Deploy UsersListHandler Lambda function

Now we will deploy another Lambda function: the UsersListHandler.

Add function code for Lambda function

  • Copy the source code of our Lambda functions from this link, and extract it to the root of your CDK app repo.

    Your repo should look like this:

    [Screenshot: repo layout]

Add CDK code for Lambda function

  • In the CDK stack file (cdk-workshop-stack.ts), inside the constructor and below the code for HelloHandler, add the following code:

    const usersList = new Function(this, "UsersListHandler", {
      runtime: Runtime.PYTHON_3_13,
      code: Code.fromAsset("lambda/users/list"),
      handler: "lambda_function.lambda_handler",
    });
    

    The code should look like this:

    [Screenshot: CDK stack code]

[Optional] Run cdk diff to check the difference of your CDK stack

  • Run cdk diff to see the difference between your local stack and the deployed stack.


Run cdk deploy to deploy your CDK stack with the Lambda function

  • Run cdk deploy to deploy the local stack into your AWS account.


  • Type in y and press Enter to confirm.

  • You should see something like this:

    [Screenshot: cdk deploy output]

Verify the Lambda function is deployed and test it

  • Go to the CloudFormation console and open CdkWorkshopStack; in the Resources tab, you will see your UsersListHandler.

  • Click the Physical ID of the UsersListHandlerXXXXXXX resource to go to the details of your UsersListHandler Lambda function.


  • Open the Test tab, click Test to invoke your Lambda function.


  • Click Details to see the details of the execution.

    Although the function execution succeeded, the status code in the response is 500.

    The full response is:

    {
      "statusCode": 500,
      "headers": {
        "Content-Type": "application/json",
        "Access-Control-Allow-Origin": "*"
      },
      "body": "{\"error\": \"An error occurred (AccessDeniedException) when calling the Scan operation: User: arn:aws:sts::924932512913:assumed-role/CdkWorkshopStack-UsersListHandlerServiceRole364F720-3mtpfexadETu/CdkWorkshopStack-UsersListHandler873A31F9-rzGpbFUQ6Ma1 is not authorized to perform: dynamodb:Scan on resource: arn:aws:dynamodb:ap-southeast-1:924932512913:table/UsersTable because no identity-based policy allows the dynamodb:Scan action\"}"
    }
    

    Let’s look at the error in the body:

    • An error occurred (AccessDeniedException) when calling the Scan operation:
    • User: arn:aws:sts::924932512913:assumed-role/CdkWorkshopStack-UsersListHandlerServiceRole364F720-3mtpfexadETu/CdkWorkshopStack-UsersListHandler873A31F9-rzGpbFUQ6Ma1
    • is not authorized to perform: dynamodb:Scan
    • on resource: arn:aws:dynamodb:ap-southeast-1:924932512913:table/UsersTable
    • because no identity-based policy allows the dynamodb:Scan action

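According to the error, the Lambda function doesn’t have permission to interact with the DynamoDB table. But in fact, it’s because we don’t have a DynamoDB table yet: IAM authorization is evaluated before DynamoDB looks up the table, so the call is denied with AccessDeniedException even though UsersTable does not exist.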
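The same breakdown of the error message can be done in code. This is an added example, not part of the workshop's source: it parses the response body and builds the narrowest IAM statement that would allow the denied call. The function names, the regular expression, and the sample values (placeholder account ID, shortened role and session names) are assumptions based on the message format shown above.

```python
import json
import re

# Pattern for the AccessDeniedException text shown in the response body above.
# Assumption: the message keeps the "User: ... is not authorized to perform:
# ... on resource: ... because ..." layout.
DENIED = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[\w-]+:\w+) on resource: (?P<resource>\S+)"
    r"(?: because (?P<reason>.+))?$"
)


def parse_access_denied(response):
    """Return principal, action, resource and reason from a Lambda response."""
    error = json.loads(response["body"])["error"]
    match = DENIED.search(error)
    if match is None:
        raise ValueError("not an AccessDeniedException message")
    return match.groupdict()


def least_privilege_statement(denied):
    """Build an IAM statement allowing only the denied action on that resource."""
    return {
        "Effect": "Allow",
        "Action": [denied["action"]],
        "Resource": [denied["resource"]],
    }


# Constructed sample: same shape as the response above, with a placeholder
# account ID and shortened role/session names.
SAMPLE = {
    "statusCode": 500,
    "body": json.dumps({"error": (
        "An error occurred (AccessDeniedException) when calling the Scan "
        "operation: User: arn:aws:sts::111122223333:assumed-role/"
        "ExampleRole/ExampleFunction is not authorized to perform: "
        "dynamodb:Scan on resource: arn:aws:dynamodb:ap-southeast-1:"
        "111122223333:table/UsersTable because no identity-based policy "
        "allows the dynamodb:Scan action"
    )}),
}

if __name__ == "__main__":
    denied = parse_access_denied(SAMPLE)
    print(json.dumps(least_privilege_statement(denied), indent=2))
```

The resulting statement allows one action on one table ARN, which is the scope to compare against whatever policy is eventually attached to the function's role.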

In the next step, we will use CDK to deploy a DynamoDB table.