TLDR;

Getting an error deploying a Lambda function to AWS that includes a Lambda layer referenced by ARN.

```
$ sls deploy
```

Error:

```
An error occurred: ProcessAssetLambdaFunction - User: arn:aws:sts::111111111111:assumed-role/admin/aws-sdk-js-9999 is not authorized to perform: lambda:GetLayerVersion on resource: arn:aws:lambda:us-east-1:145266761615:layer:ffmpeg:4 (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException; Request ID: 88888).
```

NOTE: GUIDs and keys changed; the ffmpeg layer ARN is real.

What user, group, role, or resource needs access to lambda:GetLayerVersion?
Details

I have 2 accounts in an AWS Organization:

- master (000000000000)
- prod (111111111111)

Account - 000000000000 (master)

- User (user1) has Access key ID (AAAA) and Secret access key (BBBB)
- User (user1) belongs to Group (prod-admin)
- Group (prod-admin) has policy (prod-admin-policy)
- Policy (prod-admin-policy):

```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::111111111111:role/admin"
  }
}
```
Account - 111111111111 (prod)

- Role (admin) has Trust Relationship:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::000000000000:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
```

- Role (admin) has Permission policy (AdministratorAccess):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
```
AWS Config

credentials

```ini
[org-prod-admin]
role_arn=arn:aws:iam::111111111111:role/admin
source_profile=user1-profile

[user1-profile]
aws_access_key_id=AAAA
aws_secret_access_key=BBBB
```

config

```ini
[org-prod-admin]
region = us-east-1
output = json

[profile user1-profile]
region=us-east-1
output=json
```
serverless.yml

```yaml
service: myservice
frameworkVersion: ">=1.44.1 <2.0.0"

custom:
  myStage: ${opt:stage, self:provider.stage}
  myProfile:
    prod: org-prod-admin
    dev: org-nonprod-admin

provider:
  name: aws
  runtime: nodejs10.x
  stage: prod
  region: us-east-1
  profile: ${self:custom.myProfile.${self:custom.myStage}}

functions:
  processAsset:
    handler: processAsset.handler
    description: Process asset
    reservedConcurrency: 5
    timeout: 20
    events:
      - sqs:
          arn: !GetAtt
            - processAssetQueue
            - Arn
          batchSize: 1
    layers:
      - arn:aws:lambda:us-east-1:145266761615:layer:ffmpeg:4

resources:
  Resources:
    # resources including processAssetQueue
```
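An added triage helper for denials of this shape (example code written for this page, not part of the question, Serverless Framework, or any AWS SDK). It parses the standard IAM denial sentence ("User: ... is not authorized to perform: ... on resource: ...") into principal, action and resource, and flags when the principal's account differs from the resource's account. That distinction is the security-relevant point: an identity policy in the caller's account, even `Action: "*"` on `Resource: "*"`, can only grant what that account is allowed to reach; reading a layer version that another account owns requires the layer owner to attach a resource-based permission to that version (Lambda's AddLayerVersionPermission API, `aws lambda add-layer-version-permission`) naming the consuming account or `*`. For a cross-account `lambda:GetLayerVersion` denial the helper therefore emits the parameters the owner would need, with a constructed `StatementId`. The sample error string is the one from the question (placeholder ids as the poster wrote them).

```python
import re
from typing import Optional, Tuple

# Constructed sample: the AccessDenied message from the question above,
# with the same placeholder account ids and request id the poster used.
SAMPLE_ERROR = (
    "An error occurred: ProcessAssetLambdaFunction - User: "
    "arn:aws:sts::111111111111:assumed-role/admin/aws-sdk-js-9999 is not "
    "authorized to perform: lambda:GetLayerVersion on resource: "
    "arn:aws:lambda:us-east-1:145266761615:layer:ffmpeg:4 "
    "(Service: AWSLambdaInternal; Status Code: 403; "
    "Error Code: AccessDeniedException; Request ID: 88888)."
)

# The IAM denial sentence: "User: <arn> is not authorized to perform:
# <service:Action> on resource: <arn>".
DENIAL_RE = re.compile(
    r"User: (?P<principal>arn:aws:\S+) is not authorized to perform: "
    r"(?P<action>[A-Za-z0-9-]+:[A-Za-z0-9]+) on resource: (?P<resource>arn:aws:\S+)"
)

# arn:aws:service:region:account:resource (region/account may be empty, e.g. for sts/iam)
ARN_RE = re.compile(
    r"^arn:aws:(?P<service>[^:]*):(?P<region>[^:]*):(?P<account>\d{12}|):(?P<resource>.+)$"
)


def arn_account(arn: str) -> str:
    """Return the 12-digit account id embedded in an ARN ('' for global resources)."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an ARN: {arn}")
    return m.group("account")


def parse_denial(message: str) -> Optional[dict]:
    """Extract principal, action and resource from an IAM AccessDenied message.

    Returns None when the message is not a denial of that shape.
    """
    m = DENIAL_RE.search(message)
    if not m:
        return None
    principal, action, resource = m.group("principal", "action", "resource")
    p_acct, r_acct = arn_account(principal), arn_account(resource)
    return {
        "principal": principal,
        "principal_account": p_acct,
        "action": action,
        "resource": resource,
        "resource_account": r_acct,
        # An identity policy in the caller's account cannot, by itself, grant
        # access to another account's resource; the resource owner must grant it.
        "cross_account": p_acct != r_acct,
    }


def layer_version_parts(layer_arn: str) -> Tuple[str, int]:
    """Split arn:aws:lambda:REGION:ACCOUNT:layer:NAME:VERSION into (NAME, VERSION)."""
    m = ARN_RE.match(layer_arn)
    if not m or m.group("service") != "lambda":
        raise ValueError(f"not a Lambda ARN: {layer_arn}")
    kind, name, version = m.group("resource").split(":")
    if kind != "layer":
        raise ValueError(f"not a layer version ARN: {layer_arn}")
    return name, int(version)


def owner_grant_for(denial: Optional[dict]) -> Optional[dict]:
    """For a cross-account lambda:GetLayerVersion denial, return the parameters the
    LAYER OWNER would pass to AddLayerVersionPermission so the caller's account can
    fetch that version. Returns None when no such grant applies (same-account
    denials are an identity-policy problem in the caller's own account instead).
    """
    if (
        denial is None
        or denial["action"] != "lambda:GetLayerVersion"
        or not denial["cross_account"]
    ):
        return None
    name, version = layer_version_parts(denial["resource"])
    return {
        "LayerName": name,
        "VersionNumber": version,
        "StatementId": f"allow-{denial['principal_account']}",  # constructed id
        "Action": "lambda:GetLayerVersion",
        "Principal": denial["principal_account"],  # the consuming account, or "*"
    }


if __name__ == "__main__":
    finding = parse_denial(SAMPLE_ERROR)
    print(finding)
    print(owner_grant_for(finding))
```

To reproduce the check CloudFormation performs before touching serverless.yml, run `aws lambda get-layer-version-by-arn --arn <layer version ARN> --profile org-prod-admin` with the same deploying profile; that call is authorised by the same `lambda:GetLayerVersion` action, so a 403 there confirms the consuming account has not been granted the version, and only the account that owns the layer can change that.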