Event-based image upload to AWS S3

Edge image analysis in Axis cameras is today focused on surveillance use-cases. At the same time there are so many more use-cases that can be solved, which we aim to describe in this article. The use of a 2nd opinion image analysis is a good approach to keep costs down and at the same time increase the quality of the total series of image analysis.

The first image analysis, performed at the edge in the camera, can be a motion detection that triggers an event capturing a series of snapshots automatically uploaded to AWS cloud for a 2nd opinion and deeper image analysis.

With an Axis network camera and its event system in combination with the AWS API Gateway, Lambda and S3 storage services, a secure upload of images can be accomplished. Amazon Rekognition service can then analyze the images from the S3 bucket to trigger further actions.

This article describes how to setup the cloud services needed and how to configure the event system in the Axis network camera to upload the images.

• A network camera from Axis Communications
• Install AWS CLI version 2
• Install AWS SAM Client
• Install Node.js

The solution setup is divided into two sections, one for the AWS setup and one for the Axis camera setup.

The AWS services and camera configurations needed in order to send an image to S3 is managed via an example application that can be downloaded from Axis Communications GitHub repository.

GitHub repository

The application consists of the following AWS resources:

• API Gateway
• Lambda functions
• Secret stored in Secrets Manager
• S3 bucket

As the camera is not able to sign requests using AWS Signature Version 4 we need to include a Lambda function to handle this step. Rather than sending images directly from the Axis camera to AWS S3 we instead send them to an API Gateway. The API Gateway delegates authorization to a Lambda authorizer that compares the provided access token to an access token stored in Secrets Manager. If the provided access token is deemed valid the API Gateway forwards the request to a Lambda function that proceeds with uploading the provided image to an AWS S3 bucket.

Clone GitHub repository

• The example application can be cloned from the GitHub repository: https://github.com/AxisCommunications/acap-integration-examples-aws
• After cloning the repository, navigate into the repository directory called “images-to-aws-s3” using your CLI terminal.

AWS Authentication

In your CLI terminal, start by authenticate the access to AWS.

Deployment of AWS resources

Now that you are authenticated against AWS, let's start with building and deploying the AWS services receiving the snapshots sent from a network camera.

The service resources are described in template.yaml using the AWS Serverless Application Model (AWS SAM).

Run:

sam build

sam deploy --guided

The first command will build the source of your application. The second command will package and deploy your application to AWS, with a series of prompts.

• Stack Name: The name of the stack to deploy to CloudFormation. This should be unique to your account and region, and a good starting point would be images-to-aws-s3 or something similar.
   
• AWS Region: The AWS region you want to deploy your app to.
   
• Confirm changes before deploy: If set to yes, any change sets will be shown to you before execution for manual review. If set to no, the AWS SAM CLI will automatically deploy application changes.
   
• Allow SAM CLI IAM role creation: This AWS SAM template creates AWS IAM roles required for the AWS Lambda function to access AWS services. By default, these are scoped down to minimum required permissions. Select Y to have SAM automatically create the roles.
   
• Save arguments to samconfig.toml: If set to Y, your choices will be saved to a configuration file inside the project, so that in the future you can just re-run sam deploy without parameters to deploy changes to your application.
   

SAM script output

After a successful deployment, navigate to your newly created AWS CloudFormation stack in the AWS Console. You'll find the AWS API Gateway forwarding requests to AWS Lambda, and the Lambda in turn will save the image snapshots into an AWS S3 bucket.

The deployed CloudFormation stack created three output parameters. One is called Recipient which defines the URL of the AWS API Gateway where cameras should send their snapshots. Another is called AccessToken and contains the URL to the secret API access token found in AWS Secret Manager. This API access token authorizes the camera and allows it to send snapshots.

Enter the link to the AccessToken in your browser to go directly to where you will find the secret. The secret is needed in your AWS API Gateway in order to authenticate the image upload.

In the camera you need to setup a HTTPS recipient to the AWS API Gateway and an event in the camera that is used as a trigger when an image should be uploaded.

Logon to the camera and navigate to the System tab and click on Events.

In the Recipients tab click the plus sign to add the API Gateway recipient URL. No username and password are needed here, the authentication is handled via the access token (AccessToken) that you will enter in the Rules section under custom CGI parameter. See next section.

In the Rules tab click the plus sign to add a condition for when to send an image to S3. Set post buffer to 1 second and the number of images to be sent (more information on how to capture an image snapshot can be found on AXIS OS Portal User manual). Add the AccessToken under Custom CGI parameters.

Logon to the AWS Console and go to S3 to verify that images are uploaded correctly.