SAM CloudFormation: attach layer to Lambda

From here

https://jun711.github.io/aws/attach-aws-lambda-layers-to-lambda-using-aws-sam-yaml-tutorial/

Key takeaways

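Give your Lambda function permission to call lambda:GetLayerVersion on your layer

Watch the layer version! The layer ARN under Layers ends with a version number (16 in the template below), and it has to be the version you mean to attach.

Also, CloudFormation needs permissions to deal with layers (second code block)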

UserManagementFunction:
  Type: AWS::Serverless::Function
  Properties:
    Handler: index.handler
    Runtime: python3.8
    FunctionName: 'lambda-with-layer'
    Description: 'lambda with layer'
    CodeUri: ./
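    Policies:
      # Allow lambda:GetLayerVersion on the layers in this account
      - Statement:
        - Effect: "Allow"
          Action:
            - 'lambda:GetLayerVersion'
          Resource:
            - 'arn:aws:lambda:*:1234567890:layer:*:*'
    Layers:
      # Layer version ARN; the trailing number (16) is the layer version
      - arn:aws:lambda:us-east-2:1234567890:layer:layer1:16

{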
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
          "lambda:GetLayerVersion",
          "lambda:DeleteLayerVersion",
          "lambda:ListLayerVersions",
          "lambda:ListLayers",
          "lambda:AddLayerVersionPermission",
          "lambda:RemoveLayerVersionPermission"
      ],
      "Resource": "*"
    }
  ]
}
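
As an added example (not code from this post or the linked tutorial), the Python check below takes the two policies shown above and reports attached layer ARNs that no lambda:GetLayerVersion statement covers, plus layer grants that also reach layers other than the ones attached. The function names, the scoped policy and the simplified matching (Allow statements only; no Deny, NotAction or Condition) are assumptions of the example.

```python
import re

# Constructed inputs mirroring the two snippets on this page.
LAYERS = ["arn:aws:lambda:us-east-2:1234567890:layer:layer1:16"]
FUNCTION_POLICY = [{"Effect": "Allow", "Action": ["lambda:GetLayerVersion"],
                    "Resource": ["arn:aws:lambda:*:1234567890:layer:*:*"]}]
DEPLOY_POLICY = [{"Effect": "Allow", "Resource": "*", "Action": [
    "lambda:GetLayerVersion", "lambda:DeleteLayerVersion", "lambda:ListLayerVersions",
    "lambda:ListLayers", "lambda:AddLayerVersionPermission",
    "lambda:RemoveLayerVersionPermission"]}]
# Scoped alternative (an assumption of this example, not from the page).
SCOPED_POLICY = [{"Effect": "Allow", "Action": "lambda:GetLayerVersion", "Resource": LAYERS}]

# Layer-version actions taken from the page's second policy.
LAYER_ACTIONS = ["lambda:GetLayerVersion", "lambda:DeleteLayerVersion",
                 "lambda:AddLayerVersionPermission", "lambda:RemoveLayerVersionPermission"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wild(pattern, text):
    """IAM-style match: '*' is any run of characters, '?' is one character."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, text) is not None

def _allows(stmt, action):
    # Action names are case-insensitive, so compare in lower case.
    return stmt.get("Effect") == "Allow" and any(
        _wild(a.lower(), action.lower()) for a in _as_list(stmt.get("Action", [])))

def uncovered_layers(statements, layer_arns):
    """Attached layer ARNs that no Allow lambda:GetLayerVersion statement covers."""
    patterns = [r for s in statements if _allows(s, "lambda:GetLayerVersion")
                for r in _as_list(s.get("Resource", []))]
    return [arn for arn in layer_arns if not any(_wild(p, arn) for p in patterns)]

def overbroad_grants(statements, layer_arns):
    """(action, resource) grants that also reach a layer other than the attached ones."""
    # Probe with a sibling ARN: same region and account, different layer name.
    probes = [arn.rsplit(":", 2)[0] + ":some-other-layer:1" for arn in layer_arns]
    return [(a, r) for s in statements for r in _as_list(s.get("Resource", []))
            for a in LAYER_ACTIONS
            if _allows(s, a) and any(_wild(r, p) for p in probes)]

if __name__ == "__main__":
    for name, pol in [("function", FUNCTION_POLICY), ("deploy", DEPLOY_POLICY),
                      ("scoped", SCOPED_POLICY)]:
        print(name, uncovered_layers(pol, LAYERS), overbroad_grants(pol, LAYERS))
```
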

So after some experimenting, from what I can tell a layer would not have any security by default

Also, my CloudFormation policy already had “lambda:*” so it was able to create the layers as is.