aws-lambda-r-runtime

AccessDeniedException when calling the ListLayerVersions operation

Open tylercd100 opened this issue 5 years ago • 6 comments

When trying to run:

aws lambda list-layer-versions --max-items 1 --no-paginate --layer-name arn:aws:lambda:us-east-1:131329294410:layer:r-runtime-3_6_0  --query 'LayerVersions[0].LayerVersionArn' --output text

I get this error

An error occurred (AccessDeniedException) when calling the ListLayerVersions operation: 
User: arn:aws:iam::273907563187:user/tyler is not authorized to perform: 
lambda:ListLayerVersions on resource: arn:aws:lambda:us-east-1:131329294410:layer:r-runtime-3_6_0

Did something change recently? I have been able to run this before without any issue.

tylercd100 Jan 20 '20 19:01

Getting the same. Seems like the last publish might have messed with the image permissions?

plukevdh Jan 27 '20 23:01

Hi, thanks for reporting. We are unsure why this happens; it seems that something on the AWS side has changed, as this project hasn't been touched for a while. We hope that we will come up with a solution soon! In the meantime, you can build the layer yourself so you don't need to rely on our provided layer.

philipp94831 Jan 28 '20 05:01

Hi @plukevdh and @tylercd100, we investigated the issue and it seems that the AWS API does not grant permissions for this command anymore for accounts outside our own AWS account. Therefore, we updated the README. To get an up-to-date list of the latest layer version in each region, please have a look at the Travis CI build log. For R 3.6.0, the latest version is usually arn:aws:lambda:$region:131329294410:layer:r-runtime-3_6_0:13. Sorry for the troubles.

philipp94831 Jan 30 '20 07:01

Hi,

Just hit this issue, made worse by the fact that I am using serverless framework, which seems to require the permission to use the layer at all.

Looking at the docs, it seems possible to make it available for all AWS accounts though ...

https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html#permissions-resource-xaccountlayer

To grant permission to all AWS accounts, use * for the principal, and omit the organization ID. For multiple accounts or organizations, add multiple statements.

Might be worth looking into. Longer term I think I should prob copy the layer into my own account, but if you could look into the above it would be massively helpful in the short term.

Thanks, Ed

ed-sparkes Feb 11 '20 17:02

Hi @ed-sparkes, you can still use our layer (see my comment or the README). You just can't list the versions and thus easily find out which is the latest one.

philipp94831 Feb 11 '20 18:02

Unfortunately, the way serverless.com implements layers, it seems to need a call to list versions, and I am using that as my framework for my serverless project.

ed-sparkes Feb 12 '20 13:02
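Added example, not part of the thread or of the project's code: a POSIX shell script that parses the denial message quoted in this issue, reports whether the caller and the layer sit in different AWS accounts, and builds the versioned layer ARN to reference directly instead of calling ListLayerVersions. The function names are hypothetical; version 13 is the one mentioned in the thread, and the region eu-west-1 in the demo call is a constructed value.

```shell
#!/bin/sh
# Added example. SAMPLE_ERROR is the denial text quoted in this issue;
# all function names are hypothetical.
SAMPLE_ERROR='An error occurred (AccessDeniedException) when calling the ListLayerVersions operation:
User: arn:aws:iam::273907563187:user/tyler is not authorized to perform:
lambda:ListLayerVersions on resource: arn:aws:lambda:us-east-1:131329294410:layer:r-runtime-3_6_0'

# denial_field MESSAGE principal|action|resource
# Pulls one field out of an AWS "is not authorized to perform" message.
denial_field() {
  case "$2" in
    principal) re='.*User: \(arn:[^ ]*\) is not authorized.*' ;;
    action)    re='.*not authorized to perform: \([^ ]*\) on resource.*' ;;
    resource)  re='.*on resource: \(arn:[^ ]*\).*' ;;
    *) return 1 ;;
  esac
  # Join wrapped lines and squeeze spaces so each pattern sees one line.
  printf '%s\n' "$1" | tr -s '\n' ' ' | sed -n "s/$re/\1/p"
}

# The account ID is the fifth colon-separated field of an ARN.
arn_account() { printf '%s\n' "$1" | cut -d: -f5; }

# Prints cross-account, same-account, or unparsed (with exit status 1).
classify_denial() {
  p=$(denial_field "$1" principal)
  r=$(denial_field "$1" resource)
  if [ -z "$p" ] || [ -z "$r" ]; then echo unparsed; return 1; fi
  if [ "$(arn_account "$p")" = "$(arn_account "$r")" ]; then echo same-account
  else echo cross-account; fi
}

# pinned_layer_arn LAYER_ARN VERSION [REGION]
# Builds arn:aws:lambda:$region:<account>:layer:<name>:<version>, dropping any
# version already on LAYER_ARN. Fails on a non-numeric version or non-layer ARN.
pinned_layer_arn() {
  case "$2" in ''|*[!0-9]*) return 1 ;; esac
  case "$1" in arn:*:lambda:*:*:layer:*) ;; *) return 1 ;; esac
  region=${3:-$(printf '%s\n' "$1" | cut -d: -f4)}
  prefix=$(printf '%s\n' "$1" | cut -d: -f1-3)
  rest=$(printf '%s\n' "$1" | cut -d: -f5-7)
  printf '%s:%s:%s:%s\n' "$prefix" "$region" "$rest" "$2"
}

# Demo on the sample: show the verdict, then the ARN to pin in another region.
echo "$(denial_field "$SAMPLE_ERROR" action): $(classify_denial "$SAMPLE_ERROR")"
pinned_layer_arn "$(denial_field "$SAMPLE_ERROR" resource)" 13 eu-west-1
```

A cross-account verdict means the permission has to come from the layer owner's side, so attaching more IAM policy to the calling user will not clear the error.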