Sharing Lambda Layers
I was recently reading the AWS documentation on controlling layer access and thought it felt a bit fragmented. That may be why you're here too. This post contains everything you need to know if you want to share a layer with another account, an organization, or publicly. I'll also show you how to restrict which layers can be added to functions in your account.

What are Lambda layers?

Feel free to skip this section if you're already familiar with layers.

Layers were announced at AWS re:Invent in 2018 as a way of sharing a custom runtime, code, libraries, content, or dependencies. They let you keep your deployment package small and promote reuse.

A layer is simply a zip archive containing the files you want to share. You can add up to five layers to each function. They must be in the same region as the function, and the total unzipped size of the function's deployment package and its layers can't exceed 250 MB.

Layers are extracted and merged one by one into the /opt directory inside the function execution environment. This directory is read-only, but you can write up to 512 MB to /tmp, which I've written about previously.

Sharing Lambda layers

Creating or updating a layer creates a new layer version with a unique ARN. When you add a layer to a function, you're actually adding a specific version. To add a layer version, you need permission to call GetLayerVersion on it, which you'll usually get from an IAM policy. When the layer is in another account, its resource-based policy must allow your account to use it, which is what we'll discuss next.

Layer version resource-based policies

Each policy contains zero or more permission statements that allow a principal to perform an action. The principal can be a single account or all accounts. When the principal is all accounts, you can optionally specify an organization. As mentioned above, the action we care about is lambda:GetLayerVersion.

Adding statements

Permission statements can be added using the AddLayerVersionPermission operation of the API and CLI. You can also use a CloudFormation AWS::Lambda::LayerVersionPermission resource. Currently, there's no way to manage these policies via the AWS console.

Examples

Here are some CLI examples for version 1 of a layer named MySharedDeps.

Specific account: allow usage from the 123456789012 account.

    aws lambda add-layer-version-permission \
        --layer-name MySharedDeps \
        --version-number 1 \
        --statement-id SpecificAccountExample \
        --principal 123456789012 \
        --action lambda:GetLayerVersion

Any account: allow usage from any account.

    aws lambda add-layer-version-permission \
        --layer-name MySharedDeps \
        --version-number 1 \
        --statement-id AllAccountsExample \
        --principal '*' \
        --action lambda:GetLayerVersion

Any account in an organization: allow usage from any account in the o-1234567890 organization.

    aws lambda add-layer-version-permission \
        --layer-name MySharedDeps \
        --version-number 1 \
        --statement-id AllOrganizationAccountsExample \
        --principal '*' \
        --organization-id o-1234567890 \
        --action lambda:GetLayerVersion

Removing statements

Each statement is given a statement ID that can be used to remove it with the RemoveLayerVersionPermission operation of the API and CLI.

    aws lambda remove-layer-version-permission \
        --layer-name MySharedDeps \
        --version-number 1 \
        --statement-id SpecificAccountExample

Viewing an existing policy

New layers don't have a resource-based policy until you add a permission statement. After you do, you can view the policy using the command below.

    aws lambda get-layer-version-policy \
        --layer-name MySharedDeps \
        --version-number 1

Restricting usage

You can restrict which layers can be added to your functions by adding a Condition element to any IAM policy that allows creating or updating functions. This can prevent usage of layers published by other accounts, or by accounts you don't own. Another option is to limit usage to an approved set of layers that have been audited or tested.

Let's look at an example. The policy below restricts usage to layers published by the 123456789012 account that have names starting with test. You can find more information about Condition elements in the documentation.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "ConfigureFunctions",
          "Effect": "Allow",
          "Action": [
            "lambda:CreateFunction",
            "lambda:UpdateFunctionConfiguration"
          ],
          "Resource": "*",
          "Condition": {
            "ForAllValues:StringLike": {
              "lambda:Layer": [
                "arn:aws:lambda:*:123456789012:layer:test*"
              ]
            }
          }
        }
      ]
    }

Do you use layers?

Recently, I published a post where I used a layer containing the .NET Core debugger (Remotely debugging .NET in AWS Lambda). Following re:Invent, AWS released the C++ Lambda runtime, which is intended to be packaged as a layer. There is also a curated list of awesome layers on GitHub. I'd love to hear what other uses you've found for layers!

Content copied from https://medium.com/devopslinks/sharing-lambda-layers-and-restricting-your-own-usage-f1413b974f44
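To audit the sharing side of the post (who a layer version's resource-based policy lets call GetLayerVersion), here is an added example that is not part of the original post or of AWS's tooling. It parses the JSON document that get-layer-version-policy returns in its "Policy" field and assumes the statement shapes documented for add-layer-version-permission: an account principal appears as {"AWS": "arn:aws:iam::<account>:root"}, a '*' principal as the string "*", and an organization id as a StringEquals condition on aws:PrincipalOrgID; the sample policy and the layer owner account are constructed.

```python
# Added example (not the post's or AWS's code): classify who a layer version's
# resource-based policy grants lambda:GetLayerVersion to, using the JSON document
# returned in the "Policy" field of `aws lambda get-layer-version-policy`.
# Assumed statement shapes (as documented for add-layer-version-permission):
# an account principal is {"AWS": "arn:aws:iam::<account>:root"}, `--principal '*'`
# is the string "*", and `--organization-id` adds StringEquals on aws:PrincipalOrgID.
import json

def classify_statement(stmt):
    """Return (sid, scope, detail); scope is 'account', 'organization' or 'public'."""
    principal = stmt.get("Principal")
    if isinstance(principal, dict):
        principal = principal.get("AWS", "")
    org = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:PrincipalOrgID")
    if principal == "*" and org:
        return stmt.get("Sid"), "organization", org
    if principal == "*":
        return stmt.get("Sid"), "public", None
    # arn:aws:iam::123456789012:root -> the account id is the fifth colon-separated field
    return stmt.get("Sid"), "account", principal.split(":")[4]

def audit_policy(policy_json):
    """Group Allow statements for GetLayerVersion by scope; review anything 'public'."""
    result = {"account": [], "organization": [], "public": []}
    for stmt in json.loads(policy_json).get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "lambda:GetLayerVersion" not in actions:
            continue
        sid, scope, detail = classify_statement(stmt)
        result[scope].append((sid, detail))
    return result

# Constructed sample: what the post's three add-layer-version-permission calls
# would leave on MySharedDeps version 1 (the layer owner account is made up).
LAYER_ARN = "arn:aws:lambda:us-east-1:111122223333:layer:MySharedDeps:1"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Id": "default", "Statement": [
    {"Sid": "SpecificAccountExample", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "lambda:GetLayerVersion", "Resource": LAYER_ARN},
    {"Sid": "AllAccountsExample", "Effect": "Allow", "Principal": "*",
     "Action": "lambda:GetLayerVersion", "Resource": LAYER_ARN},
    {"Sid": "AllOrganizationAccountsExample", "Effect": "Allow", "Principal": "*",
     "Action": "lambda:GetLayerVersion", "Resource": LAYER_ARN,
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-1234567890"}}},
]})

if __name__ == "__main__":
    for scope, entries in audit_policy(SAMPLE_POLICY).items():
        print(scope, entries)
```

Anything in the "public" list is readable by every AWS account, so run this over each version of each layer you publish, not just the latest.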
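For the restricting-usage policy above, here is an added example (not from the original post or from AWS) that evaluates the ForAllValues:StringLike condition on lambda:Layer against a proposed set of layer ARNs before you attempt CreateFunction or UpdateFunctionConfiguration. It models the documented set-operator semantics: every value in the request must match some pattern, StringLike is case-sensitive with * and ? wildcards, and a request with no layers passes because the key is absent; the layer ARNs are constructed.

```python
# Added example (not the post's or AWS's code): evaluate the post's
# ForAllValues:StringLike condition on lambda:Layer for a proposed set of layer
# ARNs, modelling the documented set-operator semantics: every value in the
# request must match some pattern, StringLike is case-sensitive with * and ?
# wildcards, and a request with no layers passes because the key is absent
# (ForAllValues is vacuously true).
from fnmatch import fnmatchcase

# The pattern from the post's policy: layers owned by 123456789012 named test*
ALLOWED_LAYER_PATTERNS = ["arn:aws:lambda:*:123456789012:layer:test*"]

def layer_allowed(layer_arn, patterns=ALLOWED_LAYER_PATTERNS):
    """StringLike match; fnmatchcase keeps the comparison case-sensitive."""
    return any(fnmatchcase(layer_arn, p) for p in patterns)

def condition_passes(layer_arns, patterns=ALLOWED_LAYER_PATTERNS):
    """ForAllValues: every requested layer must match; an empty list passes."""
    return all(layer_allowed(a, patterns) for a in layer_arns)

def rejected_layers(layer_arns, patterns=ALLOWED_LAYER_PATTERNS):
    """The layers that would make CreateFunction/UpdateFunctionConfiguration fail."""
    return [a for a in layer_arns if not layer_allowed(a, patterns)]

if __name__ == "__main__":
    # Constructed ARNs: one matches the pattern, one is owned by another account
    proposed = [
        "arn:aws:lambda:us-east-1:123456789012:layer:test-deps:1",
        "arn:aws:lambda:us-east-1:999999999999:layer:test-deps:1",
    ]
    print(condition_passes(proposed), rejected_layers(proposed))
```

Because the post's statement is an Allow, it only restricts anything when no other policy grants these actions without the condition; and since an empty layer set passes, functions with no layers are always allowed by it.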