Follow the step-by-step instructions below to build a serverless backend.

  • Step 1. Create an IAM policy for a custom IAM role

    To grant Lambda permissions to handle backend requests for your website, you create a custom IAM policy that grants permissions for AWS services to perform the following actions:

    • AppStream 2.0 creates a streaming URL. Customers are redirected to this streaming URL when they sign in to the Example Corp. website.
    • Amazon CloudWatch logging is enabled.
    Complete the following steps to create the custom IAM policy.
    1. Open the IAM console at
    2. In the navigation pane, choose Policies.
    3. If this is your first time choosing Policies, the Welcome to Managed Policies page appears. Choose Get Started.
    4. Choose Create policy.
    5. Choose the JSON tab.
    6. Copy and paste the following JSON policy into the policy document field.
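    {
        "Version": "2012-10-17",
        "Statement": [{
                "Effect": "Allow",
                "Action": "appstream:CreateStreamingURL",
                "Resource": [
                    "arn:aws:appstream:REGION-CODE:ACCOUNT-ID-WITHOUT-HYPHENS:fleet/FLEET-NAME",
                    "arn:aws:appstream:REGION-CODE:ACCOUNT-ID-WITHOUT-HYPHENS:stack/STACK-NAME"
                ]
            }, {
                "Effect": "Allow",
                "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
                "Resource": "*"
        }]
    }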

    7. Replace REGION-CODE with the code for the AWS Region where your AppStream 2.0 stack and fleet exist. Replace ACCOUNT-ID-WITHOUT-HYPHENS with your AWS account ID. Replace STACK-NAME and FLEET-NAME with the names of the stack and fleet.
    8. When you’re done, choose Review policy.
    9. For Name, type the following name for your new policy: examplecorp_lambda_saas_policy.
    10. Choose Create policy.
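A check worth running on the policy before you save it, as an added example that is not part of the original instructions or AWS's code: it flags any placeholder from step 7 that was left in place and any AppStream 2.0 resource that is not pinned to one named stack or fleet. The ARN layout in the pattern, the sample Region, account ID and names, and the function name `lintPolicy` are assumptions made for the example.

```javascript
// Added example (not AWS's code): lint a policy shaped like the one in step 6.
const PLACEHOLDERS = ['REGION-CODE', 'ACCOUNT-ID-WITHOUT-HYPHENS', 'STACK-NAME', 'FLEET-NAME'];
// Assumed ARN layout: arn:aws:appstream:<region>:<12-digit account>:<stack|fleet>/<name>
const SCOPED_ARN = /^arn:aws:appstream:[a-z0-9-]+:\d{12}:(stack|fleet)\/[A-Za-z0-9_.-]+$/;

const asArray = (v) => (Array.isArray(v) ? v : [v]);

function lintPolicy(policy) {
    const findings = [];
    for (const stmt of asArray(policy.Statement)) {
        if (stmt.Effect !== 'Allow') continue;
        const touchesAppStream = asArray(stmt.Action)
            .some((a) => a === '*' || a.toLowerCase().startsWith('appstream:'));
        if (!touchesAppStream) continue; // the CloudWatch Logs statement is skipped here
        for (const res of asArray(stmt.Resource)) {
            const left = PLACEHOLDERS.filter((p) => res.includes(p));
            if (left.length > 0) {
                findings.push(`placeholder not replaced (${left.join(', ')}): ${res}`);
            } else if (!SCOPED_ARN.test(res)) {
                findings.push(`not scoped to a single stack or fleet: ${res}`);
            }
        }
    }
    return findings;
}

// Constructed inputs: the template as pasted, a filled-in copy, and an over-broad copy.
const appstreamArn = (region, acct, kind, name) =>
    `arn:aws:appstream:${region}:${acct}:${kind}/${name}`;
const makePolicy = (resources) => ({
    Version: '2012-10-17',
    Statement: [
        { Effect: 'Allow', Action: 'appstream:CreateStreamingURL', Resource: resources },
        { Effect: 'Allow', Action: ['logs:CreateLogGroup', 'logs:PutLogEvents'], Resource: '*' },
    ],
});
const TEMPLATE = makePolicy([
    appstreamArn('REGION-CODE', 'ACCOUNT-ID-WITHOUT-HYPHENS', 'fleet', 'FLEET-NAME'),
    appstreamArn('REGION-CODE', 'ACCOUNT-ID-WITHOUT-HYPHENS', 'stack', 'STACK-NAME'),
]);
const FILLED = makePolicy([
    appstreamArn('us-west-2', '123456789012', 'fleet', 'ExampleFleet'),
    appstreamArn('us-west-2', '123456789012', 'stack', 'ExampleStack'),
]);
const TOO_BROAD = makePolicy('*');

console.log(lintPolicy(TEMPLATE), lintPolicy(FILLED), lintPolicy(TOO_BROAD));
```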

  • Step 2. Create an IAM service role that allows Lambda functions to call AWS services

    Lambda requires an IAM service role to allow the service to access resources in other services on your behalf. Complete the following steps to create an IAM service role and attach the policy that you created to this role.

    1. Open the IAM console at
    2. In the navigation pane, under Roles, choose Create role.
    3. For Select type of trusted entity, keep AWS service selected.
    4. Choose Lambda, and then choose Next: Permissions.
    5. In the Filter policies search box, type examplecorp_lambda_saas_policy. When the policy appears in the list, select the check box next to the policy name.
    6. Choose Next: Tags. Although you can specify a tag for the policy, a tag is not required.
    7. Choose Next: Review.
    8. For Role name, type examplecorp_lambda_saas_role.
    9. Choose Create role.

  • Step 3. Create and configure a Lambda function

    Complete the following steps to create a Lambda function.

    1. Open the Lambda console at
    2. Do one of the following:
        • If you haven’t created any Lambda functions, a Getting Started page displays. Under Getting Started, choose Create a function.
        • If you have created a Lambda function, in the upper right corner of the Functions page, choose Create a function.
    3. On the Create function page, keep Author from scratch selected.
    4. Under Basic information, do the following:
        • For Name, type examplecorp_lambda_saas_function.
        • For Runtime, choose Node.js 8.10.
    5. Under Permissions, choose the icon next to Choose or create an execution role. Then do the following:
        • For Execution role, choose Use an existing role.
        • For Existing role, choose examplecorp_lambda_saas_role from the list.
    6. Choose Create function.
    7. In the Function code section, on the index.js tab, the placeholder code displays. Delete the placeholder code, and copy and paste the following code onto the tab:

    // Copyright 2019, Inc. or its affiliates. All Rights Reserved.
    // SPDX-License-Identifier: Apache-2.0
    const AWS = require('aws-sdk');
    const appstream = new AWS.AppStream;

    exports.handler = (event, context, callback) => {
        if (!event.requestContext.authorizer) { //checks to see if Cognito Authorization has been configured
            errorResponse('Authorization has not been configured, please configure an authorizer in API Gateway', context.awsRequestId, callback);
            return; // stop here; there are no claims to read without an authorizer
        }
        // The user name comes from the token claims that API Gateway passes on, not from the request body
        const username = event.requestContext.authorizer.claims['cognito:username'];
        var params = {
            FleetName: '<Fleet-Name>', /* required */
            StackName: '<Stack-Name>', /* required */
            UserId: username,
            Validity: 5
        };
        createas2streamingurl(params, context.awsRequestId, callback);
    };

    function errorResponse(errorMessage, awsRequestId, callback) { //Function for handling error messaging back to client
        callback(null, {
            statusCode: 500,
            body: JSON.stringify({
                Error: errorMessage,
                Reference: awsRequestId,
            }),
            headers: {
                'Access-Control-Allow-Origin': '<origin-domain>', //This should be the domain of the website that originated the request, example:
            },
        });
    }

    function createas2streamingurl(params, awsRequestId, callback) {
        var request = appstream.createStreamingURL(params);
        request.
            on('success', function (response) {
                console.log("Success. AS2 Streaming URL created.");
                var url = response.data.StreamingURL;
                callback(null, {
                    statusCode: 201,
                    body: JSON.stringify({
                        Message: url,
                        Reference: awsRequestId,
                    }),
                    headers: {
                        'Access-Control-Allow-Origin': '<origin-domain>', //This should be the domain of the website that originated the request, example:
                    },
                });
            }).
            on('error', function (response) {
                console.log("Error: " + JSON.stringify(response.message));
                errorResponse('Error creating AS2 streaming URL.', awsRequestId, callback);
            }).
            send(); // the request is only sent once send() is called
    }

    8. Replace the following variables with your own values:

        • <Stack-Name>
        • <Fleet-Name>
        • <origin-domain>


    • <Stack-Name> is the name of the stack from which you want to create the streaming URL.
    • <Fleet-Name> is the name of the fleet that is associated with the stack from which you want this function to generate streaming URLs.
    • <origin-domain> is the domain of the website originating the request to API Gateway, in this case the full S3 website URL (ex., that you set up for this project.

    9. Save the function and close the Lambda console.
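The function above takes the streaming user's identity from the authorizer claims in the API Gateway event. The following added example, which is not part of the original function or AWS's code, isolates that step so it can be tested offline and handles two cases the handler does not: an authorizer that supplies no claims, and a user name that cannot be used as an AppStream 2.0 UserId. The name `userIdFromEvent`, the sample events, and the UserId limits (2 to 32 characters from `[\w+=,.@-]`) are assumptions; confirm the limits against the current CreateStreamingURL API reference.

```javascript
// Added example, not from the original page: derive the AppStream UserId from
// the API Gateway event and reject values CreateStreamingURL would refuse.
// Assumption: UserId must be 2-32 characters drawn from [\w+=,.@-].
const USER_ID_PATTERN = /^[\w+=,.@-]{2,32}$/;

function userIdFromEvent(event) {
    const ctx = (event && event.requestContext) || {};
    if (!ctx.authorizer) {
        return { ok: false, reason: 'no authorizer configured' };
    }
    // A Cognito user pool authorizer places the verified token claims here.
    // Other authorizer types may not, so check before indexing.
    const claims = ctx.authorizer.claims;
    const username = claims && claims['cognito:username'];
    if (typeof username !== 'string') {
        return { ok: false, reason: 'no cognito:username claim' };
    }
    if (!USER_ID_PATTERN.test(username)) {
        return { ok: false, reason: 'username not usable as AppStream UserId' };
    }
    return { ok: true, userId: username };
}

// Constructed sample events (not captured traffic). The body field is
// client-controlled and is never consulted for identity.
const withClaim = (name, body) => ({
    requestContext: { authorizer: { claims: { 'cognito:username': name } } },
    body: body,
});
const SAMPLE_EVENTS = {
    noAuthorizer: { requestContext: {}, body: '{"user":"admin"}' },
    noClaims: { requestContext: { authorizer: { principalId: 'abc' } } },
    valid: withClaim('jane.doe', '{"user":"admin"}'),
    tooLong: withClaim('u'.repeat(33)),
    badChars: withClaim('jane doe/x'),
};

for (const [name, ev] of Object.entries(SAMPLE_EVENTS)) {
    console.log(name, JSON.stringify(userIdFromEvent(ev)));
}
```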