This solution is a reference implementation for serverless image processing using AWS and Google APIs. The primary objective is to show how to ingest images from the user into AWS ecosystem and then process them by invoking Google APIs. The solution accepts image data from the user and converts it into text using Google Vision APIs. Then, it invokes Google Natural Language APIs to identify entities in the text (like name of a person, address etc). The solution then sends "First name" and "Last name" found in the text as a response back to the user.
The CloudFormation template contains the following:
- A REST API provided by AWS API Gateway using which user can upload image data for processing.
- An Authorizer lambda which controls access to the REST API using a token based authorization.
- The API Gateway implements an OPTIONS object to allow CORS (Cross-Origin Resource Sharing) support.
- An image processing lambda which invokes Google APIs to extract "First name" and "Last name" from the image provided by user.
- A "node modules" package which contains the dependencies (modules) required by the NodeJS code in image processing lambda. These modules are packaged as a lambda layer.
The Image Processing lambda requires an authentication key in order to invoke Google APIs. A convenient option is to provide the key as an environment variable to the lambda. However, it may not be advisable to hold the key in plain text due to various factors. Also, transmitting the key in plain text from client premise over the Internet to AWS servers should be avoided.
To store and transmit API keys securely, following approach is used:
-
Create a new symmetric Client Managed Key (CMK) using AWS IAM Key Management Service (KMS). Let the key be named
LambdaEnvKey
. -
On your local system, use AWS CLI to encrypt the API key:
aws kms encrypt --key-id alias/LambdaEnvKey --plaintext fileb://key.json --output text --query CiphertextBlob > key-encrypted
- where
key.json
contains the API key andkey-encrypted
is the corresponding encrypted key as output
- where
The encrypted key can now be specified as an environment variable to the image processing lambda. When this lambda is invoked, it uses KMS API to decrypt the key and use it to call Google APIs.
The approach outlined here is just one of the ways to manage API keys. Alternatively, the keys can also be secured using AWS Systems Manager Parameter Store or AWS Secrets Manager service.
The solution already provides a package containing dependencies for NodeJS. It was generated using the following steps:
- Launch an EC2 instance. A standard t2.micro with Amazon Linux 2 AMI (HVM) 64-bit (x86) is sufficient. We will terminate the instance once we generate the dependent libraries.
- Login to the EC2 instance using an SSH client like PuTTY.
- Create a folder named
nodejs
and change directory to this new folder.
mkdir nodejs
cd nodejs
- Copy the package.json file to the EC2 instance and place it inside the
nodejs
folder. - Install the Node Version Manager
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.34.0/install.sh | bash
- Activate
nvm
.
. ~/.nvm/nvm.sh
- Install NodeJS. Since we are using Node v12.x for lambda code, install the corresponding version.
nvm install 12.16.1
- Confirm that
node
has been successfully installed by running the following command:
node --version
It should print the following output:
v12.16.1
- Install the dependencies listed in
package.json
npm install
- We no longer need
package.json
and the newly generatedpackage-lock.json
files.
rm package*
- The dependencies will be placed in "node_modules" folder. Change directory to parent folder and zip the
nodejs
folder.
cd ..
zip -X -r node_modules.zip nodejs
- Open a terminal on your local system and run the following command to copy the zip file to your local system. This example uses PuTTY on Windows.
pscp -i <path to .ppk file> ec2-user@<IP of EC2>:/home/ec2-user/node_modules.zip <your local system folder path>
- Terminate the EC2 instance.
- To invoke Google APIs, you must create a Google Cloud account and generate an API key
- Deploy the CloudFormation template in AWS
- Note the API Endpoint URL generated in "Outputs" tab of CloudFormation Stack
- Convert an image of a business card into base64 format. Several online tools like this one are available. A few sample images are provided with the solution.
- Use a tool like Postman to invoke the REST API by providing the following headers:
Content-Type: application/json
Authorization: <security token that was specified while deploying the CloudFormation template>
Body of the request should be in JSON format:
{
"imgdata": "<base64 image data>"
}
- The API will send a response containing the "First name" and "Last name" identified in the business card image.
- Delete the CloudFormation stack.
- Delete the encryption key created using KMS service.