An AWS Lambda function to facilitate logging and storing chat traces in an S3 bucket, with support for Apple App Attestation to ensure secure and legitimate access.
Note: This Lambda function is specifically designed for sharing chats as URLs and is optional. It is not required for the core functionality of the app, so setting it up is only necessary if you intend to use the chat-sharing feature.
To work with this project, ensure the following prerequisites are met:
- Python 3.11
- AWS Account with configured credentials
- AWS CLI: Command Line Interface for AWS
- AWS SAM CLI: For building and deploying serverless applications
- Docker: For local invocation and builds
- S3 Bucket: For storing chat traces
- Install AWS CLI: Follow the instructions here.
- Configure AWS CLI: Log in and configure the default profile for AWS CLI.

    aws configure

- Install Docker or OrbStack: Ensure Docker is installed and running on your system.
- Install SAM CLI: Use the following command:

    pip install --upgrade aws-sam-cli

- Create an .env.json file:

    cp .env.example.json .env.json

- Populate the .env.json file with the required environment variables:

| Variable | Data Type | Default | Description |
| --- | --- | --- | --- |
| BucketName | String | None | The name of the S3 bucket where the shared conversation traces will be stored. |
| S3LogPrefix | String | "logs" | The prefix for log files in the S3 bucket. |
| S3SharePrefix | String | "share" | The prefix for shared files in the S3 bucket. |
| CertificateAsBytes | String | None | Apple App Attestation Root CA, added to .env.json as a single line of text without comments or newlines. |
| HmacShaKey | String | None | The HMAC SHA key for signing Apple Attest challenges. |
| Env | String | "prod" | The environment (e.g., prod or dev). |
| MaxRequestSizeBytes | Integer | 50KB | The maximum allowed request size in bytes. |
| AppId | String | None | The application ID in the format {DEVELOPMENT_TEAM_ID}.{PRODUCT_BUNDLE_IDENTIFIER}. To obtain your team Id refer to Locate your team ID. Your Product Bundle Identifier should be in this format: com.domain.app_name (See image below). Your AppId environment variable value is the concatenation of these two ids joined by a period. For example: "ABC1234567.com.domain.app_name" |

Your PRODUCT_BUNDLE_IDENTIFIER can be found here:
- Build the Lambda function using SAM CLI:

    sam build

  Alternatively, if you are using VS Code, press Cmd + Shift + B to build.
- Install Python dependencies:

    pip install -r src/requirements.txt -t .aws-sam/build

  Note: Install dependencies only once unless src/requirements.txt changes.
This Lambda implements Apple's App Attestation to ensure requests originate from verified app instances.
There are two execution paths for the Lambda, and each can be tested separately. Bear in mind that attestation is disabled on local invoke, since a valid keyId and attestation object need to be retrieved from a physical device running a legitimate instance of the app.
- Get the Attest Challenge
  - Using VS Code or Cursor: Cmd + Shift + P -> Run Task -> Test GetChallenge
  - Or manually:

        sam local invoke OlmoeAttestS3LoggingFunction -e tests/get_challenge.json --parameter-overrides $(cat .env.test.json | jq -r 'to_entries | map("\(.key)=\(.value|tostring)") | .[]')

- Share conversation trace
  - Using VS Code or Cursor: Cmd + Shift + P -> Run Task -> Test ShareTrace
  - Or manually:

        sam local invoke OlmoeAttestS3LoggingFunction -e tests/prod_attest.json --parameter-overrides $(cat .env.test.json | jq -r 'to_entries | map("\(.key)=\(.value|tostring)") | .[]')

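The HmacShaKey variable is described above as the key for signing Apple Attest challenges. The following is an added example, not this project's code, showing one way an HMAC key lets a stateless function recognise challenges it issued earlier; the token layout, the 300-second lifetime and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# Assumed validity window; the project's real value is not stated on this page.
CHALLENGE_TTL_SECONDS = 300


def issue_challenge(key: bytes, now: Optional[float] = None) -> str:
    """Return nonce || issued-at || HMAC-SHA256 tag, base64url-encoded."""
    issued_at = int(time.time() if now is None else now)
    body = os.urandom(16) + struct.pack(">Q", issued_at)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode("ascii")


def verify_challenge(key: bytes, token: str, now: Optional[float] = None) -> bool:
    """Accept only a token signed with this key that is still inside the TTL."""
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
    except ValueError:  # covers bad padding and non-ASCII input
        return False
    if len(raw) != 16 + 8 + 32:
        return False
    body, tag = raw[:24], raw[24:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison, done before any field of the token is trusted.
    if not hmac.compare_digest(tag, expected):
        return False
    issued_at = struct.unpack(">Q", body[16:])[0]
    current = time.time() if now is None else now
    # Reject expired tokens and tokens dated in the future.
    # A stateless token can be replayed until it expires; strict one-time use
    # needs server-side state in addition to the signature.
    return 0 <= current - issued_at <= CHALLENGE_TTL_SECONDS
```

In a deployment the key would be the bytes of the HmacShaKey value, and the attestation or assertion check would run only after `verify_challenge` returns True.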
Ensure the Lambda is built before deploying.
- First-time deployment (no samconfig.toml):

    sam deploy --guided --parameter-overrides $(cat .env.json | jq -r 'to_entries | map("\(.key)=\(.value|tostring)") | .[]')

- Subsequent deployments:
  - VS Code or Cursor: Cmd + Shift + P -> Run Task -> Deploy Lambda
  - Or manually:

        sam deploy --parameter-overrides $(cat .env.json | jq -r 'to_entries | map("\(.key)=\(.value|tostring)") | .[]')