this time using the enriched JSON encoded policy.
Redeploy again, this time turn off the auto policy generation.
It may take a few minutes for the new Lambda function to bake in. Be sure to hit Control+F5 to make sure you’re not hitting a cached version of your new application. Alternatively, you can pip install httpie.
From the command line, use httpie to access your new proxy.
Congratulations! Your Lambda function can hit your Elasticsearch service!