
Important

The blueprints and code samples provided in this section are for reference and demonstration purposes only, delivered on an "as-is" basis. While these resources help illustrate how to connect Veridas services with third-party platforms, the final implementation, testing, and ongoing maintenance are the sole responsibility of the client. Our team does not guarantee continuous updates, long-term compatibility, or dedicated technical support for these sample integrations.

Important

The following is a text extracted directly from the Veridas "Amazon Connect IVR Blueprint" repository, which includes all the artifacts required for the deployment of the Amazon Connect IVR Blueprint. If you are interested in deploying Amazon Connect IVR Blueprint in your AWS environment, please contact the Veridas team to gain access to the repository and begin your integration.

Amazon Connect IVR Blueprint

This project contains all required resources to deploy Veridas Amazon Connect IVR Blueprint into an AWS environment.

This blueprint enables a plug-and-play deployment of an integration for an IVR voice authentication scenario with Veridas services within Amazon Connect. Under the hood, it uses the following Veridas services:

  • VSS (Veridas Streaming Service): for receiving and processing audio from Amazon Connect via Amazon Kinesis Video Streams.
  • VCSP (Veridas Credential Service Provider): for generating, storing, and managing biometric credentials and handling authentication.

The deployment provides an AWS Lambda function that can be used to build a voice authentication scenario. Additionally, an example flow demonstrating the use of this Lambda function is included.

Deploy instructions

Important

This section assumes that the integrator has an AWS Amazon Connect active instance and possesses platform administration knowledge. No details regarding Amazon Connect administration are provided here. In case of any doubts, it is recommended to consult the official Amazon Connect documentation.

1. Configure authorization

As a prerequisite, authorization must be configured to grant Veridas access to Kinesis Video Streams streams. Follow the steps in the authorization section.

2. Configure AWS IAM

To give Amazon Connect IVR Blueprint the necessary permissions to deploy resources in your AWS account, an AWS user must be configured with the required permissions.

2.1. Create AWS Policy

Go to IAM > Policies, click on Create policy and fill in the following details (fields not listed here can be left with their default values):

  • Policy editor (JSON):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LambdaExecutionRole",
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:GetRole",
                "iam:DeleteRole",
                "iam:AttachRolePolicy",
                "iam:DetachRolePolicy",
                "iam:PassRole",
                "iam:ListRolePolicies",
                "iam:ListAttachedRolePolicies",
                "iam:ListInstanceProfilesForRole"
            ],
            "Resource": "arn:aws:iam::<AWS_ACCOUNT_ID>:role/lambda_exec_role*"
        },
        {
            "Sid": "LambdaRequestsLayer",
            "Effect": "Allow",
            "Action": [
                "lambda:PublishLayerVersion",
                "lambda:GetLayerVersion",
                "lambda:ListLayerVersions",
                "lambda:DeleteLayerVersion"
            ],
            "Resource": "*"
        },
        {
            "Sid": "LambdaFunction",
            "Effect": "Allow",
            "Action": [
                "lambda:CreateFunction",
                "lambda:UpdateFunctionCode",
                "lambda:GetFunction",
                "lambda:ListTags"
            ],
            "Resource": "arn:aws:lambda:<AWS_REGION>:<AWS_ACCOUNT_ID>:function:veridas_client*"
        },
        {
            "Sid": "LambdaFunctionVersions",
            "Effect": "Allow",
            "Action": "lambda:ListVersionsByFunction",
            "Resource": "*"
        },
        {
            "Sid": "LambdaCodeSigning",
            "Effect": "Allow",
            "Action": [
                "lambda:GetFunctionCodeSigningConfig",
                "lambda:GetFunctionConfiguration"
            ],
            "Resource": "arn:aws:lambda:<AWS_REGION>:<AWS_ACCOUNT_ID>:function:veridas_client*"
        },
        {
            "Sid": "LambdaFunctionDelete",
            "Effect": "Allow",
            "Action": "lambda:DeleteFunction",
            "Resource": "*"
        },
        {
            "Sid": "LambdaPermissions",
            "Effect": "Allow",
            "Action": [
                "lambda:AddPermission",
                "lambda:RemovePermission",
                "lambda:GetPolicy"
            ],
            "Resource": "arn:aws:lambda:<AWS_REGION>:<AWS_ACCOUNT_ID>:function:veridas_client*"
        },
        {
            "Sid": "ConnectFlow",
            "Effect": "Allow",
            "Action": [
                "connect:CreateContactFlow",
                "connect:UpdateContactFlowContent",
                "connect:DescribeContactFlow",
                "connect:ListContactFlows"
            ],
            "Resource": "arn:aws:connect:<AWS_REGION>:<AWS_ACCOUNT_ID>:instance/f1f87e8c-ae31-4f00-86dd-ea630fcd9fe5/contact-flow/*"
        },
        {
            "Sid": "ConnectFlowDelete",
            "Effect": "Allow",
            "Action": "connect:DeleteContactFlow",
            "Resource": "*"
        },
        {
            "Sid": "ConnectFlowDescribe",
            "Effect": "Allow",
            "Action": "connect:DescribeContactFlow",
            "Resource": "*"
        }
    ]
}
  • Policy name (choose a meaningful name): Veridas_IVR_Blueprint

Note

Note that the applied permissions are the minimum required to make Amazon Connect IVR Blueprint work. We recommend reviewing these permissions and verifying that they comply with security policies.
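
Five statements in the policy above grant their actions on Resource "*"; the check below, an added example that is not part of the Veridas repository, lists such statements and separates read-only ones from those that can change or delete resources. The embedded policy is an excerpt of the one above, and classifying actions as read-only by their Get/List/Describe prefix is a heuristic assumed here.

```python
import json

# Excerpt of the policy above: four of its statements, same content.
POLICY_JSON = """
{"Version": "2012-10-17", "Statement": [
  {"Sid": "LambdaFunction", "Effect": "Allow",
   "Action": ["lambda:CreateFunction", "lambda:UpdateFunctionCode",
              "lambda:GetFunction", "lambda:ListTags"],
   "Resource": "arn:aws:lambda:<AWS_REGION>:<AWS_ACCOUNT_ID>:function:veridas_client*"},
  {"Sid": "LambdaFunctionVersions", "Effect": "Allow",
   "Action": "lambda:ListVersionsByFunction", "Resource": "*"},
  {"Sid": "LambdaFunctionDelete", "Effect": "Allow",
   "Action": "lambda:DeleteFunction", "Resource": "*"},
  {"Sid": "ConnectFlowDelete", "Effect": "Allow",
   "Action": "connect:DeleteContactFlow", "Resource": "*"}
]}
"""

# Heuristic (assumption of this example): these verbs do not modify resources.
READ_ONLY = ("Get", "List", "Describe")


def _as_list(value):
    """IAM accepts a bare string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def wildcard_findings(policy):
    """Return (Sid, severity, mutating actions) for Allow statements on Resource "*"."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue  # statement is scoped to specific ARNs
        mutating = [a for a in _as_list(stmt.get("Action", []))
                    if not a.split(":", 1)[-1].startswith(READ_ONLY)]
        findings.append((stmt.get("Sid", "<no Sid>"),
                         "high" if mutating else "low", mutating))
    return findings


if __name__ == "__main__":
    for sid, severity, actions in wildcard_findings(json.loads(POLICY_JSON)):
        print(f"{severity:4}  {sid}: {', '.join(actions) or 'read-only actions'}")
```

Run against the full policy, it also reports LambdaRequestsLayer as high and ConnectFlowDescribe as low. lambda:DeleteFunction accepts a function ARN, so it can be scoped to the same function:veridas_client* resource the policy already uses for lambda:CreateFunction.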

2.2. Create AWS User group

Go to IAM > User groups, click on Create user group and fill in the following details (fields not listed here can be left with their default values):

  • User group name (choose a meaningful name): Veridas_IVR_Blueprint
  • Attach permissions policies: - Veridas_IVR_Blueprint (Customer managed)

2.3. Create AWS User

Go to IAM > Users, click on Create user and fill in the following details (fields not listed here can be left with their default values):

  • User name (choose a meaningful name): Veridas_IVR_Blueprint
  • Permissions options: Add user to group
  • User groups: Veridas_IVR_Blueprint

Note

Note that in this example a new user is created and assigned to the previously created User group. However, an already existing user could be assigned to the User group instead.

2.4. Create access key

Lastly, create a new access key for the created user so that it can be used from a local development environment to access AWS.

Click on the created user (Veridas_IVR_Blueprint in this example) and click on Create access key. Then click on Local code and click Next (understanding AWS recommendations). Finally, click on Create access key and save the generated Access key (<AWS_ACCESS_KEY>) and Secret access key (<AWS_ACCESS_SECRET_KEY>).

3. Configure AWS CLI

Deploying to AWS with Terraform requires the AWS CLI to be installed and configured with proper credentials and region settings, so Terraform can manage resources correctly.

3.1. Install AWS CLI

Before continuing, please make sure to install the AWS CLI.

3.2. Create local AWS profile

Once AWS CLI is installed, make sure to configure a new profile with the credentials generated for the new user.

$ aws configure --profile Veridas_IVR_Blueprint
AWS Access Key ID [None]: <AWS_ACCESS_KEY>
AWS Secret Access Key [None]: <AWS_ACCESS_SECRET_KEY>
Default region name [None]: <AWS_REGION>
Default output format [None]: json

This creates a new AWS CLI profile called Veridas_IVR_Blueprint, tied to the previously created user, that will be used for deploying.

4. Create a new terraform environment

Amazon Connect IVR Blueprint uses Terraform as a tool to deploy all the necessary Amazon Connect infrastructure and maintain change control. Make sure to install Terraform before continuing.

The entire source code is located within the src folder, which contains two subdirectories:

  • modules: Contains reusable Terraform modules with all the logic for creating resources.
  • environments: Contains environment-specific “root modules” (dev, staging, prod). Each environment has its own main.tf that calls the modules and a terraform.tfvars with environment-specific variables.

A default environment already exists and can be used, but for the sake of learning, let's create another environment and name it "sandbox". To do this, create a new folder called sandbox within environments and copy the main.tf and variables.tf from the default environment.

5. Fill in terraform variables

Using the template located in src/environments/terraform.tfvars.template, create a new terraform.tfvars file within the src/environments/sandbox/ directory and fill it with the following values:

  • aws_profile: Name of the previously created AWS profile (profiles are typically defined in the ~/.aws/credentials file).
  • aws_region: AWS region to be used to deploy resources.
  • amazon_connect_instance_id: Amazon Connect instance ID used to deploy the IVR flow.
  • base_url: URL provided by Veridas pointing to Veridas services.
  • apikey: API Key provided by Veridas to authenticate within Veridas services.
  • external_id: Unique value provided by the customer to Veridas to securely assume a role and prevent unauthorized access (see Authorization).

6. Deploy resources

Once the environment is fully described, start the deployment by running:

terraform init

This prepares the project directory by initializing the backend and downloading the providers. After that, to deploy the resources:

terraform apply -auto-approve

Note

If any change is required, run terraform apply again after applying the corresponding changes to the source code. Terraform will keep track of the changes for you.

When you no longer need the deployed resources, you can destroy them by running:

terraform destroy -auto-approve

Important

Although this Terraform code has been tested and verified, it is highly recommended that the client reviews which resources will be created, modified, or deleted in their AWS account before applying.
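
One way to do that review before `terraform apply -auto-approve`, as an added example that is not part of the Veridas repository: save the plan with `terraform plan -out=tfplan`, export it with `terraform show -json tfplan`, and compare its `resource_changes` against the identifiers in the Deployed resources table on this page. The sample plan below is constructed; the module name `ivr` and the `aws_s3_bucket.scratch` entry are made up for the demonstration.

```python
import json

# Identifiers from the "Deployed resources" table on this page.
EXPECTED = {
    "aws_lambda_layer_version.requests_layer",
    "aws_lambda_function.veridas_client",
    "aws_iam_role.lambda_exec",
    "aws_iam_role_policy_attachment.lambda_logs",
    "aws_lambda_permission.connect_invoke",
    "aws_connect_contact_flow.example_flow",
}

# Constructed sample of `terraform show -json tfplan`, trimmed to the fields used.
SAMPLE_PLAN = """
{"resource_changes": [
  {"address": "module.ivr.aws_lambda_function.veridas_client", "mode": "managed",
   "type": "aws_lambda_function", "name": "veridas_client",
   "change": {"actions": ["create"]}},
  {"address": "module.ivr.aws_iam_role.lambda_exec", "mode": "managed",
   "type": "aws_iam_role", "name": "lambda_exec",
   "change": {"actions": ["no-op"]}},
  {"address": "module.ivr.aws_connect_contact_flow.example_flow", "mode": "managed",
   "type": "aws_connect_contact_flow", "name": "example_flow",
   "change": {"actions": ["delete", "create"]}},
  {"address": "aws_s3_bucket.scratch", "mode": "managed",
   "type": "aws_s3_bucket", "name": "scratch",
   "change": {"actions": ["create"]}}
]}
"""


def review_plan(plan):
    """Return (address, actions, reason) for every change that needs a human look."""
    flagged = []
    for rc in plan.get("resource_changes", []):
        actions = rc["change"]["actions"]
        if actions == ["no-op"] or rc.get("mode") == "data":
            continue  # nothing changes, or it is only a data-source read
        reasons = []
        if f'{rc["type"]}.{rc["name"]}' not in EXPECTED:
            reasons.append("not in documented resource list")
        if "delete" in actions:
            reasons.append("destroys an existing resource")
        if reasons:
            flagged.append((rc["address"], "+".join(actions), "; ".join(reasons)))
    return flagged


if __name__ == "__main__":
    for address, actions, reason in review_plan(json.loads(SAMPLE_PLAN)):
        print(f"REVIEW {address} [{actions}]: {reason}")
```

When the list is empty or every entry has been accepted, `terraform apply tfplan` applies exactly the plan that was reviewed.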

7. Assign a phone

Once deployed, a new inbound flow named Example Flow sandbox will be available in your Amazon Connect instance. Assign an active phone number to this flow and start using it by making calls.

Example Flow sandbox is only an example that demonstrates what you can do with Veridas Amazon Connect IVR Blueprint and how to do it. Feel free to integrate voice authentication into your existing flows by using the deployed AWS Lambda Function API.

Deployed resources

| Resource Type | Name / Identifier | Purpose |
|---|---|---|
| AWS Lambda Layer | aws_lambda_layer_version.requests_layer | A reusable Lambda layer containing the requests Python library, which can be attached to multiple Lambda functions. |
| AWS Lambda Function | aws_lambda_function.veridas_client | Implements the Veridas client logic, includes environment variables (BASE_URL, APIKEY, EXTERNAL_ID), and attaches the requests layer (see AWS Lambda Function API). |
| IAM Role for Lambda | aws_iam_role.lambda_exec | Role assumed by the Lambda function to execute with proper permissions. |
| IAM Role Policy Attachment | aws_iam_role_policy_attachment.lambda_logs | Attaches the AWS-managed policy AWSLambdaBasicExecutionRole to the Lambda role, granting basic logging permissions. |
| Lambda Permission for Connect | aws_lambda_permission.connect_invoke | Allows Amazon Connect to invoke the Lambda function when needed. |
| Amazon Connect Contact Flow | aws_connect_contact_flow.example_flow | Creates a custom contact flow in the specified Amazon Connect instance using the JSON workflow file (example_workflow.json). |

Once deployed, Example Flow must be assigned to a valid number in Amazon Connect so that new incoming calls can be redirected to it.

Be aware that Example Flow is just an example of how to use the deployed resources to set up a voice authentication demo. Feel free to create new flows with your custom behavior using the deployed AWS Lambda Function API.

AWS Lambda Function API

The deployed Lambda function exposes an internal API that is invoked by Amazon Connect contact flows. It allows the contact flow to perform Veridas voice and biometric operations. The Lambda function uses an action parameter to determine which operation to execute.

Invocation

  • Source: Amazon Connect Contact Flow
  • Trigger: Lambda block within the contact flow
  • Input: event['Details']['Parameters'] dictionary, which must include:
    • action: string specifying the operation to perform (see below)
    • Other parameters required by the action (see below)
  • Output: JSON dictionary with the action result or empty {} if no response is needed

Supported actions

| Action | Parameters | Description | Output |
|---|---|---|---|
| vss_create_session | net_speech_duration | Creates a new VSS session for a call. | {} |
| vss_read_session | none | Reads the status of a VSS session. | { "status": <status>, "sample": <audio_file> } if finished, otherwise { "status": <status> } |
| vss_create_stream | none | Registers the Kinesis Video Stream for the current contact session with Veridas. | {} |
| vcsp_read_account | subject_id | Checks if a subject account exists in VCSP. | { "exists": true/false } |
| vcsp_delete_account | subject_id | Deletes a subject account from VCSP. | {} |
| vcsp_enroll | sample, subject_id, authenticity_threshold | Enrolls a subject’s voice sample in VCSP. | { "spoof": true/false } |
| vcsp_one_to_one_matching | sample, subject_id, authenticity_threshold, biometric_threshold | Performs 1:1 voice matching against a subject. | { "match": true/false, "spoof": true/false } |

Notes

  • The Lambda function automatically sanitizes subject_id values to contain only alphanumeric characters, _ or -.
  • stream_id is automatically set to the current Amazon Connect ContactId.
  • Environment variables BASE_URL, APIKEY, and EXTERNAL_ID are required to connect to Veridas APIs.
  • Any unsupported action will raise an error.
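
The input contract described above, written as a validator that can be used to test contact-flow parameters before they reach the Lambda function; this is an added example, not the code of the deployed veridas_client function. It assumes that sanitization drops disallowed characters, that "alphanumeric" means ASCII letters and digits, and the sample event is constructed.

```python
import re

# Required parameters per action, from the "Supported actions" table.
REQUIRED = {
    "vss_create_session": ("net_speech_duration",),
    "vss_read_session": (),
    "vss_create_stream": (),
    "vcsp_read_account": ("subject_id",),
    "vcsp_delete_account": ("subject_id",),
    "vcsp_enroll": ("sample", "subject_id", "authenticity_threshold"),
    "vcsp_one_to_one_matching": ("sample", "subject_id",
                                 "authenticity_threshold", "biometric_threshold"),
}

# Constructed Amazon Connect event, reduced to the fields read below.
SAMPLE_EVENT = {"Details": {
    "ContactData": {"ContactId": "constructed-contact-id-0001"},
    "Parameters": {"action": "vcsp_read_account", "subject_id": "+34 600-000 000"},
}}


def sanitize_subject_id(raw):
    """Keep only ASCII alphanumerics, '_' and '-' (assumed: other characters are dropped)."""
    cleaned = re.sub(r"[^A-Za-z0-9_-]", "", str(raw))
    if not cleaned:
        raise ValueError("subject_id is empty after sanitization")
    return cleaned


def parse_request(event):
    """Validate event['Details']['Parameters'] and return (action, request dict)."""
    params = event["Details"]["Parameters"]
    action = params.get("action")
    if action not in REQUIRED:
        raise ValueError(f"unsupported action: {action!r}")
    missing = [p for p in REQUIRED[action] if params.get(p) in (None, "")]
    if missing:
        raise ValueError(f"{action} is missing parameters: {', '.join(missing)}")
    request = {p: params[p] for p in REQUIRED[action]}
    if "subject_id" in request:
        request["subject_id"] = sanitize_subject_id(request["subject_id"])
    # stream_id is always the current ContactId, never a caller-supplied value.
    request["stream_id"] = event["Details"]["ContactData"]["ContactId"]
    return action, request


if __name__ == "__main__":
    print(parse_request(SAMPLE_EVENT))
```

Sanitization of this kind is lossy: under the assumption above, "john.doe" and "johndoe" become the same subject_id, so the value passed from the contact flow should already be a unique identifier within the allowed alphabet.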