Insufficient Permissions related to Lambda Layers
How did you install the Amplify CLI?
npm
If applicable, what version of Node.js are you using?
v22.16.0
Amplify CLI Version
14.2.2
What operating system are you using?
Ubuntu
Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.
No
Describe the bug
On an amplify push I receive the following error:
2025-11-14 13:54:43 UTC-0700 LambdaLayerPermissionPrivatedb63d180 DELETE_FAILED Likely root cause
Resource handler returned message: "Lambda:GetLayerVersionPolicy access denied" (RequestToken: 04a93e99-6623-7d45-486c-1aac117021c3, HandlerErrorCode: AccessDenied)
Expected behavior
Successful push
Reproduction steps
Uncertain how this issue was created.
Project Identifier
No response
Log output
Additional information
Confirmed the missing permission on the generated Amplify Full-access Role with support. Here is the case number: Case ID 176315417000145
This is related to https://github.com/aws-amplify/amplify-cli/issues/10607
Before submitting, please confirm:
- [x] I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
- [x] I have removed any sensitive information from my code snippets and submission.
Hi @RoyalBis,
The error indicates that when CloudFormation attempts to delete the LambdaLayerPermissionPrivate resource, it requires the lambda:GetLayerVersionPolicy permission to check the current state of the layer version policy. This permission appears to be missing from the Amplify deployment role.
Since you already have an active support case, please continue working through that support case for the best assistance with your immediate issue. The support team can help you apply the necessary workaround to unblock your deployment.
Meanwhile, we'll keep a close eye on this issue and investigate it on our end.
We welcome 👍 from the community if anyone has the same issue.
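To make the permission gap described above concrete, here is an added example (not code from the Amplify CLI project or from this thread) that evaluates an IAM identity policy offline, the way IAM resolves Allow and Deny for a single action and resource, and shows the DELETE of the layer permission resource failing until lambda:GetLayerVersionPolicy is granted. The layer ARN and both policy documents are constructed placeholders; the checker handles Action/Resource wildcards and explicit Deny but not NotAction, NotResource or Condition keys.

```python
"""Offline check: does a deployment role policy grant the action CloudFormation
needs (lambda:GetLayerVersionPolicy) to delete AWS::Lambda::LayerVersionPermission?
Added example; the ARN and policies below are constructed, not Amplify's real role."""
import fnmatch
import json

# Action named in the DELETE_FAILED message from the issue.
REQUIRED_ACTION = "lambda:GetLayerVersionPolicy"
# Constructed placeholder layer version ARN; replace with your own.
LAYER_VERSION_ARN = "arn:aws:lambda:us-east-1:123456789012:layer:example-layer:1"


def _as_list(value):
    """IAM allows a string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Evaluate one identity policy: an explicit Deny always wins, otherwise at
    least one matching Allow is required. Actions match case-insensitively,
    resources case-sensitively, both with IAM '*' / '?' wildcards."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # explicit deny overrides every allow
        allowed = True
    return allowed


# Constructed "before" policy: the role can add and remove layer permissions
# but cannot read the layer version policy back, which the delete handler needs.
BEFORE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["lambda:AddLayerVersionPermission",
               "lambda:RemoveLayerVersionPermission"],
    "Resource": "arn:aws:lambda:*:*:layer:*:*"}]}


def fixed_policy(policy, layer_arn_pattern):
    """Return a copy of the policy with a least-privilege statement that adds
    only the missing read action, scoped to the given layer ARN pattern."""
    fixed = json.loads(json.dumps(policy))  # deep copy, leave input untouched
    fixed["Statement"] = _as_list(fixed["Statement"]) + [{
        "Effect": "Allow", "Action": [REQUIRED_ACTION],
        "Resource": layer_arn_pattern}]
    return fixed
```

Run the checker against the actual policy document attached to the role (for example the JSON returned by `aws iam get-role-policy`) to confirm the fix before the next push.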
Thank you, support helped me address the issue, I manually added this permission.
It would also be useful if the error message could be improved to display the role that had the missing permission, as this would be very helpful debug information.