Does AWS Lambda get-layer-version not work for cross-accounts?

Time:12-04

I have an AWS Layer in aws account A and a Lambda function referencing that layer in account B. I create the layer from account A and permissioned account B to it using:

aws lambda add-layer-version-permission \
    --layer-name myLayer \
    --version-number <#> \
    --statement-id sharingWithAccountB \
    --principal <accountB-Id> \
    --action lambda:GetLayerVersion

I am able to get the lambda function in account B to access the layer in account A via AWS SAM using the Layers property in my sam template, which is run assuming a role in account B:

Layers:
  - arn:aws:lambda:us-east-1:<accountA-id>:layer:myLayer:<#>

However, when I try to run below from account B:

aws lambda get-layer-version --layer-name myLayer --version-number <#>

I get this error:

An error occurred (ResourceNotFoundException) when calling the GetLayerVersion operation: The resource you requested does not exist.

Question 1: If SAM is just a wrapper on AWS Lambda, shouldn't the cross-account layer access work for "aws lambda get-layer-version" as well?

Question 2: Does add-layer-version-permission only support lambda:GetLayerVersion action? When I run it for action lambda:ListLayerVersions, I get below error:

An error occurred (ValidationException) when calling the AddLayerVersionPermission operation: 2 validation errors detected: Value 'lambda:ListLayerVersions' at 'action' failed to satisfy constraint: Member must satisfy regular expression pattern: lambda:GetLayerVersion; Value 'lambda:ListLayerVersions' at 'action' failed to satisfy constraint: Member must have length less than or equal to 22

The reason I am trying to give this permission is that I am trying to run `aws lambda list-layer-versions --layer-name arn:aws:lambda:us-east-1:<accounta#>:layer:myLayer`, but I get this error:

An error occurred (AccessDeniedException) when calling the ListLayerVersions operation: User: arn:aws:sts::accountB#:assumed-role/cloud-deployer/accountB-role is not authorized to perform: lambda:ListLayerVersions on resource: arn:aws:lambda:us-east-1:accountA#:layer:myLayer because no resource-based policy allows the lambda:ListLayerVersions action

CodePudding user response:

The layer name that you supply to get-layer-version can be either a layer name or a layer ARN. If you supply a simple name, such as mylayer, then nothing explicitly indicates which AWS account you want to query so the query runs against the AWS account associated with the credentials that you used, and that is account B, which has no such layer.

So, supply the full ARN of the layer with --layer-name. The query will then run against account A and find the layer. Obviously you need cross-account permission for this, which you have.
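An added pre-flight helper illustrating the two points above (a bare name is resolved in the caller's account, and the layer-version policy only accepts lambda:GetLayerVersion); it is example code, not from the question or answer. The 12-digit account ids are constructed placeholders, and the returned keyword names LayerName/VersionNumber match boto3's Lambda get_layer_version() call.

```python
from __future__ import annotations
import re

# Layer (version) ARN as shown in the question:
#   arn:aws:lambda:<region>:<account>:layer:<name>[:<version>]
LAYER_ARN_RE = re.compile(
    r"^arn:aws:lambda:(?P<region>[a-z0-9-]+):(?P<account>\d{12})"
    r":layer:(?P<name>[A-Za-z0-9_-]+)(?::(?P<version>\d+))?$"
)

# Constraints quoted in the ValidationException: the action must match the
# pattern lambda:GetLayerVersion and be at most 22 characters long.
ALLOWED_ACTION_RE = re.compile(r"^lambda:GetLayerVersion$")
MAX_ACTION_LENGTH = 22


def validate_permission_action(action: str) -> list[str]:
    """Return the errors AddLayerVersionPermission would raise for this action.

    An empty list means the action can be granted in the layer-version policy.
    Listing versions cannot be granted this way, so a cross-account caller
    should not expect list-layer-versions to succeed.
    """
    errors = []
    if not ALLOWED_ACTION_RE.match(action):
        errors.append(f"'{action}' must match pattern lambda:GetLayerVersion")
    if len(action) > MAX_ACTION_LENGTH:
        errors.append(f"'{action}' must have length <= {MAX_ACTION_LENGTH}")
    return errors


def resolve_layer_owner(layer_name: str, caller_account: str, region: str) -> dict:
    """Work out which account a GetLayerVersion call will be routed to."""
    m = LAYER_ARN_RE.match(layer_name)
    if m is None:
        # Bare name: the service looks only in the caller's own account,
        # which is exactly why the question's call returned ResourceNotFound.
        return {"account": caller_account, "region": region,
                "name": layer_name, "cross_account": False}
    return {"account": m["account"], "region": m["region"], "name": m["name"],
            "cross_account": m["account"] != caller_account}


def get_layer_version_kwargs(layer_name: str, version: int,
                             owner_account: str, region: str) -> dict:
    """Build kwargs for boto3 lambda client.get_layer_version(), qualifying a
    bare name into the owning account's full layer ARN."""
    if LAYER_ARN_RE.match(layer_name) is None:
        layer_name = f"arn:aws:lambda:{region}:{owner_account}:layer:{layer_name}"
    return {"LayerName": layer_name, "VersionNumber": version}
```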
