anyone know if it’s possible in CDK to reference a...
# help
s
anyone know if it’s possible in CDK to reference a Lambda layer that’s already deployed (outside of the infra code).. especially one in another AWS account
alternatively, I could instantiate a lambda.LayerVersion in my CDK code, but I’d need to reference a zip on S3 in another AWS account
g
In my .env file:
LAMBDA_LAYER_ARN=arn:aws:lambda:us-east-1:XXXXX:layer:XXXX:33
Then in your stack:
const myLambdaLayer = lambda.LayerVersion.fromLayerVersionArn(this,
      'myLayer', <string>process.env.LAMBDA_LAYER_ARN);
Then in your Lambda definition
return new sst.Api(this, 'Api', {
      defaultFunctionProps: {
        // attach the imported (pre-existing) layer to every function in this API
        layers: [myLambdaLayer]
      }
    });
s
and your Lambda layer is in a different AWS account? how does it have permissions to access that?
a
s
sure, I know how to create a Lambda layer. but I wanted to reference an existing one in a different AWS account
s
oh geez. sorry. the doc page is messed up.. the ‘#’ anchors didn’t work
a
weird, works for me.
s
heh. AWS support, which I pay $100/mo for, tried to tell me it’s not possible
then I tell him your solution and he says “lemme check”. man..
a
Haha! Hire me lol. 😂
s
for real
Ashishkumar to the rescue, as usual 😄
a
Always a pleasure. 😁🙏
s
moving the conversation here 😉 but how can my stack in Account B have the ARN of a layer that already exists in Account A?
a
Are both accounts in the same org?
s
yep
the AWS support person said to make a new LayerVersionPermission with account ID '*' and organizationID with my organization ID (obviously)
then he said pass that permission to addPermission('ARN of layer in Account A', layerVersionPermission)
a
It’s basically adding an IAM policy that sets principal to all users in your org. IAM voodoo.
s
so once I add the permission by passing the layer version permission that has the org ID and “*” for all accounts, it’ll just work?
a
I don’t think that would work. The addPermission works on the source layer and account and not on the target. Once you create the layer and add the permission everything from the source side should be done. On the target side you’d use LayerVersion.fromLayerVersionArn or LayerVersion.fromLayerVersionAttributes to refer to it.
s
so maybe all I need is an IAM role on the primary account w/ the layer, granting the account the ability to access the layer ?
a
the addPermission will do that, I don’t think you need to do anything manually.
s
but the sub account surely can’t just call addPermission to gain access to the primary account’s layers.. ? that would be a security flaw 😄
I suppose I should just try it! one sec
a
The sub account won’t call the addPermission, the owner account would. The sub account uses the static methods to refer.
s
ohh I gotcha.. when the primary account does yarn deploy, it’ll add that permission
a
you do have a cdk / sst stack in the owner account, right?
s
nope, that’s why I was confused 😄 haha. I’m testing SST in a test sub account right now
a
oh, okay, then you’ll have to create an IAM policy to share the layer manually and then refer to it from the sub account.
s
yeah.. ok. I’ll try that in a minute
a
this is the permission that your sub account needs - lambda:GetLayerVersion
so the IAM policy to attach to the user would be something like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "lambda:GetLayerVersion",
      "Resource": "arn:aws:lambda:ap-south-1:xxx:layer:test:test",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalAccount": "subaccount"
        }
      }
    }
  ]
}
s
I added this role + policy to the main account, didn’t work
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "lambda:GetLayerVersion",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-xxx"
        }
      }
    }
  ]
}
a
you’ll have to add PrincipalAccountId * as well.
s
really? I thought this policy above would allow any account in the organization access
I’ll add that though too
a
It’s a combination as far as I understand, I haven’t tried this within the same org yet.
That feels like sudo though. 😅
s
any sub accounts are ones I’ve set up for devs 🙂 no biggie if they can access the Lambda layers
ok, trying this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "lambda:GetLayerVersion",
      "Resource": "arn:aws:lambda:*:808557273244:layer:*:*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalAccount": "*",
          "aws:PrincipalOrgID": "o-34kxmykfnr"
        }
      }
    }
  ]
}
it seems like it wouldn’t work. doesn’t the sub account have to assume the role?
a
no, it wouldn’t have to. The layer resource will match the condition for the subaccount.
s
didn’t work 😕
a
Any errors that you see?
s
same:
Resource handler returned message: "User: arn:aws:iam::<sub_account>:user/sammy is not authorized to perform: lambda:GetLayerVersion on resource: arn:aws:lambda:us-east-1:<main_account>:layer:audio-tools:4
a
do one thing, use PrincipalArn and give it the subaccount’s Arn and remove the PrincipalOrgID
s
sure thing
this way?
"Principal": {
        "AWS": "arn:aws:iam::<sub_account>:root"
      },
oh nope, can’t use Principal here
hang on..
maybe that’s nothing. never mind
a
something like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "lambda:GetLayerVersion",
      "Resource": "arn:aws:lambda:ap-south-1:xxx:layer:test:test",
      "Condition": {
        "ArnEquals": {
          "aws:PrincipalArn": "arn:aws:iam::xxx:user/ashish"
        }
      }
    }
  ]
}
s
ok, so using that.. this is the first time I’ve seen this show anything on the summary
the other times, it had nothing there
a
okay, nice!
try it.
s
I’ll have to ask AWS support how to grant to the whole organization
a
let me think.
s
ah, it didn’t work 😞
same error
a
are the console user and the sst user the same, or do you have other profiles too?
s
er wait. lemme try my username vs :root for the IAM user
:root is for STS & trusted accounts I believe
a
you can’t give access to root from an IAM account.
root is not an IAM user.
s
right. well, I mean for STS (trust relationships), you do use that. e.g.:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<sub_account>:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
nope, using a specific user didn’t work either. argh
a
same error again?
s
yep
a
change the condition to this for my old policy above:
"Condition": {
    "StringEquals": {
        "aws:PrincipalType": "User"
     }
}
s
there’s no reference to org ID there though
a
that should be fine.
s
so the policy is saying any user can do lambda:GetLayerVersion?
a
yep.
s
regardless of organization.. ? so if you had the ARN for my layer, you could access it 😄
didn’t work. gonna try one more thing, then I’m gonna go to bed
a
your accounts and org have no idea of other orgs so it shouldn’t be an issue.
I found this, seems promising:
aws lambda add-layer-version-permission --layer-name my-layer \
--statement-id engineering-org --version-number 3 --principal '*' \
--action lambda:GetLayerVersion --organization-id o-t194hfs8cz --output text
s
interesting! I wonder what it does and where it stores that permission
a
try it, then go to the IAM console, into permissions, and sort by last created.
s
ok the CLI command worked. where do I go in the console to see this?
I don’t see any new roles or policies
holy crap, it worked! CDK was able to deploy a Lambda func using that layer
a
it would be under your org permissions probably since we gave it an org id. Great, good exercise lol! 😂
s
here are the relevant docs! I wouldn’t have known to look for this. https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html#configuration-layers-permissions
a
yep, that’s where I got the command from.
s
I don’t see the permissions anywhere in the console. super weird. maybe they aren’t accessible there. but you can’t even use the CLI to list the permissions either
I’ll have to ask support about that tomorrow
a
use get-layer-version-policy
s
aha
excellent. thank you once again!
a
of course.
I’m pretty sure a policy was created.
s
I hope I can return the favor someday 🙏
a
Your questions are already helping me, a good question is its own reward.
s
😁 goodnight!
j
@Ashishkumar Pandey Wow, thanks for being so awesome!
a
Thank you, @Jay 😁🙏