Add documentation for creating AWS Lambda proxy for Alexa Intents (#10813)

* Add documentation for configuring Alexa Intents AWS Lambda function * Some clean up and SPG fixes * Remove spurious 'Smart Home' references * Wrap images in <p class='img'> in Alexa AWS documentation * Only mention Duck DNS addon for https since it incorporates Let's Encrypt * Use [text](url) link syntax rather than <url>
2025-07-14 12:56:54 +00:00 · 2019-10-23 04:44:29 +00:00 · 2019-10-23 04:44:29 +00:00 · ba419d48d6
commit ba419d48d6
parent 8d22a4f4f8
2 changed files with 103 additions and 15 deletions
--- a/source/_integrations/alexa.intent.markdown
+++ b/source/_integrations/alexa.intent.markdown
@ -17,17 +17,11 @@ The built-in Alexa integration allows you to integrate Home Assistant into Alexa

 ### Requirements

-Amazon requires the endpoint of a skill to be hosted via SSL. Self-signed certificates are OK because our skills will only run in development mode. Read more on [our blog][blog-lets-encrypt] about how to set up encryption for Home Assistant. When running Hass.io, using the [Let's Encrypt](/addons/lets_encrypt/) and [Duck DNS](/addons/duckdns/) add-ons is the easiest method. If you are unable to get HTTPS up and running, consider using [this AWS Lambda proxy for Alexa skills](https://community.home-assistant.io/t/aws-lambda-proxy-custom-alexa-skill-when-you-dont-have-https/5230).
+- Amazon Developer Account. You can sign on [here](https://developer.amazon.com).
+- An [AWS account](https://aws.amazon.com/free/) is need if you want to use Alexa Custom Skill API. Part of your Alexa Custom Skill will be hosted on [AWS Lambda](https://aws.amazon.com/lambda/pricing/). However you don't need worry the cost, AWS Lambda allow free to use up to 1 millions requests and 1GB outbound data transfer per month.
+- The Alexa Custom Skill API also needs your Home Assistant instance can be accessed from Internet. We strongly suggest you host HTTPS server and use validation certificate. Read more on [our blog](/blog/2015/12/13/setup-encryption-using-lets-encrypt/) about how to set up encryption for Home Assistant. When running Hass.io using the [Duck DNS](/addons/duckdns/) add-on is the easiest method.

-Additionally, note that at the time of this writing, your Alexa skill endpoint *must* accept requests over port 443 (Home Assistant default to 8123). There are two ways you can handle this:
-
-  1. In your router, forward external 443 to your Home Assistant serving port (defaults to 8123)
-  OR
-  2. Change your Home Assistant serving port to 443 this is done in the [`http`](/integrations/http/) section with the `server_port` entry in your `configuration.yaml` file
-
-[blog-lets-encrypt]: /blog/2015/12/13/setup-encryption-using-lets-encrypt/
-
-To get started with Alexa skills:
+### Create Your Amazon Alexa Custom Skill

 - Log in to [Amazon developer console][amazon-dev-console]
 - Click the Alexa button at the top of the console
@ -36,12 +30,96 @@ To get started with Alexa skills:
  - Name: Home Assistant
  - Invocation name: home assistant (or be creative, up to you)
  - Version: 1.0
-  - Endpoint:
-    - https
-    - `https://YOUR_HOST/api/alexa?api_password=YOUR_API_PASSWORD`
+  - Endpoint: This will be the ARN for the Lambda Function you will create next.

 You can use this [specially sized Home Assistant logo][large-icon] as the large icon and [this one][small-icon] as the small one.

+### Create Your Lambda Function
+
+The Alexa Custom skill will trigger a AWS Lambda function to process the request, we will write a small piece of code hosted as a Lambda function to basically redirect the request to your Home Assistant instance, then the Alexa integration in Home Assistant will process the request and send back the response. Your Lambda function will deliver the response back to Alexa.
+
+OK, let's go. You first need sign in your [AWS console](https://console.aws.amazon.com/), if you don't have an AWS account yet, you can create a new user [here](https://aws.amazon.com/free/) with 12-month free tier benefit. You don't need worry the cost if your account has already passed the first 12 months, AWS provides up to 1 million Lambda requests, 1GB of outbound data and unlimited inbound data for free every month for all users. See [Lambda pricing](https://aws.amazon.com/lambda/pricing/) for details.
+
+#### Create an IAM Role for Lambda 
+
+The first thing you need to do after you sign in to the [AWS console](https://console.aws.amazon.com/) is to create an IAM Role for Lambda execution. AWS has very strict access control, you have to explicitly define and assign the permissions.
+
+- Click `Service` in top navigation bar, expand the menu to display all AWS services, click `IAM` under `Security, Identity, & Compliance` section to navigate to IAM console. Or you may use this [link](https://console.aws.amazon.com/iam/home)
+- Click `Roles` in the left panel, then click `Create role`, select `AWS Service` -> `Lambda` in the first page of the wizard, then click `Next: Permissions`
+- Select `AWSLambdaBasicExecutionRole` policy, then click `Next: Tags`. (Tips: you can use the search box to filter the policy)
+
+<p class='img'>
+  <img src='/images/integrations/alexa/create_iam_role_attach_permission.png' alt='Screenshot: Attach permission policy to IAM role'>
+</p>
+
+- You can skip `Add tags` page, click `Next: Review`.
+- Give your new role a name, such as `AWSLambdaBasicExecutionRole-Intents`, then click `Create role` button. You should be able to find your new role in the roles list now.
+
+#### Create a Lambda function and add code
+
+Next you need to create a Lambda function.
+
+- Click `Service` in top navigation bar, expand the menu to display all AWS services, click `Lambda` under `Compute` section to navigate to Lambda console. Or you may use this [link](https://console.aws.amazon.com/lambda/home)
+- **IMPORTANT** Your current region will be displayed on the top right corner, make sure you select right region base on your Amazon account's country:
+  * **US East (N.Virginia)** region for English (US) or English (CA) skills
+  * **EU (Ireland)** region for English (UK), English (IN), German (DE), Spanish (ES) or French (FR) skills
+  * **US West (Oregon)** region for Japanese and English (AU) skills. 
+- Click `Functions` in the left navigation bar, display list of your Lambda functions.
+- Click `Create function`, select `Author from scratch`, then input a `Function name`.
+- Select *Python 3.6* or *Python 3.7* as `Runtime`.
+- Select *Use an existing role* as `Execution role`, then select the role you just created from the `Existing role` list.
+- Click `Create function`, then you can config detail of Lambda function.
+- Under `Configuration` tab, expand `Designer`, then click `Alexa Skills Kit` in the left part of the panel to add a Alexa Skills Kit trigger to your Lambda function.
+- Scroll down little bit, you need to input the `Skill ID` from the skill you created in previous step. (You may need to switch back to the Alexa Developer Console to copy the `Skill ID`.)
+- Click your Lambda Function icon in the middle of the diagram and scroll down, you will see a `Function code` window.
+- Clear the example code and copy the Python script from: [https://gist.github.com/lpomfrey/97381cf4316553b03622c665ae3a47da](https://gist.github.com/lpomfrey/97381cf4316553b03622c665ae3a47da)
+- Scroll down again and you will find `Environment variables`, add the following environment variables as needed:
+  * BASE_URL *(required)*: your Home Assistant instance's Internet accessible URL with port if needed. *Do not include the trailing `/`*.
+  * NOT_VERIFY_SSL *(optional)*: set to *True* to ignore the SSL issue, if you don't have a valid SSL certificate or you are using self-signed certificate.
+  * DEBUG *(optional)*: set to *True* to log debugging messages.
+  * LONG_LIVED_ACCESS_TOKEN *(optional, not recommended)*: you will connect your Alexa Custom skill with your Home Assistant user account in the later steps, so that you don't need to use long-lived access token here. However, the access token you got from login flow is only valid for 30 minutes. It will be hard for you to test lambda function with the access token in test data. So for your convinces, you can remove the access token from the test data, [generate a long-lived access token][generate-long-lived-access-token] put here, then the function will fall back to reading the token from environment variables. (tips: You did not enable the security storage for your environment variables, so your token saved here is not that safe. You should only use it for debugging and testing purpose. You should remove and delete the long-lived access token after you finish the debugging.) 
+
+<p class='img'>
+  <img src='/images/integrations/alexa/lambda_function_env_var.png' alt='Screenshot: Environment variables in Lambda function'>
+</p>
+
+- Now scroll up to the top and click the `Save` button.
+- Next, copy the ARN displayed in the top of the page, which is the identify of this Lambda function. Set the end point of the custom Alexa Skill you created earlier to this value.
+
+### Account Linking
+
+Alexa can link your Amazon account to your Home Assistant account. Therefore Home Assistant can make sure only authenticated Alexa requests are actioned. In order to link the account, you have to make sure your Home Assistant can be accessed from Internet.
+
+- Sign in to the [Alexa Developer Console][alexa-dev-console] and go to the `Alexa Skills` page.
+- Find the skill you just created and click `Edit` in the `Actions` column.
+- Click `ACCOUNT LINKING` in the left navigation bar of build page
+- Input all information required. Assuming your Home Assistant can be accessed by https://[YOUR HOME ASSISTANT URL:PORT]
+  * `Authorization URI`: https://[YOUR HOME ASSISTANT URL:PORT]/auth/authorize
+  * `Access Token URI`: https://[YOUR HOME ASSISTANT URL:PORT]/auth/token
+  * `Client ID`:
+    - https://pitangui.amazon.com/ if you are in US
+    - https://layla.amazon.com/ if you are in EU
+    - https://alexa.amazon.co.jp/ if you are in JP or AU
+    
+    The trailing slash is important here.
+
+  * `Client Secret`: input anything you like, Home Assistant does not check this field
+  * `Client Authentication Scheme`: make sure you selected *Credentials in request body*. Home Assistant does not support *HTTP Basic*.
+  * `Scope`: input `intent`. Home Assistant doesn't use this yet, we may use it in the future when we allow more fine-grained access control.
+- You can leave `Domain List` and `Default Access Token Expiration Time` as empty.
+
+<p class='img'>
+  <img src='/images/integrations/alexa/account_linking.png' alt='Screenshot: Account Linking'>
+</p>
+
+- Click `Save` button in the top right corner.
+- Next, you will use the Alexa Mobile App or [Alexa web-based app](#alexa-web-based-app) to link your account.
+  * Open the Alexa app, navigate to `Skills` -> `Your Skills` -> `Dev Skills`
+  * Click the Custom skill you just created.
+  * Click `Enable`.
+  * A new window will open to direct you to your Home Assistant's login screen.
+  * After you successfully login, you will be redirected back to Alexa app.
+
 ### Configuring your Amazon Alexa skill

 Alexa works based on intents. Each intent has a name and variable slots. For example, a `LocateIntent` with a slot that contains a `User`. Example intent schema:
@ -266,3 +344,4 @@ Alexa will now respond with a random phrase each time. You can use the include f
 [large-icon]: /images/integrations/alexa/alexa-512x512.png
 [small-icon]: /images/integrations/alexa/alexa-108x108.png
 [templates]: /topics/templating/
+[generate-long-lived-access-token]: https://developers.home-assistant.io/docs/en/auth_api.html#long-lived-access-token
--- a/source/_integrations/alexa.smart_home.markdown
+++ b/source/_integrations/alexa.smart_home.markdown
@ -37,7 +37,7 @@ For Home Assistant Cloud Users, documentation can be found [here](https://www.na

 - Amazon Developer Account. You can sign on [here](https://developer.amazon.com).
 - An [AWS account](https://aws.amazon.com/free/) is need if you want to use Smart Home Skill API. Part of your Smart Home Skill will be hosted on [AWS Lambda](https://aws.amazon.com/lambda/pricing/). However you don't need worry the cost, AWS Lambda allow free to use up to 1 millions requests and 1GB outbound data transfer per month.
- Smart Home API also needs your Home Assistant instance can be accessed from Internet. We strongly suggest you host HTTPS server and use validation certificate. Read more on [our blog](/blog/2015/12/13/setup-encryption-using-lets-encrypt/) about how to set up encryption for Home Assistant. When running Hass.io, using the [Let's Encrypt](/addons/lets_encrypt/) and [Duck DNS](/addons/duckdns/) add-ons is the easiest method.
+- Smart Home API also needs your Home Assistant instance can be accessed from Internet. We strongly suggest you host HTTPS server and use validation certificate. Read more on [our blog](/blog/2015/12/13/setup-encryption-using-lets-encrypt/) about how to set up encryption for Home Assistant. When running Hass.io using the [Duck DNS](/addons/duckdns/) add-on is the easiest method.

 ### Create Your Amazon Alexa Smart Home Skill

@ -46,7 +46,9 @@ For Home Assistant Cloud Users, documentation can be found [here](https://www.na
 - Input `Skill name` as you like, select your skill's `Default language`.
 - Select `Smart Home` and `Provision your own`, then click `Create skill` button at top right corner.

+<p class='img'>
  <img src='/images/integrations/alexa/create_a_new_skill.png' alt='Screenshot: Create Smart Home skill'>
+</p>

 - In next screen, make sure *v3* is selected in `Payload version`.
 - Now, you have created a skeleton of Smart Home skill. Next step we will do some "real" developer work. You can keep Alex Developer Console opened, we need change the skill configuration later.
@ -75,7 +77,9 @@ First thing you need to do after sing in [AWS console](https://console.aws.amazo
 - Click `Roles` in the left panel, then click `Create role`, select `AWS Service` -> `Lambda` in the first page of the wizard, then click `Next: Permissions`
 - Select `AWSLambdaBasicExecutionRole` policy, then click `Next: Tags`. (Tips: you can use the search box to filter the policy)

+<p class='img'>
  <img src='/images/integrations/alexa/create_iam_role_attach_permission.png' alt='Screenshot: Attach permission policy to IAM role'>
+</p>

 - You can skip `Add tags` page, click `Next: Review`.
 - Give your new role a name, such as `AWSLambdaBasicExecutionRole-SmartHome`, then click `Create role` button. You should be able to find your new role in the roles list now.
@ -97,13 +101,16 @@ Next you need create a Lambda function.
 - Under `Configuration` tab, expand `Designer`, then click `Alexa Smart Home` in the left part of the panel to add a Alexa Smart Home trigger to your Lambda function.
 - Scroll down little bit, you need input the `Skill ID` from the skill you created in previous step. (tips: you may need switch back to Alexa Developer Console to copy the `Skill ID`.
 - Click your Lambda Function icon in the middle of the diagram, scroll down you will see a `Function code` window.
- Clear the example code, copy the Python script from: <https://gist.github.com/matt2005/744b5ef548cc13d88d0569eea65f5e5b> (modified code to support Alexa's proactive mode, see details below)
+- Clear the example code, copy the Python script from: [https://gist.github.com/matt2005/744b5ef548cc13d88d0569eea65f5e5b](https://gist.github.com/matt2005/744b5ef548cc13d88d0569eea65f5e5b) (modified code to support Alexa's proactive mode, see details below)
 - Scroll down a little bit, you will find `Environment variables`, you need add 4 environment variables:
  * BASE_URL *(required)*: your Home Assistant instance's Internet accessible URL with port if needed. *Do not include the trailing `/`*.
  * NOT_VERIFY_SSL *(optional)*: you can set it to *True* to ignore the SSL issue, if you don't have a valid SSL certificate or you are using self-signed certificate.
  * DEBUG *(optional)*: set to *True* to log the debug message
  * LONG_LIVED_ACCESS_TOKEN *(optional, not recommend)*: you will connect your Alexa Smart Home skill with your Home Assistant user account in the later steps, so that you don't need to use long-lived access token here. However, the access token you got from login flow is only valid for 30 minutes. It will be hard for you to test lambda function with the access token in test data. So for your convinces, you can remove the access token from the test data, [generate a long-lived access token][generate-long-lived-access-token] put here, then the function will fall back to read token from environment variables. (tips: You did not enable the security storage for your environment variables, so your token saved here is not that safe. You should only use it for debugging and testing purpose. You should remove and delete the long-lived access token after you finish the debugging.) 
+
+<p class='img'>
  <img src='/images/integrations/alexa/lambda_function_env_var.png' alt='Screenshot: Environment variables in Lambda function'>
+</p>

 - Now scroll up to the top, click `Save` button.
 - You need copy the ARN displayed in the top of the page, which is the identify of this Lambda function. You will need this ARN to continue Alexa Smart Home skill configuration later.
@ -178,7 +185,9 @@ Alexa can link your Amazon account to your Home Assistant account. Therefore Hom
  * `Scope`: input `smart_home`, Home Assistant is not using it yet, we may use it in the future when we allow more fine-grained access control.
 - You can leave `Domain List` and `Default Access Token Expiration Time` as empty.

+<p class='img'>
  <img src='/images/integrations/alexa/account_linking.png' alt='Screenshot: Account Linking'>
+</p>

 - Click `Save` button in the top right corner.
 - Next, you will use Alexa Mobile App or [Alexa web-based app](#alexa-web-based-app) to link your account.