C2C Schema/SmartApp devices with AWS lambda and st-schema

Reference: https://smartthings.developer.samsung.com/docs/guides/smartthings-schema/basics.html

1. Deploy to test

Doc says: Using the AWS CLI, give SmartThings permissions to access your Lambda function.

Downloaded and installed the CLI. Selected a role in th Lamba. Added polices to the role needed for FunctionInvoke. Created a profile using the CLI using my the IAM account number and keys (in the CLI the account number is referred as the “principal”).

aws lambda add-permission --profile --function-name demoSTSchema --statement-id smartthings --principal --action lambda:InvokeFunction

An error occurred (AccessDeniedException) when calling the AddPermission operation: User: arn:aws:iam:::user/ is not authorized to perform: lambda:AddPermission on resource: arn:aws:lambda:us-east-1:function:demoSTSchema

update 1: Created a very basic simple Schema Lambda that return an error as defined per the Schema spec. When I try to “deploy to test” in the workspace it says the Lambda is invalid. The arn is correct. It seems the authorization is the problem.

update 2: after some time the error changed to below message, but still cannot deploy to test. with “. Failed to connect to partner lambda ARN in us-east-1”

An error occurred (ResourceConflictException) when calling the AddPermission operation: The statement id (smartthings) provided already exists. Please provide a new statement id, or remove the existing statement.

Update 3: Well apparently, the polciy change does not propagate immediately, You need to wait 5 minutes or so before the policy is added on AWS, Adding the lamba on the AP point, also took about 5 minutes to get this response (before that needed to run aws configure again for this region)

aws lambda add-permission --profile debugging --function-name demoSTSchema --statement-id smartthings --principal 2XXXXXX --action lambda:InvokeFunction

{
“Statement”: “{“Sid”:“smartthings”,“Effect”:“Allow”,“Principal”:{“AWS”:“arn:aws:iam::XXXXXXX:root”},“Action”:“lambda:InvokeFunction”,“Resource”:“arn:aws:lambda:ap-northeast-1:XXXXXXX:function:demoSTSchema”}”
}

The policies I used where
“logs:CreateLogGroup”,
“logs:CreateLogStream”,
“logs:PutLogEvents”
“lambda:InvokeFunction”

After executing once again, the ResourceConflict Error came.

But… Deploy to test, still fails…!! :frowning:

Update 4: Note sure but while I was tpying this the ST web page contents changed and stats:. Use 906037444270 for SmartApp and 148790070172 for SmartThings Schema.

Tried the aws tool with 148790070172 on us-east-1 and got :

An error occurred (ResourceConflictException) when calling the AddPermission operation: The statement id (smartthings) provided already exists. Please provide a new statement id, or remove the existing statement.

it also states now :slight_smile:

NOTE : To confirm that the permission is properly granted to the SmartThings account, navigate to the Lambda function page on your AWS console, click the Triggers tab, and click the View function policy down arrow. This will display JSON description showing that SmartThings can now invoke your function.

But can’t find where this function policy is located…

Update 5: Ok, so click the “key” icon “view permissions” in the lambda and the JSON will pop up below… i got:
{
“Version”: “2012-10-17”,
“Id”: “default”,
“Statement”: [
{
“Sid”: “smartthings”,
“Effect”: “Allow”,
“Principal”: {
“AWS”: “arn:aws:iam::XXXXXXXX:root”
},
“Action”: “lambda:InvokeFunction”,
“Resource”: “arn:aws:lambda:us-east-1:ZXXXXXX:function:demoSTSchema”
}
]
}

But the XXX is my user ID and not 148790070172. So this is probably why I am still getting Invalid Lambda ARN… Failed to connect to partner lambda ARN in us-east-1

So how TO change that, CLI to remove the function policy for smartthings ?

Update 6: Ok ,use: aws lambda remove-permission --profile --function-name demoSTSchema --statement-id smartthings. Then run the CLI tool (with correct region set) and now
it shows

{
“Version”: “2012-10-17”,
“Id”: “default”,
“Statement”: [
{
“Sid”: “smartthings”,
“Effect”: “Allow”,
“Principal”: {
“AWS”: “arn:aws:iam::148790070172:root”
},
“Action”: “lambda:InvokeFunction”,
“Resource”: “arn:aws:lambda:us-east-1:XXXXXXXX:function:demoSTSchema”
}
]
}

where XXX is my user ID. But still getting in the workspace: Failed to connect to partner lambda ARN in us-east-1"

Update 7: so, not sure what happened, but now the workspace is looking for the ap-northeast ARN and it failed , so did the same thing with the CLI and checked the lambda in northeast:

{
“Version”: “2012-10-17”,
“Id”: “default”,
“Statement”: [
{
“Sid”: “smartthings”,
“Effect”: “Allow”,
“Principal”: {
“AWS”: “arn:aws:iam::148790070172:root”
},
“Action”: “lambda:InvokeFunction”,
“Resource”: “arn:aws:lambda:ap-northeast-1:244619353444:function:demoSTSchema”
}
]
}

so that looks good. then deploy again… OMG, VOILA IT WORKED… !

Hopefully this post helped someone getting out the same long dolrums. (Took me one working day)

Lessons leaned are:

  1. Add policies to the user in IAM.
  2. Make sure to run aws CLI to create a profile and configure correctly with user keys and region
  3. Run aws CLI to apply the policy to the correct principal specified in the docs.
  4. Wait for approx 5 minutes for the policy to take effect.
  5. Check the lambda “key” icon if the JSON has the correct values. (See above)
  6. Apply the polices to all lambda listed (all regions), The workspace seems to check them all.

Update 8: receive the discovery event in the lamba… Let the fun start… :slight_smile:

2. st-schema

docs says st-schema is a package published to npm by SmartThings. Download the package using npm install .

My environment is a public web-server supporting Oauth2 authorization flows. Have the webhook with C2C Schema and SmartApp working with ST (Getting the messages) but now attempting to use a Lambda . Assume this “st-schema” package is to be installed into the the AWS Lamba project because the code looks for it. How to install ? Where is this package ? How to npm it into the lambda ?

3. Another attempt: Uploading st-schema file with CLI

Found an st-schema file here (https://pypi.org/project/st-schema/#files) but not sure it’s right one. That st-schema is a tar file, changed it into .zip. Create and tried to use same CLI tool to upload it to the lamba function. Also permission errors.

aws lambda update-function-code --function-name demoSTSchema --zip-file fileb://st-schema.zip

An error occurred (UnrecognizedClientException) when calling the UpdateFunctionCode operation: The security token included in the request is invalid.

CREATED A CUSTOM LAMBDA, IS WORKING - CLOSED

4. east-1 arn is mandatory ?

Another issue . Tried just to use the Asia Pacific lamba (removing the US one), thenwhen trying to deploy for test it says “Lambda ARN is required…” Not really sure, but this seems to be a bug in the workspace that us-east1 is always required for tes. .

5. Schema connector Lambda example(s)

I could not find an Lambda example for C2C schema connector. Is there ? started to hack my own, but as long as the ST cloud can’t connect to the lambda, there ain’t much to do. CREATED A CUSTOM LAMBDA, IS WORKING - CLOSED

Hello @debugging, These are supported regions:

Option 1: AWS Lambda

NOTE : Lambdas for SmartThings Schema must be deployed in one of the following regions, based on your availability:

  • ap-northeast-1 (Tokyo)
  • us-east-1 (N. Virginia)
  • eu-west-1 (Ireland)

Change the region from AWS before creating the lambda. Then configure your profile in AWS cli:

You can check the SmartThigs documentation here

Greetings.

There seems to be a bug in smartschema deployment method.
I tried deploying using ap-northeast-1 (Tokyo) and smartthings kept generating an incorrect arn message. In frustration I tried using the North america region for the lambda and the arn was accepted.