i have a month developing alexa skills and want to create then via Cloudformation. And for that i am using this:
Lambda function
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Lambda Function from Cloud Formation by Felix Vazquez",
"Resources": {
"Lambda1": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": "felix-lambda-code",
"S3Key": "hello_lambda.zip"
},
"Description": "Test with Cloud Formation",
"FunctionName": "Felix-hello-world1234",
"Handler": "lambda_function.lambda_handler",
"Role": "arn:aws:iam::776831754616:role/testRol",
"Runtime": "python2.7"
}
}
}
}
Alexa Skill
"Resources": {
"23LT3": {
"Type": "Alexa::ASK::Skill",
"Properties": {
"AuthenticationConfiguration": {
"ClientId": "+my client ID+",
"ClientSecret": "+my client Secret+",
"RefreshToken": "+The token i generate via lwa+"
},
"VendorId": "+my vendor ID+",
"SkillPackage": {
"S3Bucket": "myskillpackagebucket",
"S3Key": "my_function10.zip",
"S3BucketRole": {
"Fn::GetAtt": [
"IAMRU6TJ",
"Arn"
]
},
"Overrides": {
"Manifest": {
"apis": {
"custom": {
"endpoint": {
"uri": {
"Fn::GetAtt": [
"Lambda1",
"Arn"
]
}}}}}}}}
IAM Role
{
"Resources": {
"IAMRU6TJ": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"s3.amazonaws.com",
"lambda.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"Policies": [
{
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}]}}]}}}}
The skill depends on the lambda and the IAM Role. When i "Create the Stack" after some seconds it gives me this error:
Could not assume the provided role. Reason: Access denied (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: b2e8762c-2593-11e9-b3ec-872599411915)
For the Token i use
ask util generate-lwa-tokens --scope "alexa::ask:skills:readwrite alexa::ask:models:readwrite profile”
image of the events:
your Alexa::ASK::Skill Resource: 23LT3['Properties']['SkillPackage']['S3BucketRole']
The docs say ARN of the role that grants the Alexa service permission to access the bucket and retrieve the skill package. This role is optional, and if not provided the bucket must be configured with a policy allowing this access, or be publicly accessible, in order for AWS CloudFormation to create the skill.
currently your role is allowing s3.amazonaws.com and lambda.amazonaws.com to Assume a role that can do anything in your AWS account, however you need to allow "The Alexa Service the permission..."
Best Practice would be to use least privilege necessary, but I get it if you are just testing it out.
