New serverless pattern - lambda-durable-bedrock-cdk#3053
NithinChandranR-AWS wants to merge 3 commits into aws-samples:main from
Conversation
- Fix Bedrock model ID default (add -v1:0 suffix for inference profile)
- Fix DurableExecution → DurableConfig with ExecutionTimeout
- Override runtime to nodejs24.x (required for durable functions)
- Remove logRetention to avoid circular dependency with CfnVersion
- Use wildcard resource for durable execution IAM permissions

Tested: CDK synth verified, deployed to AWS account
| fn.addToRolePolicy( | ||
| new iam.PolicyStatement({ | ||
| actions: ["bedrock:InvokeModel"], | ||
| resources: ["*"], |
This is too permissive. Can you make it as restrictive as possible to support this use case? Please try out different variations and use what is feasible.
For example,

```typescript
fn.addToRolePolicy(
  new iam.PolicyStatement({
    actions: ["bedrock:InvokeModel"],
    resources: [
      `arn:aws:bedrock:${this.region}:${this.account}:inference-profile/${modelId.valueAsString}`,
      `arn:aws:bedrock:*::foundation-model/*`,
    ],
  })
);
```
Scoped it down to the specific inference profile ARN and foundation-model/*. The double colon (empty account) is needed because cross-region inference profiles resolve to foundation models in service-owned accounts. Fixed in 7a68a28.
| "lambda:CheckpointDurableExecution", | ||
| "lambda:GetDurableExecutionState", | ||
| ], | ||
| resources: ["*"], |
This is too permissive. Can you make it as restrictive as possible to support this use case? Please try out different variations and use what is feasible.
For example:

```typescript
fn.addToRolePolicy(
  new iam.PolicyStatement({
    actions: [
      "lambda:CheckpointDurableExecution",
      "lambda:GetDurableExecutionState",
    ],
    resources: [fn.functionArn, `${fn.functionArn}:*`],
  })
);
```
Replaced the inline policy with the AWSLambdaBasicDurableExecutionRolePolicy managed policy, which covers both lambda:CheckpointDurableExecution and lambda:GetDurableExecutionState. Fixed in 7a68a28.
|
|
||
| // Durable execution permissions (wildcard to avoid circular dep) | ||
| fn.addToRolePolicy( | ||
| new iam.PolicyStatement({ |
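Review bot: the comment on this statement justifies `resources: ["*"]` with a circular dependency but does not say which references form the cycle; since the wildcard trades IAM scope for a build workaround, name the two resources involved in the comment so that a later change (for example the managed-policy approach proposed in the thread) can be checked against the actual cycle rather than against the comment.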
Instead of adding an inline policy to the role, can you try the AWS managed policy AWSLambdaBasicDurableExecutionRolePolicy?
Policy definition: https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSLambdaBasicDurableExecutionRolePolicy.html
Example of how to use this policy: https://docs.aws.amazon.com/lambda/latest/dg/durable-getting-started-iac.html
Done — switched to AWSLambdaBasicDurableExecutionRolePolicy managed policy via fn.role.addManagedPolicy(). This also covers CloudWatch Logs, complementing the default AWSLambdaBasicExecutionRole. Fixed in 7a68a28.
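Added example for the IAM discussion above (the Bedrock wildcard and the durable execution wildcard); it is not code from the PR or from the serverless-patterns project. It runs a least-privilege check over IAM statements in the shape `cdk synth` emits, flagging a `*` resource on the three actions named in the thread, and includes a builder for the scoped Bedrock statement the reviewer suggested. The function and type names are this example's own, the statement shapes are constructed from the snippets in the thread, and the region, account and model ID in the sample are placeholders.

```typescript
// Added example, not code from the PR or the serverless-patterns repository.
// Checks IAM statements (as emitted by `cdk synth`) for a wildcard resource on
// actions that support resource-level permissions, and builds the scoped
// Bedrock statement suggested in the review.

export type StringOrList = string | string[];

export interface IamStatement {
  Effect: "Allow" | "Deny";
  Action: StringOrList;
  Resource: StringOrList;
}

export interface Finding {
  action: string;
  resource: string;
  reason: string;
}

// Actions from the PR that support resource-level permissions, so a "*"
// resource grants more than the use case needs. Actions not listed here are
// skipped rather than guessed at.
const RESOURCE_SCOPED_ACTIONS = new Set<string>([
  "bedrock:InvokeModel",
  "lambda:CheckpointDurableExecution",
  "lambda:GetDurableExecutionState",
]);

function asList(value: StringOrList): string[] {
  return Array.isArray(value) ? value : [value];
}

// A resource is unscoped when it is the bare "*" or an ARN whose resource
// segment (everything after the fifth colon) is just "*". An ARN such as
// arn:aws:bedrock:*::foundation-model/* is accepted: its service and resource
// type are fixed, and the empty account field is how service-owned foundation
// models are addressed (see the author's note in the thread).
function isUnscoped(resource: string): boolean {
  if (resource === "*") return true;
  const parts = resource.split(":");
  if (parts.length < 6) return false; // not an ARN; leave it to a human
  return parts.slice(5).join(":") === "*";
}

export function findUnscopedStatements(statements: IamStatement[]): Finding[] {
  const findings: Finding[] = [];
  for (const statement of statements) {
    if (statement.Effect !== "Allow") continue;
    for (const action of asList(statement.Action)) {
      if (!RESOURCE_SCOPED_ACTIONS.has(action)) continue;
      for (const resource of asList(statement.Resource)) {
        if (isUnscoped(resource)) {
          findings.push({ action, resource, reason: "wildcard resource on a resource-scoped action" });
        }
      }
    }
  }
  return findings;
}

// The scoped statement from the review suggestion: the inference profile in the
// stack's own account plus the foundation models it routes to.
export function scopedBedrockInvokeStatement(region: string, account: string, modelId: string): IamStatement {
  return {
    Effect: "Allow",
    Action: ["bedrock:InvokeModel"],
    Resource: [
      `arn:aws:bedrock:${region}:${account}:inference-profile/${modelId}`,
      "arn:aws:bedrock:*::foundation-model/*",
    ],
  };
}

// Constructed sample: the two wildcard statements from the first revision of
// the PR, and the scoped Bedrock statement that replaced one of them. The
// region, account and model ID are placeholders, not values from the PR.
export const BEFORE_STATEMENTS: IamStatement[] = [
  { Effect: "Allow", Action: ["bedrock:InvokeModel"], Resource: ["*"] },
  {
    Effect: "Allow",
    Action: ["lambda:CheckpointDurableExecution", "lambda:GetDurableExecutionState"],
    Resource: ["*"],
  },
];

export const AFTER_STATEMENTS: IamStatement[] = [
  scopedBedrockInvokeStatement("us-east-1", "123456789012", "example.model-id-v1:0"),
];

console.log(findUnscopedStatements(BEFORE_STATEMENTS)); // three findings
console.log(findUnscopedStatements(AFTER_STATEMENTS)); // []
```

Run it against the `Statement` arrays of the `AWS::IAM::Policy` resources in the synthesized template; the durable execution statement is expected to disappear once the managed policy replaces it, so the only statements left to check are the ones the stack adds itself.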
|
|
||
| ## Testing | ||
|
|
||
| 1. Invoke the durable function (use the published version from the output): |
Please be specific that the user needs to replace <FunctionName> with the value from the deploy output.
Updated — testing instructions now explicitly say to replace <FunctionName> and <FunctionVersion> with the values from the deploy output, with a concrete example. Fixed in 7a68a28.
| output.json | ||
| ``` | ||
|
|
||
| 2. Since the function includes a wait, the initial invocation returns quickly. Check the durable execution status: |
Please be specific that the user needs to replace <FunctionName> with the value from the deploy output.
Same fix as above — both invoke and status-check commands now reference the deploy output values with examples. Fixed in 7a68a28.
| @@ -0,0 +1,61 @@ | |||
| { | |||
| "title": "Lambda Durable Functions with Amazon Bedrock", | |||
| "description": "Use AWS Lambda durable functions to orchestrate a multi-step AI content pipeline with Amazon Bedrock, featuring automatic checkpointing and failure recovery.", | |||
The description needs to be 150 char or less.
| @@ -0,0 +1,61 @@ | |||
| { | |||
| "title": "Lambda Durable Functions with Amazon Bedrock", | |||
AWS Lambda durable functions with Amazon Bedrock
| @@ -0,0 +1,97 @@ | |||
| # Lambda Durable Functions with Amazon Bedrock | |||
AWS Lambda durable functions with Amazon Bedrock
| --cli-binary-format raw-in-base64-out \ | ||
| output.json | ||
| ``` | ||
|
|
I tried this:

```shell
aws lambda invoke \
  --function-name LambdaDurableBedrockStack-DurableBedrockFn3CE0D50D-FF9phCg6tiT9 \
  --qualifier 1 \
  --payload '{"topic": "Serverless AI workflows with Lambda durable functions"}' \
  --cli-binary-format raw-in-base64-out \
  output.json
```

got this error:

```
aws: [ERROR]: An error occurred (ResourceNotFoundException) when calling the Invoke operation: Function not found: arn:aws:lambda:us-east-1:123456789012:function:LambdaDurableBedrockStack-DurableBedrockFn3CE0D50D-FF9phCg6tiT9:1
Additional error details:
Type: User
```

Then I tried this:

```shell
aws lambda invoke \
  --function-name arn:aws:cloudformation:us-east-1:123456789012:stack/LambdaDurableBedrockStack/703aed20-3d3f-11f1-8f52-0affe2f2e12f \
  --qualifier 1 \
  --payload '{"topic": "Serverless AI workflows with Lambda durable functions"}' \
  --cli-binary-format raw-in-base64-out \
  output.json
```

Got this error:

```
aws: [ERROR]: An error occurred (ValidationException) when calling the Invoke operation: 1 validation error detected: Value 'arn:aws:cloudformation:us-east-1:123456789012:stack/LambdaDurableBedrockStack/703aed20-3d3f-11f1-8f52-0affe2f2e12f' at 'functionName' failed to satisfy constraint: Member must satisfy regular expression pattern: (arn:(aws[a-zA-Z-]*)?:lambda:)?((eusc-)?[a-z]{2}((-gov)|(-iso([a-z]?)))?-[a-z]+-\d{1}:)?(\d{12}:)?(function:)?([a-zA-Z0-9-_\.]+)(:(\$LATEST(\.PUBLISHED)?|[a-zA-Z0-9-_]+))?
zsh: command not found: --qualifier
```

Please provide clearer instructions for testing.
Fixed -- the stack now publishes a Lambda version (CfnVersion) and exports FunctionVersion in outputs. README rewritten with explicit instructions to use FunctionName and FunctionVersion from cdk deploy output. Fixed in 7a68a28.
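Added example for the testing thread above; it is not code from the PR or from the pattern's README. It reads the outputs file that `cdk deploy --outputs-file` writes, validates `FunctionName` against the pattern Lambda returned in the ValidationException the reviewer quoted, and only then assembles the `aws lambda invoke` arguments, so a stack ARN or an unpublished version is caught before the CLI is called. `readStackOutputs` and `buildInvokeArgs` are this example's own helpers; the sample outputs JSON is constructed from names that appear in the thread.

```typescript
// Added example, not code from the PR or the pattern's README. Pre-flight check
// for the README's testing step: take FunctionName and FunctionVersion from the
// `cdk deploy --outputs-file` JSON, validate them, and build the invoke argv.

export interface StackOutputs {
  FunctionName: string;
  FunctionVersion: string;
}

// The constraint Lambda returned in the ValidationException quoted in the
// review thread, anchored so the entire value must match.
const LAMBDA_FUNCTION_NAME = new RegExp(
  "^(arn:(aws[a-zA-Z-]*)?:lambda:)?" +
    "((eusc-)?[a-z]{2}((-gov)|(-iso([a-z]?)))?-[a-z]+-\\d{1}:)?" +
    "(\\d{12}:)?(function:)?([a-zA-Z0-9-_\\.]+)" +
    "(:(\\$LATEST(\\.PUBLISHED)?|[a-zA-Z0-9-_]+))?$",
);

export function isLambdaFunctionName(value: string): boolean {
  return LAMBDA_FUNCTION_NAME.test(value);
}

// `cdk deploy --outputs-file` writes { "<StackName>": { "<OutputKey>": "<value>" } }.
export function readStackOutputs(outputsJson: string, stackName: string): StackOutputs {
  const parsed = JSON.parse(outputsJson) as Record<string, Record<string, string>>;
  const outputs = parsed[stackName];
  if (!outputs) throw new Error(`No outputs for stack ${stackName}`);
  const name = outputs.FunctionName;
  const version = outputs.FunctionVersion;
  if (typeof name !== "string" || name === "") throw new Error(`Output FunctionName missing from ${stackName}`);
  if (typeof version !== "string" || version === "") throw new Error(`Output FunctionVersion missing from ${stackName}`);
  return { FunctionName: name, FunctionVersion: version };
}

// Builds the argv for `aws lambda invoke` (without the leading "aws"), refusing
// values Lambda would reject, such as the CloudFormation stack ARN tried above.
export function buildInvokeArgs(
  outputs: StackOutputs,
  payload: Record<string, unknown>,
  outFile = "output.json",
): string[] {
  if (!isLambdaFunctionName(outputs.FunctionName)) {
    throw new Error(`${outputs.FunctionName} is not a Lambda function name or ARN`);
  }
  // The stack publishes a numbered version (CfnVersion); $LATEST is the only other valid qualifier here.
  if (!/^(\d+|\$LATEST)$/.test(outputs.FunctionVersion)) {
    throw new Error(`${outputs.FunctionVersion} is not a version qualifier`);
  }
  return [
    "lambda", "invoke",
    "--function-name", outputs.FunctionName,
    "--qualifier", outputs.FunctionVersion,
    "--payload", JSON.stringify(payload),
    "--cli-binary-format", "raw-in-base64-out",
    outFile,
  ];
}

// Constructed sample outputs file, using the stack and function names from the thread.
export const SAMPLE_OUTPUTS_JSON = JSON.stringify({
  LambdaDurableBedrockStack: {
    FunctionName: "LambdaDurableBedrockStack-DurableBedrockFn3CE0D50D-FF9phCg6tiT9",
    FunctionVersion: "1",
  },
});

// The stack ARN the reviewer passed as --function-name; Lambda rejects it.
export const STACK_ARN =
  "arn:aws:cloudformation:us-east-1:123456789012:stack/LambdaDurableBedrockStack/703aed20-3d3f-11f1-8f52-0affe2f2e12f";

const outputs = readStackOutputs(SAMPLE_OUTPUTS_JSON, "LambdaDurableBedrockStack");
console.log(buildInvokeArgs(outputs, { topic: "Serverless AI workflows with Lambda durable functions" }).join(" "));
```

The argv is returned as an array rather than a shell string so the payload JSON is never re-quoted by a shell, which also sidesteps the broken line continuation behind the `zsh: command not found: --qualifier` message in the thread.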
- Scope Bedrock InvokeModel to inference-profile and foundation-model ARNs instead of wildcard
- Replace inline durable execution policy with AWSLambdaBasicDurableExecutionRolePolicy managed policy
- Publish a Lambda version via CfnVersion for qualified invocation
- Add FunctionVersion output for testing instructions
- Fix README title, clarify testing with explicit placeholder replacement
- Trim example-pattern.json description to 128 chars
Hello Bishwajit, thank you for taking the time to review. I appreciate it. I've updated each of the comments. Please help review this.

Hi @biswanathmukherjee — just a gentle follow-up. I've addressed all 9 review comments in commit 7a68a28:
Would you be able to take another look when you get a chance? Thank you!
Replace inline durable execution policy (wildcard resources) with the AWS managed policy for least-privilege IAM, matching the approach recommended in PR aws-samples#3053 review feedback.
# New Serverless Pattern: Lambda Durable Functions with Amazon Bedrock

## Description

Deploys a Lambda durable function that orchestrates a multi-step AI content pipeline using Amazon Bedrock (Claude). Each step is automatically checkpointed — if the function is interrupted, it resumes from the last completed step without re-invoking Bedrock.

## Architecture

```
Invoke → Lambda Durable Function → Bedrock (Claude)
  Step 1: Generate Outline    ✓ checkpoint
  Wait: 5s (simulate review)  ✓ checkpoint
  Step 2: Expand Draft        ✓ checkpoint
  Step 3: Summarize           ✓ checkpoint
```

## Key Features

- `@aws/durable-execution-sdk-js` with automatic checkpointing
- `DurableExecution: { Enabled: true }` via CfnFunction escape hatch

## Framework / Language

## Testing