Automate Candidate's Certificate Generation

This is a follow up from the Secure Signed Image guide on using signed image as building block for certificate.

In this guide, we will explore one of the techniques to automate the generation of signed URL.


You will need,

  1. AWS account to access AWS Lambda

  2. Airtable account

  3. Integromat account

  4. A working template to generate secure signed image. Please check the previous guide linked above.

To be pedantic, this part involves a very small amount of code. So, maybe it's low-code rather than no-code. Either way, it is pretty straight forward to follow.


Deploying AWS Lambda Function

This is the part where very small amount of code is involved. So we will do this first.

Creating Lambda Function

  1. Create a new lambda function named secure_signed_image.

  2. Paste the following modified code. In this example, the modification is similar to what we had from the previous tutorial. It is modified to work with AWS lambda function.

import json
import hmac
import hashlib
import base64

def base64_encode(string):
    Removes any `=` used as padding from the encoded string.
    encoded = base64.b64encode(string.encode())
    encoded = encoded.rstrip(b'=')
    return encoded

def generate_url(candidate):
  user_id = ""
  secret_key = ""
  base_id = ""

  modifications = [
    { "name": "text_candidate", "text": candidate }

  # ensure no spaces in json output
  encoded = json.dumps(modifications, separators=(',', ':'))
  encoded = base64_encode(encoded).decode()

  parameters = "{user_id}+{base_id}+{modifications}".format(user_id=user_id, base_id=base_id, modifications=encoded)

  signature =, parameters.encode(), hashlib.sha256).hexdigest()

  url = "{user_id}/{base_id}.png?modifications={modifications}&s={signature}".format(
  return url

def lambda_handler(event, context):
    # we read the name from the query string
    # i.e.
    candidate = event["queryStringParameters"]["name"]
    url = generate_url(candidate)
    resp = {
        "url": url
    return {
        'statusCode': 200,
        'body': json.dumps(resp)

Creating HTTP trigger

We need to set up HTTP trigger so we can call the URL publicly and execute our lambda function. One additional step we need to take care of is to ensure our trigger is proxied to our lambda so we can capture the query string properly.

Video Guide

The following video shows the setup one-by-one.

Setting up Airtable for automation

We will get our candidates' name from table in Airtable. Airtable needs to be set in certain ways to allow for Integromat automation.

For this example, we create 3 columns in which 2 columns are text and the last column (Last Modified) is a special Airtable column that tracks the last modified time. For this particular column, we only set the last modified time when the Name column is updated.

See the video for the process

Automate image generation with Airtable and Integromat

Now that we have launched our function to AWS Lambda and Airtable ready for integration, we can call the lambda function anytime to get back the signed URL.

The workflow basically works like this,

  1. Airtable module watches for record update (this is why we need the Last Modified column)

  2. Get the value from the Name column and send a GET request to our lambda function with the name as a query string parameter. We also URL encode it.

  3. Once we get back the URL, we update the related record with the generated signed URL.

You can work on similar integration with Google Sheet.

Last updated