Alexa Smart Home Skill Adapter for Home Assistant

lambda_function.py

"""
Copyright 2019 Jason Hu <awaregit at gmail.com>

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
"""
import os
import json
import logging
import urllib3

_debug = bool(os.environ.get('DEBUG'))

_logger = logging.getLogger('HomeAssistant-SmartHome')
_logger.setLevel(logging.DEBUG if _debug else logging.INFO)


def lambda_handler(event, context):
    """Handle incoming Alexa directive."""
    
    _logger.debug('Event: %s', event)

    base_url = os.environ.get('BASE_URL')
    assert base_url is not None, 'Please set BASE_URL environment variable'
    base_url = base_url.strip("/")

    directive = event.get('directive')
    assert directive is not None, 'Malformatted request - missing directive'
    assert directive.get('header', {}).get('payloadVersion') == '3', \
        'Only support payloadVersion == 3'
    
    scope = directive.get('endpoint', {}).get('scope')
    if scope is None:
        # token is in grantee for Linking directive 
        scope = directive.get('payload', {}).get('grantee')
    if scope is None:
        # token is in payload for Discovery directive 
        scope = directive.get('payload', {}).get('scope')
    assert scope is not None, 'Malformatted request - missing endpoint.scope'
    assert scope.get('type') == 'BearerToken', 'Only support BearerToken'

    token = scope.get('token')
    if token is None and _debug:
        token = os.environ.get('LONG_LIVED_ACCESS_TOKEN')  # only for debug purpose
    
    verify_ssl = not bool(os.environ.get('NOT_VERIFY_SSL'))
    
    http = urllib3.PoolManager(
        cert_reqs='CERT_REQUIRED' if verify_ssl else 'CERT_NONE',
        timeout=urllib3.Timeout(connect=2.0, read=10.0)
    )
    
    response = http.request(
        'POST', 
        '{}/api/alexa/smart_home'.format(base_url),
        headers={
            'Authorization': 'Bearer {}'.format(token),
            'Content-Type': 'application/json',
        },
        body=json.dumps(event).encode('utf-8'),
    )
    if response.status >= 400:
        return {
            'event': {
                'payload': {
                    'type': 'INVALID_AUTHORIZATION_CREDENTIAL' 
                            if response.status in (401, 403) else 'INTERNAL_ERROR',
                    'message': response.data.decode("utf-8"),
                }
            }
        }
    _logger.debug('Response: %s', response.data.decode("utf-8"))
    return json.loads(response.data.decode('utf-8'))

Hi Guys, i have a little Problem. I have a DS-Lite Connection at home so i'm using AAAA Records to remote-Access my Home-Assistant via IPV6. But unfortunately this Code doesn't work for me for some reasons... I can normally access my HomeAssistant and i even get a "405" when entering https://YOUR-HA-URL:YOUR-PORT/api/alexa/smart_home , wherever i am. But why can't the Lambda function conntect to my HA... error message as follows:

I hope someone can help me... don't know what to do.. or is the Lambda Function just unable to do ipv6 connections? Thanks in advance!

Hi Guys, i have a little Problem. I have a DS-Lite Connection at home so i'm using AAAA Records to remote-Access my Home-Assistant via IPV6. But unfortunately this Code doesn't work for me for some reasons... I can normally access my HomeAssistant and i even get a "405" when entering https://YOUR-HA-URL:YOUR-PORT/api/alexa/smart_home , wherever i am. But why can't the Lambda function conntect to my HA... error message as follows:
I hope someone can help me... don't know what to do.. or is the Lambda Function just unable to do ipv6 connections? Thanks in advance!

Did you find any solution?

Hello

@GamingMaker
@mandarBadve

Did you find any solution?

@Sonorc The lamba will not hit your IP6 addresss. It will only resolve IP4 addresses. You can use CloudFlare (no cost) to get an IP4 address (on a CloudFlare server) that you then tunnel into your IP6 host.

I finally got the Alexa account to link by:

1. setup a cloudflare tunnel (gives me the public IP4 addr) that
2. tunnels to a CNAME entry maintained by DDNS (Synology's built-in service supports IP6)
3. CNAME IP resolves to my NAS IP directly (router forwards port 443 is to NAS)
4. A reverse proxy (Synology Login Portal) translates the incoming address (https://my-cloudflare-domain:443) to http://localhost:8123/.

@stalsma thanks.

Hi everyone,

I´ve tried to follow this guide carefully, but it does not work for me even though I got everything connected. Testing the lambda function with the access token seems to work, but it returns an empty list of endpoints:

{
  "event": {
    "header": {
      "namespace": "Alexa.Discovery",
      "name": "Discover.Response",
      "messageId": "7be269dc-01b6-4eb8-9184-313063f33557",
      "payloadVersion": "3"
    },
    "payload": {
      "endpoints": []
    }
  }
}

My home assistant lists a few sensors when checking https://{home_assistant_url}/config/voice-assistants/expose and these sensors are visible at the Dashboard and appear online. But still, the list of endpoints is empty, so Alexa is anable to add any devices.

I added this (no filtering) into my configuration.yaml:

`alexa:
  smart_home:`

I am quite new to home assistant so this might be a simple configuration mistake by myself.

I am using Home Assistant Supervised version 2024.11.2 running on Ubuntu 24.04 Server

@Pandafuchs
The script itself is IPv6 compatible it's the lambda function that needs to be IPv6 compatible. I managed to do it with a VPC that has IPv4 and IPv6 subnets and can connect to the internet via routing and gateway (VPC specific).
Only thing still not working for me is the account linking process.

@pascal260303, I am also facing issues regarding the account linking... I have tried various combinations of AWS locations, skill languages, client ids, etc. and also moved away from cloudflare proxies. I can see that the Discovery example is working fine, but during the linking process I get a blank page with the URL being external/link-result?success=false. Would love to know how to debug this

Edit: Just updated the Alexa app. However, instead of a blank page I get "Alexa couldn't find a new device to connect."

With my setup, which has a public static IP address, Nginx add-on, Let's Encrypt ( NO Cloudflare), the integration works only with port 443.

Fortunately, there is another solution that works with a custom SSL port.
https://indomus.it/guide/integrare-gratuitamente-amazon-echo-alexa-con-home-assistant-via-haaska-e-aws/

Personally speaking, I did this way years ago, and it worked until I decided to try the new way according to the official documentation, and I ended up losing some days.

Official documentation should underline that only 443 port MUST be used.

I hope this helps others.

You shouldn't have to open port 443 if you have an external domain already setup for HA, what you probably missed is turning off bot mitigation within cloudflare (assuming that's what you use for remote access) - that breaks this alexa skill if bot mitigation is turned on.

…

On Fri, Mar 28, 2025 at 3:45 PM mfaugiana ***@***.***> wrote: ***@***.**** commented on this gist. ------------------------------ About the account linking failure, I made it work using port 443; using a different port doesn't work. Once linked, I did change the port in the Lambda function and HA — Reply to this email directly, view it on GitHub <https://gist.github.com/matt2005/744b5ef548cc13d88d0569eea65f5e5b#gistcomment-5517378> or unsubscribe <https://github.com/notifications/unsubscribe-auth/AQS7PPN4OX67SOXUJ5DSFVD2WW7INBFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVA4TOMBTGAYDAMVHORZGSZ3HMVZKMY3SMVQXIZI> . You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> .

every 4 days I have these log messages with Amazon IPs and I don't know exactly if it's related to that script, but everything it's working fine. I also use the Ireland endpoint for European accounts, I have a geoip blocker for non Ireland ips and these ones seems from USA, I don't know how to figure out if it's comming from AWS, alexa developer console or also can be related to Alexa Media Player which is not related to that but I don't expect.

[homeassistant] 2025-03-31 08:01:44.685 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 72.21.217.139 (72.21.217.139). Requested URL: '/auth/token'. (Apache-HttpClient/UNAVAILABLE (Java/1.8.0_432))
	
[homeassistant] 2025-03-27 06:35:33.106 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 72.21.217.98 (72.21.217.98). Requested URL: '/auth/token'. (Apache-HttpClient/UNAVAILABLE (Java/1.8.0_432))
	
[homeassistant] 2025-03-23 10:56:06.647 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 54.239.98.30 (54.239.98.30). Requested URL: '/auth/token'. (Apache-HttpClient/UNAVAILABLE (Java/1.8.0_432))
	
[homeassistant] 2025-03-19 12:47:52.931 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 72.21.217.18 (72.21.217.18). Requested URL: '/auth/token'. (Apache-HttpClient/UNAVAILABLE (Java/1.8.0_432))
	
[homeassistant] 2025-03-15 11:33:52.312 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 72.21.217.143 (72.21.217.143). Requested URL: '/auth/token'. (Apache-HttpClient/UNAVAILABLE (Java/1.8.0_432))
	
[homeassistant] 2025-03-11 12:38:33.360 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 54.239.98.38 (54.239.98.38). Requested URL: '/auth/token'. (Apache-HttpClient/UNAVAILABLE (Java/1.8.0_432))
	
[homeassistant] 2025-03-07 18:31:23.417 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 72.21.217.46 (72.21.217.46). Requested URL: '/auth/token'. (Apache-HttpClient/UNAVAILABLE (Java/1.8.0_432))