Running the AWS CLI Commands in an AWS Lambda Function

Figure showing icons of a Lambda function and a generic CLI tool.

Last updated: June 14, 2019

The AWS Command Line Interface (CLI) is not pre-installed in the AWS Lambda execution environment.

Compared to the AWS SDK, the AWS CLI simplifies the usage of some AWS services. Depending on your use case, you may want to use the AWS CLI in your Lambda function.

This blog post describes how to include the AWS CLI into the deployment package of your Lambda function and how to run the AWS CLI commands from this Lambda function.

How to Include the AWS CLI into the Deployment Package of a Lambda Function

  • This procedure applies to all AWS Lambda runtimes except the Node.js 10.x runtime.
    The Node.js 10.x runtime runs on Amazon Linux release 2 (Karoo) and does not have Python pre-installed.

The AWS CLI requires Python 2.6.5 or higher.

Python 3.6 is pre-installed in Python 3.6 runtime.
Python 3.7 is pre-installed in Python 3.7 runtime.
Python 2.7 is pre-installed in the AWS Lambda execution environment in all runtimes except the Node.js 10.x runtime. That means you can run the AWS CLI commands from your Lambda function authored in any runtime except the Node.js 10.x runtime. All you need is to include the AWS CLI into the deployment package of this Lambda function.

For additional information about the AWS Lambda supported runtimes, see Exploring the AWS Lambda Execution Environment.

In the following procedure, you create an isolated Python environment using virtualenv tool. Then, you install the AWS CLI in this environment, and, finally, include all necessary libraries and dependencies from the virtual environment into the deployment package of your Lambda function.

  1. Ensure that the latest version of virtualenv tool is installed on your system.
  2. Create a new isolated Python environment in your current working directory.
    • If your Lambda function is authored in Python 3.6 or Python 3.7, execute the following command:
      virtualenv --python=python3 virtualenv-awscli
      
    • If your Lambda function is not authored in Python 3.6 or Python 3.7, then Python 2.7 will be available in the AWS Lambda execution environment of this Lambda function. In this case, execute the following command:
      virtualenv --python=python2.7 virtualenv-awscli
      
      A new directory tree is created.
  3. Activate the virtual environment.
    source virtualenv-awscli/bin/activate
    
    The name of the activated virtual environment (virtualenv-awscli) appears on the left side of the command prompt.
  4. Install the AWS CLI and its dependencies in the Python virtual environment.
    pip install awscli
    
  5. Adjust the first (shebang) line of aws script located in the bin directory of your virtual environment to use the system-wide Python interpreter. Then, add the adjusted script to the deployment package ~/lambda.zip of your Lambda function.
    cd $VIRTUAL_ENV/bin
    sed -i '1 s/^.*$/#!\/usr\/bin\/env python/' aws
    zip ~/lambda.zip aws
    
  6. Add the contents of lib and lib64 site-packages and dist-packages directories to the deployment package of your Lambda function.
    for d in 'lib' 'lib64'; do
        for p in 'site-packages' 'dist-packages'; do
            cd $VIRTUAL_ENV/$d/python*/$p 2>/dev/null && zip -r -g ~/lambda.zip .;
        done;
    done 
    
  7. Deactivate the Python virtual environment.
    deactivate
    
  8. Add your code and other dependencies to the deployment package ~/lambda.zip of your Lambda function.
  9. In the IAM role of your Lambda function, grant permissions for the actions that you want to perform using the AWS CLI.

Appendix A, How to Run the AWS CLI Commands in a Lambda Function (Python)

The following code snippet shows how, for example, you can get your AWS Account ID in your Lambda function using the AWS CLI. To use this code snippet, you must include the AWS CLI into the deployment package of your Lambda function.

# CloudBriefly.com

from __future__ import print_function
import subprocess

def lambda_handler(event, context):
    print(subprocess.check_output(
        '/var/task/aws sts get-caller-identity --output text --query Account',
        stderr=subprocess.STDOUT,
        shell=True))