RFC: Permissions for LayerVersions #698

Open
keetonian opened this Issue Dec 3, 2018 · 0 comments

keetonian commented Dec 3, 2018

Background

The ability to share Layers will be integral to their use for any organization or group of teams, or even between individuals. Adding permissions to layer versions is a process that SAM could make easier than it would be in native CloudFormation. This design proposes a new Permissions field in the AWS::Serverless::LayerVersion resource that helps create AWS::Lambda::LayerVersionPermission objects for LayerVersions.

Syntax Proposal

Pros:

  • Reduce developer workload
  • Provide a convenient way to grant access permissions to layers upon layer creation

Cons:

  • Could quickly contribute to filling the 200 resource limit in CFN stacks.
    • These permissions will be expanded to one resource per permission and, if included in the globals section, be multiplied by the number of layers in a single SAM template.
    • This could easily balloon, but nested transforms will make this easy to manage. Just stick your layers in another template and use the LayerArns as the outputs.
  • Does not provide an easier way to add or remove permissions from existing layer versions

Example Template

Input yaml:

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Resources:
  MyLayer:
    Type: AWS::Serverless::LayerVersion
    Properties:
      ContentUri: ./my-layer.zip
      Permissions: # list of permissions objects
        -
          Principal: # string or list
            - arn:aws:iam::123123123123:user/James
            - arn:aws:iam::123456789012:user/Brett
          OrganizationId: o-eqqyngyzfx # string or list
          Action: lambda:GetLayerVersion # string or list
        -
          Principal: # string or list
            - arn:aws:iam::123456789012:user/Brett
          Action: lambda:ListLayerVersions # string or list

Output JSON:

{
  "Resources": {
    "MyLayerHash123": {
      "Type": "AWS::Lambda::LayerVersion",
      "DeletionPolicy": "Retain",
      "Properties": {
        "LayerName": "MyLayer",
        "Content": {
          "S3Bucket": "my-bucket",
          "S3Key": "my-layer.zip"
        }
      }
    },
    "MyLayerHash123Permission1": {
      "Type": "AWS::Lambda::LayerVersionPermission",
      "DeletionPolicy": "Retain",
      "Properties": {
        "Action": "lambda:GetLayerVersion",
        "LayerVersionArn": {
          "Ref": "MyLayerHash123"
        },
        "Principal": "arn:aws:iam::123456789012:user/Brett"
      }
    },
    "MyLayerHash123Permission2": {
      "Type": "AWS::Lambda::LayerVersionPermission",
      "DeletionPolicy": "Retain",
      "Properties": {
        "Action": "lambda:GetLayerVersion",
        "LayerVersionArn": {
          "Ref": "MyLayerHash123"
        },
        "Principal": "arn:aws:iam::123123123123:user/James"
      }
    },
    "MyLayerHash123Permission3": {
      "Type": "AWS::Lambda::LayerVersionPermission",
      "DeletionPolicy": "Retain",
      "Properties": {
        "Action": "lambda:GetLayerVersion",
        "LayerVersionArn": {
          "Ref": "MyLayerHash123"
        },
        "Principal": "*",
        "OrganizationId": "o-eqqyngyzfx"
      }
    },
    "MyLayerHash123Permission4": {
      "Type": "AWS::Lambda::LayerVersionPermission",
      "DeletionPolicy": "Retain",
      "Properties": {
        "Action": "lambda:ListLayerVersions",
        "LayerVersionArn": {
          "Ref": "MyLayerHash123"
        },
        "Principal": "arn:aws:iam::123456789012:user/Brett"
      }
    }
  }
}

Permissions are also a field that can be used in the AWS::Serverless::LayerVersion Globals section, setting permissions for all of the layers in a SAM template. In this example, the users specified in the globals section would be granted permissions to all the layers in the template, resulting in 4 AWS::Lambda::LayerPermission resources (2 for each layer):

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Globals:
  LayerVersion:
    Permissions:
      -
        Principal:
          - arn:aws:iam::123456789012:user/Brett
          - arn:aws:iam::123123123123:user/James
        Action: lambda:GetLayerVersion
        # OrganizationId: 
Resources:
  MyLayer:
    Type: AWS::Serverless::LayerVersion
    Properties:
      ContentUri: ./my-layer
  MyOtherLayer:
    Type: AWS::Serverless::LayerVersion
    Properties:
      ContentUri: ./my-other-layer

FAQ

  1. Should updating the Permissions property trigger an update to the LayerVersion (even if nothing else was updated), or just update permissions?
    • It will always trigger a new version: doing so will avoid deleting old LayerVersionPermission objects assigned to the current version of a layer and reduce complexity and developer confusion (any update == new version).
  2. Will SAM support managing permissions on older versions of a layer?
    • No. SAM will not explicitly support updating permissions on older versions of a layer. This would be best managed via the Lambda API or AWS CLI.
  3. Will SAM support managing permissions for a range of layer versions?
    • No. SAM will only manage permissions on the latest version of a layer.
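As an added illustration of the expansion this RFC proposes (not code from the SAM translator or from the issue author), the model below turns a Permissions list, including one inherited from Globals, into AWS::Lambda::LayerVersionPermission resources following the output JSON shown above. The `Hash123` logical-id suffix, the resource ordering and the refusal of a bare `*` Principal without an OrganizationId are assumptions of this example.

```python
from typing import Any, Dict, List, Union

def as_list(value: Union[str, List[str], None]) -> List[str]:
    """Normalise the RFC's 'string or list' fields to a list."""
    return [] if value is None else [value] if isinstance(value, str) else list(value)

def expand_permissions(layer_id: str, permissions: List[Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """One LayerVersionPermission per (Action, Principal) pair, plus one per
    (Action, OrganizationId) pair with Principal "*" scoped by the org, as in the
    RFC's output JSON. A bare "*" Principal with no OrganizationId is refused: a
    defensive check added here, not an RFC rule, since it would open the layer to
    every AWS account."""
    resources: Dict[str, Dict[str, Any]] = {}
    def emit(props: Dict[str, Any]) -> None:
        resources[f"{layer_id}Permission{len(resources) + 1}"] = {
            "Type": "AWS::Lambda::LayerVersionPermission", "DeletionPolicy": "Retain",
            "Properties": {"LayerVersionArn": {"Ref": layer_id}, **props}}
    for perm in permissions:
        actions, orgs = as_list(perm.get("Action")), as_list(perm.get("OrganizationId"))
        principals = as_list(perm.get("Principal"))
        if not actions:
            raise ValueError(f"{layer_id}: every permission object needs an Action")
        if "*" in principals and not orgs:
            raise ValueError(f"{layer_id}: Principal '*' without OrganizationId makes the layer public")
        for action in actions:
            for principal in (p for p in principals if p != "*"):
                emit({"Action": action, "Principal": principal})
            for org in orgs:
                emit({"Action": action, "Principal": "*", "OrganizationId": org})
    return resources

def transform(template: Dict[str, Any]) -> Dict[str, Any]:
    """Prepend Globals.LayerVersion.Permissions to each layer's own list, then expand."""
    global_perms = template.get("Globals", {}).get("LayerVersion", {}).get("Permissions", [])
    out: Dict[str, Any] = {}
    for name, res in template["Resources"].items():
        if res.get("Type") != "AWS::Serverless::LayerVersion":
            out[name] = res
            continue
        layer_id = f"{name}Hash123"  # assumed stand-in for SAM's content-hash suffix
        out[layer_id] = {"Type": "AWS::Lambda::LayerVersion", "DeletionPolicy": "Retain",
                         "Properties": {"LayerName": name, "Content": res["Properties"]["ContentUri"]}}  # S3 upload not modelled
        out.update(expand_permissions(layer_id, list(global_perms) + list(res["Properties"].get("Permissions", []))))
    return {"Resources": out}

# Constructed sample: the RFC's Globals example (two layers, two principals -> 4 permission resources).
SAMPLE = {"Globals": {"LayerVersion": {"Permissions": [{"Action": "lambda:GetLayerVersion",
          "Principal": ["arn:aws:iam::123456789012:user/Brett", "arn:aws:iam::123123123123:user/James"]}]}},
          "Resources": {"MyLayer": {"Type": "AWS::Serverless::LayerVersion", "Properties": {"ContentUri": "./my-layer"}},
                        "MyOtherLayer": {"Type": "AWS::Serverless::LayerVersion", "Properties": {"ContentUri": "./my-other-layer"}}}}
```

Running `transform(SAMPLE)` reproduces the count from the Globals section above: two LayerVersionPermission resources per layer, each with its `LayerVersionArn` referencing that layer's logical id.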
