Cross Account AWS Lambda Layers #12728
Comments
Similar: @Arlington1985 Thanks for raising this.
Yes, you are right, instead of
resource "aws_lambda_function" "lambda_function" {
  ...
  layers = ["arn:aws:lambda:region:123456789012:layer:layer_name:version"]
  ...
}
Still I think it should work also with the with referencing from
The corresponding data source uses the
$ aws --region us-west-2 lambda list-layer-versions --layer-name arn:aws:lambda:us-west-2:464622532012:layer:Datadog-Python37
An error occurred (AccessDeniedException) when calling the ListLayerVersions operation: User: arn:aws:iam::123456789012:user/kit is not authorized to perform: lambda:ListLayerVersions on resource: arn:aws:lambda:us-west-2:464622532012:layer:Datadog-Python37
With 3rd party libs, it might be a problem, but if I am using just my own cross-account layer, then I will have the option to give any permission
The related issue which brought me here was trying to use the Scipy layer across multiple regions, because it seems both the region and the account number change in the ARN. I haven't yet found a good alternative to hardcoding the ARNs for the regions we want to use.
AWS lambda layers support "resource level policies": What is needed is similar to other resources that support attaching resource policies, such as ECR repository resource policies. Seems there is already an enhancement request for this:
My understanding of this issue is the inability to use the following data block to retrieve the latest version of a lambda layer that is shared from a different account. This would be handy where codebase A deploys a layer to account A and codebase B needs to retrieve the latest version of the layer to use with a lambda function in account B without having to open account A to see what version to use.
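A layer resource policy scoped to one consumer account, with the function in the other account referencing the full versioned ARN, as an added example that is not part of the thread or the provider's own documentation. It assumes a provider release that includes `aws_lambda_layer_version_permission`; the provider aliases, layer and function names, file names, the role variable and the consumer account ID 123456789012 are placeholders.

```hcl
# Added example. Provider aliases "owner" (account A) and "consumer"
# (account B) are assumed to be configured elsewhere.
variable "lambda_role_arn" {
  type        = string
  description = "Execution role ARN in the consumer account (placeholder input)"
}

# Account A: publish the layer version.
resource "aws_lambda_layer_version" "shared" {
  provider            = aws.owner
  layer_name          = "shared-utils" # placeholder
  filename            = "layer.zip"    # placeholder artifact
  compatible_runtimes = ["python3.12"]
}

# Account A: resource policy statement on this one version.
# It grants lambda:GetLayerVersion only, so a consumer can attach the
# version but is not granted lambda:ListLayerVersions, the call that is
# denied in the error output quoted in the thread.
resource "aws_lambda_layer_version_permission" "consumer" {
  provider       = aws.owner
  layer_name     = aws_lambda_layer_version.shared.layer_name
  version_number = aws_lambda_layer_version.shared.version
  statement_id   = "allow-consumer-account"
  action         = "lambda:GetLayerVersion"

  # Least privilege: a single account ID. Setting principal = "*" without
  # organization_id makes the version readable by every AWS account.
  principal = "123456789012"
}

# Account B: attach the layer by its versioned ARN. In a separate code
# base this ARN would arrive as an input instead of a resource reference.
resource "aws_lambda_function" "lambda_function" {
  provider      = aws.consumer
  function_name = "consumer-fn" # placeholder
  role          = var.lambda_role_arn
  handler       = "app.handler"
  runtime       = "python3.12"
  filename      = "function.zip" # placeholder artifact
  layers        = [aws_lambda_layer_version.shared.arn]

  # The policy statement must exist before the function is created,
  # otherwise the create call fails with an access error on the layer.
  depends_on = [aws_lambda_layer_version_permission.consumer]
}
```

Each new layer version needs its own permission statement, because the policy attaches to a version rather than to the layer as a whole.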
Community Note
Description
Currently, it's not possible to specify Lambda layers from a different AWS account. In CloudFormation you can do it just by specifying the ARN of the layer. It might be with the exact version or without a version. But as of now, AWS has no capability to refer to cross-account Lambda layers without specifying a version.
New or Affected Resource(s)
Potential Terraform Configuration
References