Syntax Properties Return values Examples

AWS::Lambda::LayerVersionPermission

The AWS::Lambda::LayerVersionPermission resource adds permissions to the resource-based policy of a version of an Lambda layer. Use this action to grant layer usage permission to other accounts. You can grant permission to a single account, all AWS accounts, or all accounts in an organization.

Important

Since the release of the UpdateReplacePolicy both UpdateReplacePolicy and DeletionPolicy are required to protect your Resources/LayerPermissions from deletion.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON


{
  "Type" : "AWS::Lambda::LayerVersionPermission",
  "Properties" : {
      "Action" : String,
      "LayerVersionArn" : String,
      "OrganizationId" : String,
      "Principal" : String
    }
}

YAML


Type: AWS::Lambda::LayerVersionPermission
Properties:
  Action: String
  LayerVersionArn: String
  OrganizationId: String
  Principal: String

Properties

Action

The API action that grants access to the layer. For example, lambda:GetLayerVersion.

Required: Yes

Type: String

Pattern: lambda:GetLayerVersion

Minimum: 0

Maximum: 22

Update requires: Replacement

LayerVersionArn

The name or Amazon Resource Name (ARN) of the layer.

Required: Yes

Type: String

Pattern: (arn:[a-zA-Z0-9-]+:lambda:[a-zA-Z0-9-]+:\d{12}:layer:[a-zA-Z0-9-_]+)|[a-zA-Z0-9-_]+

Minimum: 1

Maximum: 140

Update requires: Replacement

OrganizationId

With the principal set to *, grant permission to all accounts in the specified organization.

Required: No

Type: String

Pattern: o-[a-z0-9]{10,32}

Minimum: 0

Maximum: 34

Update requires: Replacement

Principal

An account ID, or * to grant layer usage permission to all accounts in an organization, or all AWS accounts (if organizationId is not specified). For the last case, make sure that you really do want all AWS accounts to have usage permission to this layer.

Required: Yes

Type: String

Pattern: \d{12}|\*|arn:(aws[a-zA-Z-]*):iam::\d{12}:root

Update requires: Replacement

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the layer version ARN and statement ID, such as arn:aws:lambda:us-east-2:123456789012:layer:my-layer:1#engineering-org.

For more information about using the Ref function, see Ref.

Fn::GetAtt

Examples

Layer Version Permission

Grant layer use permission to accounts in organization o-t194hfs8cz.

JSON


"MyLayerPermission": {
    "Type": "AWS::Lambda::LayerVersionPermission",
    "Properties": {
        "Action": "lambda:GetLayerVersion",
        "LayerVersionArn": "arn:aws:lambda:us-east-2:123456789012:layer:my-layer:1",
        "OrganizationId": "o-t194hfs8cz",
        "Principal": "*"
    }
}

YAML


MyLayerPermission:
  Type: AWS::Lambda::LayerVersionPermission
  Properties:
    Action: lambda:GetLayerVersion
    LayerVersionArn: arn:aws:lambda:us-east-2:123456789012:layer:my-layer:1
    OrganizationId: o-t194hfs8cz
    Principal: *

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Content

AWS::Lambda::Permission