amplify-cli
Unable to update Lambda Layer permissions
Before opening, please confirm:
- [X] I have installed the latest version of the Amplify CLI (see above), and confirmed that the issue still persists.
- [X] I have searched for duplicate or closed issues.
- [X] I have read the guide for submitting bug reports.
- [X] I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
How did you install the Amplify CLI?
pnpm add -g @aws-amplify/cli
If applicable, what version of Node.js are you using?
v16.13.0
Amplify CLI Version
7.3.3
What operating system are you using?
Mac
Amplify Categories
function
Amplify Commands
update
Describe the bug
After upgrading the CLI to the latest version (7.3.3), I am unable to update lambda layer permissions from a layer created with a previous version of the CLI (6.3.1).
A few observation notes:
- layers created with latest version are able to be updated with latest version
- layers created with 6.3.1 are unable to be updated with 6.3.1
- layers created with 6.4.0 are unable to be updated with 6.4.0
Expected behavior
CLI should update the layer accordingly
Reproduction steps
- using Amplify CLI v6.3.1, create a lambda layer:

  ```
  > amplify add function
  ⚠️ Amplify command hooks are disabled in the current execution environment.
  ⚠️ See https://docs.amplify.aws/cli/usage/command-hooks/ for more information.
  ? Select which capability you want to add: Lambda layer (shared code & resource used across functions)
  ? Provide a name for your Lambda layer: layer2465d15f
  ? Choose the runtime that you want to use: NodeJS
  ? The current AWS account will always have access to this layer. Optionally, configure who else can access this layer. (Hit <Enter> to skip) Public
  ✅ Lambda layer folders & files created:
  amplify/backend/function/8525layerslayer2465d15f
  Next steps:
  Move your libraries to the following folder:
  [NodeJS]: amplify/backend/function/8525layerslayer2465d15f/lib/nodejs
  Include any files you want to share across runtimes in this folder:
  amplify/backend/function/8525layerslayer2465d15f/opt
  "amplify function update <function-name>" - configure a function with this Lambda layer
  "amplify push" - builds all of your local backend resources and provisions them in the cloud
  ```

- Push new layer

  ```
  amplify push -y
  ```

- Upgrade to latest version of CLI

  ```
  pnpm add -g @aws-amplify/cli@latest
  ```

- Attempt to update lambda layer permissions

  ```
  > amplify update function
  ⚠️ Amplify command hooks are disabled in the current execution environment.
  ⚠️ See https://docs.amplify.aws/cli/usage/command-hooks/ for more information.
  ? Do you want to adjust layer version permissions? Yes
  ? Select the layer version to update: Future layer versions
  ? The current AWS account will always have access to this layer. Optionally, configure who else can access this layer. (Hit <Enter> to skip) Specific AWS accounts, Public
  ? Provide a list of comma-separated AWS account IDs: xxxxxxxx
  ```

- Observe CLI exits with no clear indication of failed or successful update, running `amplify status -v` shows no changes

  ```
  > amplify status -v
  ⚠️ Amplify command hooks are disabled in the current execution environment.
  ⚠️ See https://docs.amplify.aws/cli/usage/command-hooks/ for more information.
  Current Environment: dev
  ┌──────────┬─────────────────────────┬───────────┬───────────────────┐
  │ Category │ Resource name           │ Operation │ Provider plugin   │
  ├──────────┼─────────────────────────┼───────────┼───────────────────┤
  │ Function │ 8525layerslayer2465d15f │ No Change │ awscloudformation │
  └──────────┴─────────────────────────┴───────────┴───────────────────┘
  ```
GraphQL schema(s)
# Put schemas below this line
Log output
# Put your logs below this line
Additional information
No response
Need more clarity on the problem:
- Option: "Future layer versions" is the default configuration, hence there is no visible change. This also means that config changes are applied to future lambda layers.
- Validated: Add Lambda Layer with 6.3.1 and update lambda layer permission for the existing layer with the latest (7.5.5) works as expected.
The feature functionality works fine. Tested the following flows:
- Create lambda layer, add 2 accounts (aws1, aws2)
- Update lambda layer, replace the above 2 accounts with a third account (aws3). Push and validate in the layer-configs
- Update lambda layer and "un-select" the aws account option. (This removed the account aws3), and push. All flows worked fine.
UX issues:
- Remove "- Access permissions: Maintain existing permissions" prompt, when permissions for future revisions are only updated. This prompt is confusing, since it refers to the current layer instead of future layers.
- When "public" access is enabled on the lambda layer, disable addition and removal of aws accounts in the update walkthrough.
- `amplify status -v`: Needs to be updated to query layer-configuration.json, since layers do not update cloudformation on every permission update.
- AWS Lambda console doesn't show any information for account permissions added for the lambda layers. This needs to be updated.
- amplify status should show the lambda layers and access accounts
Moved issue to feature request to address UX upgrades
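Since neither the CLI exit nor `amplify status -v` shows what a permission update left in place, the layer version's resource-based policy can be checked directly. The following is an added example, not part of the thread or of the Amplify CLI's code: it reads output in the shape `aws lambda get-layer-version-policy` returns and compares the grants with the intended ones. The sample policy, account IDs, organization ID and function names are constructed for illustration.

```python
import json

# Constructed sample in the shape `aws lambda get-layer-version-policy` returns.
# ARNs, account IDs and the org ID are placeholders, not values from this issue.
_RES = "arn:aws:lambda:us-east-1:999999999999:layer:example-layer:1"
SAMPLE_RESPONSE = json.dumps({"RevisionId": "constructed", "Policy": json.dumps({
    "Version": "2012-10-17", "Id": "default", "Statement": [
        {"Sid": "acct", "Effect": "Allow", "Action": "lambda:GetLayerVersion",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"}, "Resource": _RES},
        {"Sid": "org", "Effect": "Allow", "Action": "lambda:GetLayerVersion",
         "Principal": "*", "Resource": _RES,
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg"}}},
        {"Sid": "public", "Effect": "Allow", "Action": "lambda:GetLayerVersion",
         "Principal": "*", "Resource": _RES},
    ]})})


def summarize_layer_access(response_text):
    """Return who the layer version's resource-based policy lets in."""
    policy = json.loads(json.loads(response_text)["Policy"])  # Policy is a JSON string
    access = {"public": False, "accounts": set(), "orgs": set()}
    statements = policy.get("Statement", [])
    for st in [statements] if isinstance(statements, dict) else statements:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        if principal in ("*", {"AWS": "*"}):
            org = st.get("Condition", {}).get("StringEquals", {}).get("aws:PrincipalOrgID")
            if org:
                access["orgs"].add(org)      # wildcard scoped to one organization
            else:
                access["public"] = True      # unconditioned wildcard: any account
            continue
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        for p in [aws] if isinstance(aws, str) else aws:
            # Principal is either an IAM ARN (account in field 5) or a bare account ID
            access["accounts"].add(p.split(":")[4] if p.startswith("arn:") else p)
    return access


def unexpected_grants(response_text, intended_accounts, intend_public=False):
    """List grants that differ from what the permission update was meant to leave."""
    access = summarize_layer_access(response_text)
    findings = []
    if access["public"] and not intend_public:
        findings.append("public")
    findings += [f"extra:{a}" for a in sorted(access["accounts"] - set(intended_accounts))]
    findings += [f"missing:{a}" for a in sorted(set(intended_accounts) - access["accounts"])]
    return findings
```
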
Do note that this is the error yielded when such layer doesn't exist in that region. I.e.:

```
An error occurred (AccessDeniedException) when calling the UpdateFunctionConfiguration operation: User: arn:aws:iam::***:user/{username} is not authorized to perform: lambda:GetLayerVersion on resource: arn:aws:lambda:us-east-1:015030872274:layer:AWS-Parameters-and-Secrets-Lambda-Extension:4 because no resource-based policy allows the lambda:GetLayerVersion action
```

Pay special attention to the fact that account_ids may differ for the same AWS-managed lambda layer from region to region.
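A triage helper for the denial quoted in the comment above, as an added example that is not part of the thread: it extracts the layer ARN from the error text and checks its region and account against the function's region. The function name and the `publisher_accounts` map (region to publishing account ID, filled in by the caller from the layer publisher's documentation) are assumptions of this example.

```python
import re

# Error text exactly as quoted in the comment above (caller identity is masked there).
ERROR = (
    "An error occurred (AccessDeniedException) when calling the "
    "UpdateFunctionConfiguration operation: User: arn:aws:iam::***:user/{username} "
    "is not authorized to perform: lambda:GetLayerVersion on resource: "
    "arn:aws:lambda:us-east-1:015030872274:layer:"
    "AWS-Parameters-and-Secrets-Lambda-Extension:4 because no resource-based "
    "policy allows the lambda:GetLayerVersion action"
)

LAYER_ARN = re.compile(
    r"arn:aws[\w-]*:lambda:(?P<region>[a-z0-9-]+):(?P<account>\d{12})"
    r":layer:(?P<name>[\w-]+):(?P<version>\d+)"
)


def triage_layer_denial(message, function_region, publisher_accounts):
    """Explain a GetLayerVersion denial.

    publisher_accounts maps region -> account ID that publishes the layer there;
    the caller fills it from the publisher's documentation (hypothetical input).
    Returns (layer_fields, findings) or None if the message is a different error.
    """
    match = LAYER_ARN.search(message)
    if "lambda:GetLayerVersion" not in message or match is None:
        return None
    layer = match.groupdict()
    findings = []
    if layer["region"] != function_region:
        findings.append(f"layer region {layer['region']} != function region {function_region}")
    expected = publisher_accounts.get(function_region)
    if expected is None:
        findings.append(f"no publisher account known for {function_region}")
    elif expected != layer["account"]:
        findings.append(f"account {layer['account']} should be {expected} in {function_region}")
    if not findings:
        findings.append("ARN matches region and account: check that this version exists")
    return layer, findings
```
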