AccessDeniedException when calling the ListLayerVersions operation #49

Open
tylercd100 opened this issue Jan 20, 2020 · 6 comments
@tylercd100

When trying to run:

aws lambda list-layer-versions --max-items 1 --no-paginate --layer-name arn:aws:lambda:us-east-1:131329294410:layer:r-runtime-3_6_0  --query 'LayerVersions[0].LayerVersionArn' --output text

I get this error

An error occurred (AccessDeniedException) when calling the ListLayerVersions operation: 
User: arn:aws:iam::273907563187:user/tyler is not authorized to perform: 
lambda:ListLayerVersions on resource: arn:aws:lambda:us-east-1:131329294410:layer:r-runtime-3_6_0

Did something change recently? I have been able to run this before without any issue.

@plukevdh

Getting the same. Seems like the last publish might have messed with the image permissions?

@philipp94831
Member

Hi, thanks for reporting. We are unsure why this happens; it seems that something on the AWS side has changed, as this project hasn't been touched for a while. We hope that we will come up with a solution soon! In the meantime, you can build the layer yourself so you don't need to rely on our provided layer.

philipp94831 self-assigned this Jan 28, 2020
philipp94831 added the bug (Something isn't working) label Jan 28, 2020
@philipp94831
Member

Hi @plukevdh and @tylercd100,
We investigated the issue, and it seems that the AWS API does not grant permissions for this command anymore for accounts outside our own AWS account. Therefore, we updated the README. To get an up-to-date list of the latest layer version in each region, please have a look at the Travis CI build log. For R 3.6.0, the latest version is usually arn:aws:lambda:$region:131329294410:layer:r-runtime-3_6_0:13. Sorry for the trouble.

@ed-sparkes

Hi,

Just hit this issue, made worse by the fact that I am using the Serverless Framework, which seems to require the permission to use the layer at all.

Looking at the docs, it seems possible to make it available for all AWS accounts though ...

https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html#permissions-resource-xaccountlayer

To grant permission to all AWS accounts, use * for the principal, and omit the organization ID. For multiple accounts or organizations, add multiple statements.

Might be worth looking into. Longer term I think I should probably copy the layer into my own account, but if you could look into the above it would be massively helpful in the short term.

Thanks, Ed

@philipp94831
Member

Hi @ed-sparkes,
you can still use our layer (see my comment or the README). You just can't list the versions and thus easily find out which is the latest one.

@ed-sparkes

Unfortunately, the way serverless.com implements layers, it seems to need a call to list versions, and I am using that as my framework for my serverless project.
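Added example, not part of the thread or the project's code: a simplified model of the resource-policy side of the check discussed above, showing how a layer version can be fetchable by every account while a list call is still not covered. The policy document, account IDs, organization ID and function names are constructed for illustration; the project's real layer policy is not shown on this page, and Deny statements, wildcards in actions and the caller's own IAM policy are out of scope.

```python
import json

# Constructed policy in the shape of the "Policy" field returned by
# `aws lambda get-layer-version-policy`; every ID below is a placeholder.
POLICY = json.loads("""{"Version": "2012-10-17", "Id": "default", "Statement": [
 {"Sid": "public-get", "Effect": "Allow", "Principal": "*",
  "Action": "lambda:GetLayerVersion",
  "Resource": "arn:aws:lambda:us-east-1:111111111111:layer:example-layer:13"},
 {"Sid": "org-get", "Effect": "Allow", "Principal": "*",
  "Action": "lambda:GetLayerVersion",
  "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg1"}},
  "Resource": "arn:aws:lambda:us-east-1:111111111111:layer:example-layer:12"}]}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_scope(stmt):
    """Return ("public", None), ("organization", org_ids) or ("accounts", ids)."""
    org_ids = []
    for keys in stmt.get("Condition", {}).values():
        for key, value in keys.items():
            if key.lower() == "aws:principalorgid":
                org_ids = _as_list(value)
    principal = stmt.get("Principal")
    if principal == "*" or principal == {"AWS": "*"}:
        return ("organization", org_ids) if org_ids else ("public", None)
    if not isinstance(principal, dict):
        return ("accounts", [])
    ids = [p.split(":")[4] if p.startswith("arn:") else p
           for p in _as_list(principal.get("AWS", []))]
    return ("accounts", sorted(ids))


def resource_policy_allows(policy, action, resource, account_id, org_id=None):
    """True if some Allow statement covers this action, resource and caller."""
    for stmt in policy.get("Statement", []):
        if (stmt.get("Effect") != "Allow"
                or action not in _as_list(stmt.get("Action", []))
                or resource not in _as_list(stmt.get("Resource", []))):
            continue
        kind, value = statement_scope(stmt)
        if (kind == "public"
                or (kind == "organization" and org_id in value)
                or (kind == "accounts" and account_id in value)):
            return True
    return False
```

When auditing your own layers, a statement that `statement_scope` reports as "public" is the "use * for the principal, and omit the organization ID" case quoted from the AWS documentation above.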
