Research
Security News
Malicious npm Package Targets Solana Developers and Hijacks Funds
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
serverless-python-requirements
Advanced tools
A Serverless Framework plugin to automatically bundle dependencies from requirements.txt
and make them available in your PYTHONPATH
.
Originally developed by Capital One, now maintained in scope of Serverless, Inc
Capital One considers itself the bank a technology company would build. It's delivering best-in-class innovation so that its millions of customers can manage their finances with ease. Capital One is all-in on the cloud and is a leader in the adoption of open source, RESTful APIs, microservices and containers. We build our own products and release them with a speed and agility that allows us to get new customer experiences to market quickly. Our engineers use artificial intelligence and machine learning to transform real-time data, software and algorithms into the future of finance, reimagined.
sls plugin install -n serverless-python-requirements
This will automatically add the plugin to your project's package.json
and the plugins section of its
serverless.yml
. That's all that's needed for basic use! The plugin will now bundle your python
dependencies specified in your requirements.txt
or Pipfile
when you run sls deploy
.
For a more in depth introduction on how to use this plugin, check out this post on the Serverless Blog
If you're on a mac, check out these notes about using python installed by brew.
Compiling non-pure-Python modules or fetching their manylinux wheels is
supported on non-linux OSs via the use of Docker and official AWS build images.
To enable docker usage, add the following to your serverless.yml
:
custom:
pythonRequirements:
dockerizePip: true
The dockerizePip option supports a special case in addition to booleans of 'non-linux'
which makes
it dockerize only on non-linux environments.
To utilize your own Docker container instead of the default, add the following to your serverless.yml
:
custom:
pythonRequirements:
dockerImage: <image name>:tag
This must be the full image name and tag to use, including the runtime specific tag if applicable.
Alternatively, you can define your Docker image in your own Dockerfile and add the following to your serverless.yml
:
custom:
pythonRequirements:
dockerFile: ./path/to/Dockerfile
With Dockerfile
the path to the Dockerfile that must be in the current folder (or a subfolder).
Please note the dockerImage
and the dockerFile
are mutually exclusive.
To install requirements from private git repositories, add the following to your serverless.yml
:
custom:
pythonRequirements:
dockerizePip: true
dockerSsh: true
The dockerSsh
option will mount your $HOME/.ssh/id_rsa
and $HOME/.ssh/known_hosts
as a
volume in the docker container.
In case you want to use a different key, you can specify the path (absolute) to it through dockerPrivateKey
option:
custom:
pythonRequirements:
dockerizePip: true
dockerSsh: true
dockerPrivateKey: /home/.ssh/id_ed25519
If your SSH key is password protected, you can use ssh-agent
because $SSH_AUTH_SOCK
is also mounted & the env var is set.
It is important that the host of your private repositories has already been added in your
$HOME/.ssh/known_hosts
file, as the install process will fail otherwise due to host authenticity
failure.
You can also pass environment variables to docker by specifying them in dockerEnv
option:
custom:
pythonRequirements:
dockerEnv:
- https_proxy
:checkered_flag: Windows notes
Requires pipenv
in version 2022-04-08
or higher.
If you include a Pipfile
and have pipenv
installed, this will use pipenv
to generate requirements instead of a requirements.txt
. It is fully compatible with all options such as zip
and
dockerizePip
. If you don't want this plugin to generate it for you, set the following option:
custom:
pythonRequirements:
usePipenv: false
If you include a pyproject.toml
and have poetry
installed instead of a requirements.txt
this will use
poetry export --without-hashes -f requirements.txt -o requirements.txt --with-credentials
to generate them. It is fully compatible with all options such as zip
and
dockerizePip
. If you don't want this plugin to generate it for you, set the following option:
custom:
pythonRequirements:
usePoetry: false
Be aware that if no poetry.lock
file is present, a new one will be generated on the fly. To help having predictable builds,
you can set the requirePoetryLockFile
flag to true to throw an error when poetry.lock
is missing.
custom:
pythonRequirements:
requirePoetryLockFile: false
If your Poetry configuration includes custom dependency groups, they will not be installed automatically. To include them in the deployment package, use the poetryWithGroups
, poetryWithoutGroups
and poetryOnlyGroups
options which wrap poetry export
's --with
, --without
and --only
parameters.
custom:
pythonRequirements:
poetryWithGroups:
- internal_dependencies
- lambda_dependencies
Poetry by default generates the exported requirements.txt file with -e
and that breaks pip with -t
parameter
(used to install all requirements in a specific folder). In order to fix that we remove all -e
from the generated file but,
for that to work you need to add the git dependencies in a specific way.
Instead of:
[tool.poetry.dependencies]
bottle = {git = "git@github.com/bottlepy/bottle.git", tag = "0.12.16"}
Use:
[tool.poetry.dependencies]
bottle = {git = "https://git@github.com/bottlepy/bottle.git", tag = "0.12.16"}
Or, if you have an SSH key configured:
[tool.poetry.dependencies]
bottle = {git = "ssh://git@github.com/bottlepy/bottle.git", tag = "0.12.16"}
To help deal with potentially large dependencies (for example: numpy
, scipy
and scikit-learn
) there is support for compressing the libraries. This does
require a minor change to your code to decompress them. To enable this add the
following to your serverless.yml
:
custom:
pythonRequirements:
zip: true
and add this to your handler module before any code that imports your deps:
try:
import unzip_requirements
except ImportError:
pass
Works on non 'win32' environments: Docker, WSL are included
To remove the tests, information and caches from the installed packages,
enable the slim
option. This will: strip
the .so
files, remove __pycache__
and dist-info
directories as well as .pyc
and .pyo
files.
custom:
pythonRequirements:
slim: true
To specify additional directories to remove from the installed packages,
define a list of patterns in the serverless config using the slimPatterns
option and glob syntax. These patterns will be added to the default ones (**/*.py[c|o]
, **/__pycache__*
, **/*.dist-info*
).
Note, the glob syntax matches against whole paths, so to match a file in any
directory, start your pattern with **/
.
custom:
pythonRequirements:
slim: true
slimPatterns:
- '**/*.egg-info*'
To overwrite the default patterns set the option slimPatternsAppendDefaults
to false
(true
by default).
custom:
pythonRequirements:
slim: true
slimPatternsAppendDefaults: false
slimPatterns:
- '**/*.egg-info*'
This will remove all folders within the installed requirements that match
the names in slimPatterns
In some cases, stripping binaries leads to problems like "ELF load command address/offset not properly aligned", even when done in the Docker environment. You can still slim down the package without *.so
files with:
custom:
pythonRequirements:
slim: true
strip: false
Another method for dealing with large dependencies is to put them into a
Lambda Layer.
Simply add the layer
option to the configuration.
custom:
pythonRequirements:
layer: true
The requirements will be zipped up and a layer will be created automatically. Now just add the reference to the functions that will use the layer.
functions:
hello:
handler: handler.hello
layers:
- Ref: PythonRequirementsLambdaLayer
If the layer requires additional or custom configuration, add them onto the layer
option.
custom:
pythonRequirements:
layer:
name: ${self:provider.stage}-layerName
description: Python requirements lambda layer
compatibleRuntimes:
- python3.7
licenseInfo: GPLv3
allowedAccounts:
- '*'
You can omit a package from deployment with the noDeploy
option. Note that
dependencies of omitted packages must explicitly be omitted too.
This example makes it instead omit pytest:
custom:
pythonRequirements:
noDeploy:
- pytest
You can enable two kinds of caching with this plugin which are currently both ENABLED by default.
First, a download cache that will cache downloads that pip needs to compile the packages.
And second, a what we call "static caching" which caches output of pip after compiling everything for your requirements file.
Since generally requirements.txt
files rarely change, you will often see large amounts of speed improvements when enabling the static cache feature.
These caches will be shared between all your projects if no custom cacheLocation
is specified (see below).
Please note: This has replaced the previously recommended usage of "--cache-dir" in the pipCmdExtraArgs
custom:
pythonRequirements:
useDownloadCache: true
useStaticCache: true
There are two additional options related to caching.
You can specify where in your system that this plugin caches with the cacheLocation
option.
By default it will figure out automatically where based on your username and your OS to store the cache via the appdirectory module.
Additionally, you can specify how many max static caches to store with staticCacheMaxVersions
, as a simple attempt to limit disk space usage for caching.
This is DISABLED (set to 0) by default.
Example:
custom:
pythonRequirements:
useStaticCache: true
useDownloadCache: true
cacheLocation: '/home/user/.my_cache_goes_here'
staticCacheMaxVersions: 10
You can specify extra arguments supported by pip to be passed to pip like this:
custom:
pythonRequirements:
pipCmdExtraArgs:
- --compile
You can specify extra arguments to be passed to docker build during the build step, and docker run during the dockerized pip install step:
custom:
pythonRequirements:
dockerizePip: true
dockerBuildCmdExtraArgs: ['--build-arg', 'MY_GREAT_ARG=123']
dockerRunCmdExtraArgs: ['-v', '${env:PWD}:/my-app']
Some pip
workflows involve using requirements files not named
requirements.txt
.
To support these, this plugin has the following option:
custom:
pythonRequirements:
fileName: requirements-prod.txt
Note: this feature does not work with Pipenv/Poetry, it requires requirements.txt
files for your Python modules.
If you have different python functions, with different sets of requirements, you can avoid including all the unecessary dependencies of your functions by using the following structure:
├── serverless.yml
├── function1
│ ├── requirements.txt
│ └── index.py
└── function2
├── requirements.txt
└── index.py
With the content of your serverless.yml
containing:
package:
individually: true
functions:
func1:
handler: index.handler
module: function1
func2:
handler: index.handler
module: function2
The result is 2 zip archives, with only the requirements for function1 in the first one, and only the requirements for function2 in the second one.
Quick notes on the config file:
module
field must be used to tell the plugin where to find the requirements.txt
file for
each function.handler
field must not be prefixed by the folder name (already known through module
) as
the root of the zip artifact is already the path to your function.Sometimes your Python executable isn't available on your $PATH
as python2.7
or python3.6
(for example, windows or using pyenv).
To support this, this plugin has the following option:
custom:
pythonRequirements:
pythonBin: /opt/python3.6/bin/python
For certain libraries, default packaging produces too large an installation,
even when zipping. In those cases it may be necessary to tailor make a version
of the module. In that case you can store them in a directory and use the
vendor
option, and the plugin will copy them along with all the other
dependencies to install:
custom:
pythonRequirements:
vendor: ./vendored-libraries
functions:
hello:
handler: hello.handler
vendor: ./hello-vendor # The option is also available at the function level
The .requirements
and requirements.zip
(if using zip support) files are left
behind to speed things up on subsequent deploys. To clean them up, run:
sls requirements clean
You can also create them (and unzip_requirements
if
using zip support) manually with:
sls requirements install
The pip download/static cache is outside the serverless folder, and should be manually cleaned when i.e. changing python versions:
sls requirements cleanCache
If you are using your own Python library, you have to cleanup
.requirements
on any update. You can use the following option to cleanup
.requirements
everytime you package.
custom:
pythonRequirements:
invalidateCaches: true
Brew wilfully breaks the --target
option with no seeming intention to fix it
which causes issues since this uses that option. There are a few easy workarounds for this:
pythonBin
option.OR
OR
dockerizePip
option.Also, brew seems to cause issues with pipenv, so make sure you install pipenv using pip.
dockerizePip
notesFor usage of dockerizePip
on Windows do Step 1 only if running serverless on windows, or do both Step 1 & 2 if running serverless inside WSL.
Some Python packages require extra OS dependencies to build successfully. To deal with this, replace the default image with a Dockerfile
like:
FROM public.ecr.aws/sam/build-python3.9
# Install your dependencies
RUN yum -y install mysql-devel
Then update your serverless.yml
:
custom:
pythonRequirements:
dockerFile: Dockerfile
Some Python packages require extra OS libraries (*.so
files) at runtime. You need to manually include these files in the root directory of your Serverless package. The simplest way to do this is to use the dockerExtraFiles
option.
For instance, the mysqlclient
package requires libmysqlclient.so.1020
. If you use the Dockerfile from the previous section, add an item to the dockerExtraFiles
option in your serverless.yml
:
custom:
pythonRequirements:
dockerExtraFiles:
- /usr/lib64/mysql57/libmysqlclient.so.1020
Then verify the library gets included in your package:
sls package
zipinfo .serverless/xxx.zip
If you can't see the library, you might need to adjust your package include/exclude configuration in serverless.yml
.
If you wish to exclude most of the files in your project, and only include the source files of your lambdas and their dependencies you may well use an approach like this:
package:
individually: false
include:
- './src/lambda_one/**'
- './src/lambda_two/**'
exclude:
- '**'
This will be very slow. Serverless adds a default "**"
include. If you are using the cacheLocation
parameter to this plugin, this will result in all of the cached files' names being loaded and then subsequently discarded because of the exclude pattern. To avoid this happening you can add a negated include pattern, as is observed in https://github.com/serverless/serverless/pull/5825.
Use this approach instead:
package:
individually: false
include:
- '!./**'
- './src/lambda_one/**'
- './src/lambda_two/**'
exclude:
- '**'
This plugin is compatible with the Scaleway Serverless Framework Plugin to package dependencies for Python functions deployed on Scaleway. To use it, add the following to your serverless.yml
:
provider:
name: scaleway
runtime: python311
plugins:
- serverless-python-requirements
- serverless-scaleway-functions
To handle native dependencies, it's recommended to use the Docker builder with the image provided by Scaleway:
custom:
pythonRequirements:
# Can use any Python version supported by Scaleway
dockerImage: rg.fr-par.scw.cloud/scwfunctionsruntimes-public/python-dep:3.11
deploy --function
supportdeploymentBucket
dockerFile
option
to build a custom docker image, real per-function requirements, and the vendor
optionnoDeploy
support,
switched to adding files straight to zip instead of creating symlinks, and
improved pip cache support when using docker.slim
package optionslimPatternsAppendDefaults
option & fixing per-function packaging when some functions don't have requirements & Porting tests from bats to js!module
propertydockerPrivateKey
optionFAQs
Serverless Python Requirements Plugin
We found that serverless-python-requirements demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
Security News
Research
Socket researchers have discovered malicious npm packages targeting crypto developers, stealing credentials and wallet data using spyware delivered through typosquats of popular cryptographic libraries.
Security News
Socket's package search now displays weekly downloads for npm packages, helping developers quickly assess popularity and make more informed decisions.