Preparation

Before writing any code, we need to set up three things: an IAM role for Lambda, a DynamoDB table to store songs, and a Cognito user pool for authentication.


1. Create IAM Role for Lambda

Lambda functions need permission to access DynamoDB and write logs to CloudWatch.

  1. Go to IAM Console → Roles → Create role
  2. Select AWS service → Lambda → Next


  3. Search and attach these two policies:

    • AmazonDynamoDBFullAccess
    • CloudWatchLogsFullAccess
  4. Name the role lambda-workshop-role → Create role

In a real production environment, you would use a more restrictive policy. For this workshop, these managed policies keep things simple.
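
The following added example, which is not part of the original workshop, renders an inline policy scoped to the songs table and one function's log group, and swaps it in for the two managed policies. The function name songs-api, the policy name songs-least-privilege and the read-only action list are assumptions; extend the actions if your handler also writes to the table.

```sh
#!/bin/sh
# Added example: least-privilege inline policy for lambda-workshop-role.
# Assumptions (not from the workshop): function name "songs-api", policy
# name "songs-least-privilege", and a handler that only reads the table.

# render_policy REGION ACCOUNT_ID [FUNCTION_NAME]
# Prints policy JSON limited to the songs table and one Lambda log group.
render_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadSongsTableOnly",
      "Effect": "Allow",
      "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan"],
      "Resource": "arn:aws:dynamodb:${1}:${2}:table/songs"
    },
    {
      "Sid": "WriteOwnLogGroupOnly",
      "Effect": "Allow",
      "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
      "Resource": [
        "arn:aws:logs:${1}:${2}:log-group:/aws/lambda/${3:-songs-api}",
        "arn:aws:logs:${1}:${2}:log-group:/aws/lambda/${3:-songs-api}:*"
      ]
    }
  ]
}
EOF
}

# apply_policy REGION ACCOUNT_ID [FUNCTION_NAME]
# Attaches the scoped policy, then detaches the two broad managed policies.
apply_policy() {
  aws iam put-role-policy --role-name lambda-workshop-role \
    --policy-name songs-least-privilege \
    --policy-document "$(render_policy "$1" "$2" "${3:-}")" || return 1
  for p in AmazonDynamoDBFullAccess CloudWatchLogsFullAccess; do
    aws iam detach-role-policy --role-name lambda-workshop-role \
      --policy-arn "arn:aws:iam::aws:policy/$p" || return 1
  done
}

# Run as: sh scoped-policy.sh --apply us-east-1 <ACCOUNT_ID> [FUNCTION_NAME]
if [ "${1:-}" = "--apply" ]; then
  apply_policy "$2" "$3" "${4:-}"
fi
```
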


2. Create DynamoDB Table

We need two tables: one for users and one for songs.

Songs table

  1. Go to DynamoDB Console → Tables → Create table


  2. Configure:

    • Table name: songs
    • Partition key: songId (String)
    • Settings: Default settings
  3. Click Create table


Seed some song data

Once the table is created, add a few items manually so GET /songs has data to return.

  1. Click on the songs table → Explore table items → Create item
  2. Switch to JSON view and paste:
{
  "songId": { "S": "1" },
  "title": { "S": "Lạc Trôi" },
  "artist": { "S": "Sơn Tùng M-TP" },
  "genre": { "S": "vpop" }
}
  3. Click Create item. Repeat for 1-2 more songs if you want.

3. Create Cognito User Pool

  1. Go to Cognito Console → User pools → Create user pool


  2. Configure sign-in:

    • Sign-in options: Email
    • Keep other defaults → Next through all steps
  3. On the App client step:

    • App client name: workshop-client
    • Authentication flows: check ALLOW_USER_PASSWORD_AUTH and ALLOW_REFRESH_TOKEN_AUTH
    • Client secret: select Generate a client secret (we need this for the Lambda code)
  4. Name the user pool workshop-pool → Create user pool


  5. Note down these values — you will need them later:
    • User Pool ID (format: us-east-1_XXXXXXX)
    • App client ID
    • App client secret

Create a test user

  1. In your user pool → Users → Create user

  2. Configure:

    • Email: test@example.com
    • Temporary password: Test@12345
    • Uncheck Send an invitation
  3. The user will be in Force change password state. Set a permanent password via AWS CLI:

aws cognito-idp admin-set-user-password \
  --user-pool-id <YOUR_USER_POOL_ID> \
  --username test@example.com \
  --password "Test@12345" \
  --permanent

The user is now ready to log in.