Skip to main content
AWS SAM (Serverless Application Model) automates the deployment of Lambda functions, API Gateway, and IAM roles. This page walks you through the build and deployment process.

Template Overview

The template.yaml file defines the following resources:

Parameters

ParameterTypeDescriptionRequired
PolicyStoreIdStringID of your AVP policy storeYes
AnthropicApiKeyString (NoEcho)API key for Anthropic ClaudeYes*
*If you don’t plan to use the AI agent feature (avp-agent.html), you can enter placeholder for the AnthropicApiKey. The main lab (index.html) does not require the Anthropic API.

Resources Deployed

API Gateway

AVPDemoApi:
  Type: AWS::Serverless::Api
  Properties:
    Name: avp-demo-api
    StageName: prod
    Cors:
      AllowMethods: "'POST,GET,OPTIONS'"
      AllowHeaders: "'Content-Type,X-Amz-Date,Authorization,X-Api-Key'"
      AllowOrigin: "'*'"
  • Stage: prod
  • CORS: Enabled for local development (allows requests from localhost:8000)
  • Endpoints: /check-access, /users, /agent

Lambda: Check Access

CheckAccessFunction:
  Type: AWS::Serverless::Function
  Properties:
    FunctionName: avp-check-access
    CodeUri: lambda/
    Handler: app.lambda_handler
    Runtime: python3.11
    Timeout: 30
    Policies:
      - Statement:
          - Effect: Allow
            Action: verifiedpermissions:IsAuthorized
            Resource: "*"
  • Purpose: Calls AVP’s IsAuthorized API to check if a user can perform an action on a resource
  • Endpoint: POST /check-access
  • Source: lambda/app.py:lambda_handler

Lambda: Get Users

GetUsersFunction:
  Type: AWS::Serverless::Function
  Properties:
    FunctionName: avp-get-users
    CodeUri: lambda/
    Handler: users.lambda_handler
    Runtime: python3.11
  • Purpose: Returns hardcoded demo users and documents for the UI
  • Endpoint: GET /users
  • Source: lambda/users.py:lambda_handler

Lambda: AI Agent

AgentFunction:
  Type: AWS::Serverless::Function
  Properties:
    FunctionName: avp-agent
    CodeUri: lambda/
    Handler: agent.lambda_handler
    Runtime: python3.11
    Timeout: 60
    Environment:
      Variables:
        POLICY_STORE_ID: !Ref PolicyStoreId
        ANTHROPIC_API_KEY: !Ref AnthropicApiKey
  • Purpose: Secure proxy to Anthropic API — AI agent that queries AVP using natural language
  • Endpoint: POST /agent
  • Source: lambda/agent.py:lambda_handler
  • Timeout: 60 seconds (longer than other functions to handle AI processing)
The ANTHROPIC_API_KEY is stored as an encrypted environment variable in Lambda. It is never exposed to the frontend.

Outputs

After deployment, SAM outputs the following values: 
Outputs:
  ApiUrl:
    Description: "URL del API Gateway - usala en el frontend"
    Value: !Sub "https://${AVPDemoApi}.execute-api.${AWS::Region}.amazonaws.com/prod"
  
  AgentEndpoint:
    Description: "Endpoint del agente IA"
    Value: !Sub "https://${AVPDemoApi}.execute-api.${AWS::Region}.amazonaws.com/prod/agent"
You’ll use the ApiUrl to configure the frontend in the next step.

Build and Deploy

1

Navigate to project directory

cd ~/workspace/source/
2

Build the SAM application

sam build
This command:
  • Validates the template.yaml syntax
  • Installs Python dependencies from lambda/requirements.txt
  • Packages Lambda function code
  • Creates a .aws-sam/ directory with build artifacts
Expected output:
Building codeuri: lambda/ runtime: python3.11
Running PythonPipBuilder:ResolveDependencies
Running PythonPipBuilder:CopySource

Build Succeeded

Built Artifacts  : .aws-sam/build
Built Template   : .aws-sam/build/template.yaml
3

Deploy with guided mode

sam deploy --guided
The --guided flag walks you through an interactive deployment wizard.
4

Answer deployment prompts

SAM will ask a series of questions. Use the following answers:
Make sure you have your Policy Store ID from the previous step ready!
PromptAnswerNotes
Stack Nameavp-demoCloudFormation stack name
AWS Regionus-west-2Or your preferred region where AVP is available
Parameter PolicyStoreIdPS1a2b3c4d5e6f7g8h9i0Paste your actual Policy Store ID
Parameter AnthropicApiKeysk-ant-... or placeholderYour Anthropic API key, or placeholder if not using AI agent
Confirm changes before deployyReview changes before applying
Allow SAM CLI to create IAM rolesyRequired for Lambda execution roles
Disable rollbacknKeep rollback enabled for safety
CheckAccessFunction has no authentication. Is this okay?yIntentional for demo purposes
GetUsersFunction has no authentication. Is this okay?yIntentional for demo purposes
AgentFunction has no authentication. Is this okay?yIntentional for demo purposes
Save arguments to configuration fileySaves settings to samconfig.toml for future deploys
SAM configuration file(press ENTER)Uses default samconfig.toml
SAM configuration environment(press ENTER)Uses default environment
The Lambda functions intentionally have no authentication for demo purposes. In a production application, you should implement API Gateway authorization (API keys, Cognito, IAM, etc.).
5

Review and confirm deployment

SAM will show a changeset preview:
Changeset created successfully

CloudFormation stack changeset
--------------------------------------------------
Operation    LogicalResourceId              ResourceType
--------------------------------------------------
+ Add        AVPDemoApi                     AWS::Serverless::Api
+ Add        CheckAccessFunction            AWS::Serverless::Function
+ Add        GetUsersFunction               AWS::Serverless::Function
+ Add        AgentFunction                  AWS::Serverless::Function
+ Add        CheckAccessFunctionRole        AWS::IAM::Role
+ Add        GetUsersFunctionRole           AWS::IAM::Role
+ Add        AgentFunctionRole              AWS::IAM::Role
...
--------------------------------------------------
When prompted:
Deploy this changeset? [y/N]:
Type y and press ENTER to proceed.
6

Wait for deployment to complete

SAM will create the CloudFormation stack and deploy all resources. This takes 2-3 minutes.You’ll see progress updates:
Deploying with following values
===============================
Stack name                   : avp-demo
Region                       : us-west-2
Confirm changeset            : True
...

CloudFormation events from stack operations
--------------------------------------------------
ResourceStatus           ResourceType              LogicalResourceId
--------------------------------------------------
CREATE_IN_PROGRESS       AWS::CloudFormation::Stack avp-demo
CREATE_IN_PROGRESS       AWS::IAM::Role             CheckAccessFunctionRole
CREATE_COMPLETE          AWS::IAM::Role             CheckAccessFunctionRole
CREATE_IN_PROGRESS       AWS::Lambda::Function      CheckAccessFunction
...
CREATE_COMPLETE          AWS::CloudFormation::Stack avp-demo
--------------------------------------------------
7

Copy the API URL from outputs

Save the ApiUrl output — you’ll need it to configure the frontend!
When deployment completes, you’ll see:
CloudFormation outputs from deployed stack
--------------------------------------------------
Outputs
--------------------------------------------------
Key                 ApiUrl
Description         URL del API Gateway - usala en el frontend
Value               https://abc123def4.execute-api.us-west-2.amazonaws.com/prod

Key                 AgentEndpoint
Description         Endpoint del agente IA
Value               https://abc123def4.execute-api.us-west-2.amazonaws.com/prod/agent
--------------------------------------------------

Successfully created/updated stack - avp-demo in us-west-2
Copy the ApiUrl value to your clipboard or a text file.

Verify Deployment

You can verify your deployment in several ways:

AWS Console

  1. CloudFormation: Check the stack status at https://console.aws.amazon.com/cloudformation
    • Stack should show CREATE_COMPLETE status
    • Verify all resources were created successfully
  2. Lambda: Check your functions at https://console.aws.amazon.com/lambda
    • You should see three functions: avp-check-access, avp-get-users, avp-agent
  3. API Gateway: Check your API at https://console.aws.amazon.com/apigateway
    • You should see avp-demo-api with the prod stage deployed

CLI Commands

# Check stack status
aws cloudformation describe-stacks --stack-name avp-demo --query 'Stacks[0].StackStatus'

# List stack outputs
aws cloudformation describe-stacks --stack-name avp-demo --query 'Stacks[0].Outputs'

# Test the /users endpoint
curl https://YOUR_API_URL/users
The /users endpoint should return JSON with demo users and documents.

Redeploying Changes

If you make changes to the Lambda code or template.yaml, redeploy with: 
sam build
sam deploy  # No --guided flag needed, uses saved config
SAM will use the settings saved in samconfig.toml from your initial deployment.

Troubleshooting

Build Failures

Error: Build Failed: PythonPipBuilder:ResolveDependencies
  • Solution: Ensure Python 3.11+ is installed: python3 --version
  • Check that lambda/requirements.txt exists and dependencies are available

Deployment Failures

Error: Unable to upload artifact... Access Denied
  • Solution: Ensure your AWS credentials have permissions to create S3 buckets, Lambda functions, and IAM roles
Error: Policy Store ID is invalid
  • Solution: Verify you copied the correct Policy Store ID from the AVP console. It should start with PS.

Runtime Errors

Error: User: arn:aws:iam::... is not authorized to perform: verifiedpermissions:IsAuthorized
  • Solution: The Lambda execution role should have been created automatically. Check the IAM role permissions in the AWS console.

Next Steps

With your backend deployed, configure the frontend to connect to your API:

Configure Frontend

Update HTML files with your API Gateway URL

Build docs developers (and LLMs) love

Get started for freeTalk to us