User is not authorized to perform: lambda:GetLayerVersion #3624

Closed
mfrangakis opened this issue Jan 16, 2024 · 3 comments

@mfrangakis

As posted on Discord, I am getting an error while trying to deploy to the af-south-1 region.

```
clarity/ServerFunction/ServerFunction: Resource handler returned message: "User: arn:aws:sts::<acc_id>:assumed-role/cdk-hnb659fds-cfn-exec-role-857082827836-af-south-1/AWSCloudFormation is not authorized to perform: lambda:GetLayerVersion on resource: arn:aws:lambda:af-south-1:226609089145:layer:sst-extension-arm64:2 because no resource-based policy allows the lambda:GetLayerVersion action (Service: Lambda, Status Code: 403, Request ID: <req_id>)" (RequestToken: <req_id>, HandlerErrorCode: AccessDenied)
```

I have attempted the same in eu-west-1 without issue. It appears that the Lambda Layer managed by the SST team may not have a resource policy that allows other accounts to access it. See this issue on another project where the same issue was resolved.

If I create a lambda function from the console and attempt to add the above layer ARN, I get the same error:
image

In eu-west-1 though, this is not a problem.
image

@jayair
Contributor

jayair commented Jan 17, 2024

Oh on Discord I missed that this is about the SST Lambda Layer.

Looking into it.

@mfrangakis
Author

After upgrading to SST version 2.39.6, running the deploy command appears not to utilize the SST Lambda layer any longer. The ServerFunction has no layers any more. Hence, deployment to af-south-1 now works without issue.

@fwang
Contributor

fwang commented Jan 26, 2024

Hi @mfrangakis, this should be fixed now.

^ to add some context, af-south-1 along w/ a few other regions were not enabled by AWS by default. And the layers were not published to them.

All regions should now have the layers.
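
A triage helper for the error quoted in this thread, added here as an example (it is not part of the original issue or of SST's code): it parses the denial, splits the caller and resource ARNs, and separates owner-side causes (a cross-account resource with no resource-based policy, or, as in this issue, a layer not published to the region) from caller-side ones. The account ID 111111111111, the request ID, and the names `triage`, `parse_arn` and `cause` are constructed for illustration; the layer ARN is the one from the error above.

```python
import re

# Shape of the IAM denial embedded in the CloudFormation error quoted in this issue.
DENIAL_RE = re.compile(
    r'User: (?P<principal>\S+) is not authorized to perform: (?P<action>[\w-]+:\w+)'
    r' on resource: (?P<resource>\S+)'
    r'(?: because (?P<reason>.+?))?(?= \(Service:|"|$)'
)

# Constructed sample: account 111111111111 and the request ID are placeholders.
SAMPLE = (
    'Resource handler returned message: "User: arn:aws:sts::111111111111:assumed-role/'
    'cdk-hnb659fds-cfn-exec-role-111111111111-af-south-1/AWSCloudFormation is not '
    'authorized to perform: lambda:GetLayerVersion on resource: '
    'arn:aws:lambda:af-south-1:226609089145:layer:sst-extension-arm64:2 because no '
    'resource-based policy allows the lambda:GetLayerVersion action '
    '(Service: Lambda, Status Code: 403, Request ID: req-placeholder)"'
)


def parse_arn(arn):
    """Split an ARN into its six fields; the resource field may itself contain colons."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return dict(zip(("prefix", "partition", "service", "region", "account", "resource"), parts))


def triage(message):
    """Describe an IAM denial found in a deploy error, or return None if there is none."""
    m = DENIAL_RE.search(message)
    if m is None:
        return None
    caller, target = parse_arn(m["principal"]), parse_arn(m["resource"])
    reason = m["reason"] or ""
    cross_account = caller["account"] != target["account"]
    if cross_account and "no resource-based policy" in reason:
        # Owner has not shared the resource, or (as in this issue) never published it there.
        cause = "owner-side"
    elif "no identity-based policy" in reason:
        cause = "caller-side"  # the caller's own IAM policy lacks the action
    else:
        cause = "unknown"
    return {"action": m["action"], "region": target["region"], "caller": caller["account"],
            "owner": target["account"], "cross_account": cross_account, "cause": cause}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

An `owner-side` result means no change to the deploying account's IAM policies will help; the fix has to come from the account that owns the layer, which is how this issue was resolved.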
