AWS::Lambda::LayerVersionPermission
The AWS::Lambda::LayerVersionPermission resource adds permissions to the resource-based policy of a version of a Lambda layer. Use this action to grant layer usage permission to other accounts. You can grant permission to a single account, all AWS accounts, or all accounts in an organization.
Important
Since the release of UpdateReplacePolicy, both UpdateReplacePolicy and DeletionPolicy are required to protect your Resources/LayerPermissions from deletion.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::Lambda::LayerVersionPermission",
  "Properties" : {
    "Action" : String,
    "LayerVersionArn" : String,
    "OrganizationId" : String,
    "Principal" : String
  }
}
YAML
Type: AWS::Lambda::LayerVersionPermission
Properties:
  Action: String
  LayerVersionArn: String
  OrganizationId: String
  Principal: String
Properties
Action
The API action that grants access to the layer. For example, lambda:GetLayerVersion.
Required: Yes
Type: String
Pattern: lambda:GetLayerVersion
Maximum: 22
Update requires: Replacement
LayerVersionArn
The name or Amazon Resource Name (ARN) of the layer.
Required: Yes
Type: String
Pattern: (arn:[a-zA-Z0-9-]+:lambda:[a-zA-Z0-9-]+:\d{12}:layer:[a-zA-Z0-9-_]+)|[a-zA-Z0-9-_]+
Minimum: 1
Maximum: 140
Update requires: Replacement
OrganizationId
With the principal set to *, grant permission to all accounts in the specified organization.
Required: No
Type: String
Pattern: o-[a-z0-9]{10,32}
Maximum: 34
Update requires: Replacement
Principal
An account ID, or * to grant layer usage permission to all accounts in an organization, or all AWS accounts (if organizationId is not specified). For the last case, make sure that you really do want all AWS accounts to have usage permission to this layer.
Required: Yes
Type: String
Pattern: \d{12}|\*|arn:(aws[a-zA-Z-]*):iam::\d{12}:root
Update requires: Replacement
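A static check built on the Principal and OrganizationId rules above, as an added example that is not part of the AWS reference: it scans a parsed template for grants that open a layer to all AWS accounts or that fail the documented patterns. The function name, severity labels and sample resources are assumptions constructed for illustration.

```python
import re

# Patterns copied from the Principal and OrganizationId properties above.
PRINCIPAL_RE = re.compile(r"\d{12}|\*|arn:(aws[a-zA-Z-]*):iam::\d{12}:root")
ORG_ID_RE = re.compile(r"o-[a-z0-9]{10,32}")
TYPE = "AWS::Lambda::LayerVersionPermission"

def audit_layer_permissions(template):
    """Return {logical_id: (severity, message)} for risky or invalid grants."""
    findings = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != TYPE:
            continue
        props = res.get("Properties", {})
        principal, org_id = props.get("Principal"), props.get("OrganizationId")
        if isinstance(principal, dict) or isinstance(org_id, dict):
            # Intrinsic function (Ref, Fn::Sub, ...): value is unknown until deploy.
            findings[logical_id] = ("REVIEW", "value set by intrinsic function")
        elif not isinstance(principal, str) or not PRINCIPAL_RE.fullmatch(principal):
            findings[logical_id] = ("ERROR", "Principal fails documented pattern")
        elif org_id is not None and not ORG_ID_RE.fullmatch(str(org_id)):
            findings[logical_id] = ("ERROR", "OrganizationId fails documented pattern")
        elif principal == "*" and org_id is None:
            # Principal "*" without OrganizationId grants use to every AWS account.
            findings[logical_id] = ("HIGH", "layer usable by all AWS accounts")
    return findings

def _perm(principal, org_id=None):
    """Build one constructed LayerVersionPermission resource for the sample."""
    props = {"Action": "lambda:GetLayerVersion", "Principal": principal,
             "LayerVersionArn": "arn:aws:lambda:us-east-2:123456789012:layer:my-layer:1"}
    if org_id is not None:
        props["OrganizationId"] = org_id
    return {"Type": TYPE, "Properties": props}

# Constructed sample template; IDs reuse the placeholder values shown on this page.
SAMPLE_TEMPLATE = {"Resources": {
    "OrgScoped": _perm("*", "o-t194hfs8cz"),
    "PublicLayer": _perm("*"),
    "SingleAccount": _perm("123456789012"),
    "ParamPrincipal": _perm({"Ref": "PrincipalParam"}),
    "BadOrg": _perm("*", "o-ABC"),
}}

if __name__ == "__main__":
    for name, (severity, message) in audit_layer_permissions(SAMPLE_TEMPLATE).items():
        print(f"{severity:6} {name}: {message}")
```

A malformed OrganizationId is reported as an error rather than as an organization-scoped grant, so a typo in the ID is never read as a valid restriction.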
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the layer version ARN and statement ID, such as arn:aws:lambda:us-east-2:123456789012:layer:my-layer:1#engineering-org.
For more information about using the Ref function, see Ref.
Fn::GetAtt
Examples
Layer Version Permission
Grant layer use permission to accounts in organization o-t194hfs8cz.
JSON
"MyLayerPermission": {
  "Type": "AWS::Lambda::LayerVersionPermission",
  "Properties": {
    "Action": "lambda:GetLayerVersion",
    "LayerVersionArn": "arn:aws:lambda:us-east-2:123456789012:layer:my-layer:1",
    "OrganizationId": "o-t194hfs8cz",
    "Principal": "*"
  }
}
YAML
MyLayerPermission:
  Type: AWS::Lambda::LayerVersionPermission
  Properties:
    Action: lambda:GetLayerVersion
    LayerVersionArn: arn:aws:lambda:us-east-2:123456789012:layer:my-layer:1
    OrganizationId: o-t194hfs8cz
    Principal: "*"