sam local invoke fails with AccessDeniedException when working with Layers #1736
Transferring to SAM CLI repo.

Hello all

Any update on this case?

Any updates? I need to invoke a lambda running locally, but it is connecting to an S3 bucket that is locked. I need to know how I add permissions to the S3 bucket so that it lets my lambda running locally read an S3 object.
```python
import boto3
from samcli.local.layers.layer_downloader import LayerDownloader  # import path assumed; fragment quoted from the commenter, self.* attributes come from the enclosing class

session = boto3.session.Session(profile_name=self._aws_profile, region_name=self._aws_region)
lambda_client = session.client('lambda')
layer_downloader = LayerDownloader(self._layer_cache_basedir, self.get_cwd(), lambda_client)
```
I have "fixed" this issue by using Mappings, but it would be way more elegant to solve this problem by either interpolating

Also frustrating that SAM does not support passing the Lambda Layer ARN via a

The problem is broader than just parameterizing Layers. There doesn't seem to be a way to override the value of the pseudo parameter

With the latest AWS SAM CLI (1.121.0), I can specify a layer in my template, e.g. AWS Lambda Powertools, and when being logged in and passing the right profile to SAM, it will download and use the layer accordingly. So it seems the original problem reported should be fixed. The only thing missing is a potential skip if it finds the layer locally already cached, instead of throwing an error when the token has expired.
Description:
When you use sam local invoke on a Lambda having layers, it fails with
Error: Credentials provided are missing lambda:Getlayerversion policy that is needed to download the layer or you do not have permission to download the layer
The --profile used to run the command had lambda:* access, but sam still fails with this error. Access is verified with the aws command line.
Steps to reproduce the issue:

1. Template:
```yaml
Layers:
  - !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:layer:XRayLayer:${XRayLayerVersion}"
```
2. Command:
```
sam local invoke -e .\test-data\test-sqs-event.json myservice --profile default --debug --region us-east-1
```
The function invocation fails with
```
Error: Credentials provided are missing lambda:Getlayerversion policy that is needed to download the layer or you do not have permission to download the layer
```
3. Running the function in debug mode does not help; it does not reveal any additional details.
4. Running the function with start-lambda in debug mode and invoking the lambda with the aws cli gives more insight, and there is a bug:
```
sam local start-lambda --profile default --debug --region us-east-1
```
The GetLayer call in the background is making a call to a dummy account 123456789012 and not the actual account you are working with; the log shows something like this:
```
botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the GetLayerVersion operation: User: arn:aws:sts::[account]:assumed-role/[Role]/user is not authorized to perform: lambda:GetLayerVersion on resource: arn:aws:lambda:us-east-1:123456789012:layer:XRayLayer:6
```
and that's the bug: it should be using the account from aws --profile.
See the attached log (sam bugreport.txt) for details of both sam local start-lambda and local invoke.
Observed result:
AccessDeniedException
Expected result:
sam is supposed to download the layer specified in the SAM template.
Workaround:
If you hardcode the account in the layer ARN in the template, it downloads the layer, and then subsequent runs.
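An added illustration, not SAM CLI's own code: the layer ARN in this issue is a !Sub string, and the log shows it being resolved with the placeholder account 123456789012 rather than the profile's account. The helper below resolves the ARN with the caller's real account and flags the two failure modes a local run can hit (unresolved placeholder, cross-account layer) before any GetLayerVersion call is attempted. The caller account is passed in as a constructed value so the check runs offline; in a live run it would come from STS get-caller-identity.

```python
import re

# Placeholder account id seen in the issue's log where AWS::AccountId should have been.
PLACEHOLDER_ACCOUNT_ID = "123456789012"

LAYER_ARN_RE = re.compile(
    r"^arn:aws:lambda:(?P<region>[a-z0-9-]+):(?P<account>\d{12})"
    r":layer:(?P<name>[A-Za-z0-9_-]+):(?P<version>\d+)$"
)


def resolve_sub(value, pseudo_params, parameters):
    """Resolve a !Sub string: ${AWS::*} from pseudo_params, the rest from parameters."""
    def repl(match):
        key = match.group(1)
        if key.startswith("AWS::"):
            return pseudo_params[key]
        return str(parameters[key])
    return re.sub(r"\$\{([^}]+)\}", repl, value)


def check_layer_account(layer_arn, caller_account):
    """Pre-flight check before GetLayerVersion; returns (ok, reason).

    caller_account is the 12-digit account the profile really resolves to
    (live: sts.get_caller_identity()["Account"]); passed in so this runs offline.
    """
    match = LAYER_ARN_RE.match(layer_arn)
    if not match:
        return False, f"not a layer version ARN: {layer_arn}"
    account = match.group("account")
    if account == PLACEHOLDER_ACCOUNT_ID and caller_account != account:
        return False, ("AWS::AccountId was not resolved from the profile; the ARN "
                       f"still carries placeholder account {account}")
    if account != caller_account:
        return False, (f"layer is in account {account} but caller is {caller_account}: "
                       "cross-account lambda:GetLayerVersion on that ARN is required")
    return True, f"layer and caller are both in account {account}"


def resolve_and_check(template_layers, region, caller_account, parameters):
    """Resolve each !Sub layer ARN with the caller's real account, then check it."""
    pseudo = {"AWS::Region": region, "AWS::AccountId": caller_account}
    return [(arn,) + check_layer_account(arn, caller_account)
            for arn in (resolve_sub(layer, pseudo, parameters) for layer in template_layers)]


if __name__ == "__main__":
    # Constructed sample: the template line from the issue plus a made-up account id.
    layers = ["arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:layer:XRayLayer:${XRayLayerVersion}"]
    for arn, ok, reason in resolve_and_check(layers, "us-east-1", "111122223333", {"XRayLayerVersion": 6}):
        print("OK  " if ok else "FAIL", arn, "-", reason)
```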