
Access denied #1

Closed
bongbang opened this issue Feb 15, 2019 · 14 comments

Comments

@bongbang

During deployment, this error occurs.

  Serverless Error ---------------------------------------

  An error occurred: MakeUnderscorequizLambdaFunction - User: arn:aws:iam::<me> is not authorized to perform: lambda:GetLayerVersion on resource: arn:aws:lambda:us-east-1:898466741470:layer:psycopg2:2 (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException; Request ID: 6c379e94-315b-11e9-b1c8-51d17319cae3).
@bongbang
Author

I see now. I'm supposed to build and upload the layer myself.

@revmischa
Member

Well no, it should be available to all... not sure what's wrong :/

[screenshot: screen shot 2019-02-16 at 10 34 38 am]

@bongbang bongbang reopened this Feb 16, 2019
@bongbang
Author

Did you grant permission to all accounts for v. 2? From the linked documentation: "To grant layer-usage permission to another account, add a statement to the layer version's permissions policy with the add-layer-version-permission command. In each statement, you can grant permission to a single account, all accounts, or an organization."

@revmischa
Member

supposedly that is what this line is supposed to do https://github.com/jetbridge/psycopg2-lambda-layer/blob/master/3.7/serverless.yml#L18

@pinn3

pinn3 commented Mar 13, 2019

Getting a similar error when using it in a raw CloudFormation template. Pretty sure that it's caused by regional restrictions, as my stack is deployed to eu-west-1, while the layer is located in us-east-1.

Where is your Serverless stack deployed to, @bongbang?

Edit: I've seen other layer providers that deploy theirs to pretty much all regions, would it be possible for you to do the same @revmischa?

@bongbang
Author

bongbang commented Mar 13, 2019 via email

@pinn3

pinn3 commented Mar 14, 2019

Deployed this layer to my own account to confirm the permissions part. This way I could inspect the raw CloudFormation template that's generated by Serverless:

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "The AWS CloudFormation template for this Serverless application",
  "Resources": {
    "ServerlessDeploymentBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketEncryption": {
          "ServerSideEncryptionConfiguration": [{
            "ServerSideEncryptionByDefault": {
              "SSEAlgorithm": "AES256"
            }
          }]
        }
      }
    },
    "Psycopg2LambdaLayer": {
      "Type": "AWS::Lambda::LayerVersion",
      "Properties": {
        "Content": {
          "S3Bucket": { "Ref": "ServerlessDeploymentBucket" },
          "S3Key": "serverless/psycopg2-lambda-layer/dev/XXXXXXXXXXXXX-2019-03-14T00:45:20.968Z/psycopg2.zip"
        },
        "LayerName": "psycopg2",
        "CompatibleRuntimes": ["python3.7"]
      }
    },
    "Psycopg2WildLambdaLayerPermission": {
      "Type": "AWS::Lambda::LayerVersionPermission",
      "Properties": {
        "Action": "lambda:GetLayerVersion",
        "LayerVersionArn": { "Ref": "Psycopg2LambdaLayer" },
        "Principal": "*"
      }
    }
  },
  "Outputs": {
    "ServerlessDeploymentBucketName": {
      "Value": { "Ref": "ServerlessDeploymentBucket" }
    },
    "Psycopg2LambdaLayerQualifiedArn": {
      "Description": "Current Lambda layer version",
      "Value": { "Ref": "Psycopg2LambdaLayer" }
    }
  }
}

What I was looking for was this part:

    "Psycopg2WildLambdaLayerPermission": {
      "Type": "AWS::Lambda::LayerVersionPermission",
      "Properties": {
        "Action": "lambda:GetLayerVersion",
        "LayerVersionArn": { "Ref": "Psycopg2LambdaLayer" },
        "Principal": "*"
      }
    }

Which confirms that, yes, allowedAccounts in the serverless.yml translates to the correct resource (which was briefly mentioned here), meaning that the layer should be accessible by any AWS account.

This is all, of course, assuming that the deployed layer stack is up to date with this repository.

To further confirm that the permissions are correct, the owner of the layer could run the following command to view the current policy for it:

aws lambda get-layer-version-policy --layer-name psycopg2 --version-number 2

(see https://docs.aws.amazon.com/cli/latest/reference/lambda/get-layer-version-policy.html)

@gregglowrimore

gregglowrimore commented May 22, 2019

Any updates on this permissions issue? I am trying to use this as a layer in my SAM template's definition and getting an AccessDenied exception as well.

I am trying to include this layer in my SAM template (specifying the Arn) and I am always getting Access Denied - even as an Admin in my AWS account trying to add this Arn manually as a layer to an existing lambda.

@revmischa
Member

I am using arn:aws:lambda:eu-central-1:898466741470:layer:psycopg2-py37:2 and it works for me

@gregglowrimore

gregglowrimore commented May 23, 2019

Nope, still no workie for me. Like I said above, I went to an existing Lambda and attempted to add a new remote layer, specifying the above ARN, and got the access denied failure there too. Does it matter that the ARN above is specifying eu-central-1 and (I assume) jetbridge's AWS account? Are the proper cross-account access policies in place? Or has jetbridge basically made the Lambda Layer publicly readable?

@revmischa
Member

It should be publicly readable:

aws> lambda get-layer-version-policy --layer-name psycopg2-py37 --version-number 2
{
    "Policy": "{\"Version\":\"2012-10-17\",\"Id\":\"default\",\"Statement\":[{\"Sid\":\"Psycopg2Dashpy37WildLambdaL-6kCQPmvXWUf9\",\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"lambda:GetLayerVersion\",\"Resource\":\"arn:aws:lambda:eu-central-1:898466741470:layer:psycopg2-py37:2\"}]}",
    "RevisionId": "3061bc5c-7c94-4c90-84c3-cd3a33fb703e"
}

Which I think means it is public?
It was created with the serverless config in this repo
Suggestions welcome!

@gregglowrimore

Well, I spent 4 hours on an AWS support chat yesterday where the first hour was going over this layer permissions issue and trying to figure out why my Lambda always got AccessDenied. Even the support tech was getting AccessDenied when he tried it on his end.

We ended up just building our own layer using a combination of your repo here and jkehler's repo for psycopg2. Once we got our own layer created and deployed into our account, our Lambda was obviously able to pull it down and use it.

I agree, all evidence above shows your layer should be public, but something's not letting the public access it from my world.

@revmischa
Member

revmischa commented May 31, 2019

Getting a similar error when using it in a raw CloudFormation template. Pretty sure that it's caused by regional restrictions, as my stack is deployed to eu-west-1, while the layer is located in us-east-1.

Where is your Serverless stack deployed to, @bongbang?

Edit: I've seen other layer providers that deploy theirs to pretty much all regions, would it be possible for you to do the same @revmischa?

This is the answer - it must be in the same region. I have deployed in us-east-1, ap-southeast-1, eu-central-1. Unfortunately the version numbers don't line up :(

A script to deploy everywhere with the same version numbers would be nice

@revmischa
Member

I updated the README. Please open an issue if you need another region. Make sure to use the layer from your region or you will get that permission error.
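The thread ends up needing two separate checks before blaming the layer's permissions: the layer version ARN has to be in the same region as the function that references it (a cross-region reference fails as a 403 AccessDeniedException on lambda:GetLayerVersion, not as a not-found error), and the layer version's resource policy has to grant lambda:GetLayerVersion to the consuming account. The following is an added example, not code from the jetbridge/psycopg2-lambda-layer project or from any commenter, that performs both checks offline. It embeds the get-layer-version-policy output pasted earlier in the thread verbatim; the consumer account id 123456789012, the function regions used in the demonstration, and the helper names are constructed for illustration.

```python
import json
import re
from typing import Any, Dict, List

# Layer *version* ARN: arn:aws:lambda:<region>:<account>:layer:<name>:<version>
LAYER_ARN_RE = re.compile(
    r"^arn:aws:lambda:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):layer:"
    r"(?P<name>[A-Za-z0-9_-]+):(?P<version>\d+)$"
)


def parse_layer_arn(arn: str) -> Dict[str, Any]:
    """Split a layer version ARN into region/account/name/version."""
    m = LAYER_ARN_RE.match(arn)
    if m is None:
        raise ValueError(f"not a layer version ARN: {arn!r}")
    parts: Dict[str, Any] = m.groupdict()
    parts["version"] = int(parts["version"])
    return parts


def region_mismatch(layer_arn: str, function_region: str) -> bool:
    """True when the layer does not live in the region the function deploys to."""
    return parse_layer_arn(layer_arn)["region"] != function_region


def layer_policy_document(cli_response: str) -> Dict[str, Any]:
    """Decode `aws lambda get-layer-version-policy` output.

    The CLI returns JSON whose "Policy" field is itself a JSON *string*,
    so the policy document has to be decoded twice.
    """
    outer = json.loads(cli_response)
    return json.loads(outer["Policy"])


def _as_list(value: Any) -> List[Any]:
    return [value] if isinstance(value, str) else list(value)


def _principals(principal: Any) -> List[str]:
    # In layer policies Principal is "*", {"AWS": "..."} or {"AWS": [...]}.
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS", []))
    return []


def policy_allows_get(policy: Dict[str, Any], layer_arn: str, consumer_account: str) -> bool:
    """Does the policy let consumer_account call lambda:GetLayerVersion on layer_arn?

    Layer version policies are allow-only and each statement names one exact
    version ARN, so a statement must match the resource and the action and
    carry either the wildcard principal or the consumer's own account.
    """
    account_forms = {consumer_account, f"arn:aws:iam::{consumer_account}:root"}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if layer_arn not in _as_list(stmt.get("Resource", [])):
            continue
        if "lambda:GetLayerVersion" not in _as_list(stmt.get("Action", [])):
            continue
        for principal in _principals(stmt.get("Principal")):
            if principal == "*" or principal in account_forms:
                return True
    return False


def diagnose(layer_arn: str, function_region: str, policy: Dict[str, Any], consumer_account: str) -> str:
    """Check region first: a mismatch fails before the policy is ever consulted,
    so it must be ruled out before chasing a permissions problem."""
    if region_mismatch(layer_arn, function_region):
        return "region-mismatch"
    if not policy_allows_get(policy, layer_arn, consumer_account):
        return "not-shared"
    return "ok"


# get-layer-version-policy output exactly as the layer owner pasted it above.
THREAD_RESPONSE = r'''{
    "Policy": "{\"Version\":\"2012-10-17\",\"Id\":\"default\",\"Statement\":[{\"Sid\":\"Psycopg2Dashpy37WildLambdaL-6kCQPmvXWUf9\",\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"lambda:GetLayerVersion\",\"Resource\":\"arn:aws:lambda:eu-central-1:898466741470:layer:psycopg2-py37:2\"}]}",
    "RevisionId": "3061bc5c-7c94-4c90-84c3-cd3a33fb703e"
}'''
EU_LAYER = "arn:aws:lambda:eu-central-1:898466741470:layer:psycopg2-py37:2"
US_LAYER = "arn:aws:lambda:us-east-1:898466741470:layer:psycopg2:2"
CONSUMER = "123456789012"  # constructed consumer account id, not a real account

if __name__ == "__main__":
    policy = layer_policy_document(THREAD_RESPONSE)
    # an eu-west-1 function referencing the us-east-1 layer (the situation reported above)
    print(diagnose(US_LAYER, "eu-west-1", policy, CONSUMER))     # region-mismatch
    # an eu-central-1 function using the eu-central-1 layer (what worked for the owner)
    print(diagnose(EU_LAYER, "eu-central-1", policy, CONSUMER))  # ok
```

The region check is deliberately done before the policy check: with a cross-region ARN the service answers AccessDenied regardless of the policy, so inspecting the policy first (as the thread did for several months) cannot explain the failure. To run this against a live layer, feed the raw output of `aws lambda get-layer-version-policy --layer-name <name> --version-number <n>` (run by the layer owner, in the layer's region) to layer_policy_document.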
