Deploy Returns Error on Lambda Layer

TL;DR

Getting an error when deploying a Lambda function to AWS that includes a Lambda layer referenced by ARN.

$ sls deploy

Error:

An error occurred: ProcessAssetLambdaFunction - User: arn:aws:sts::111111111111:assumed-role/admin/aws-sdk-js-9999 is not authorized to perform: lambda:GetLayerVersion on resource: arn:aws:lambda:us-east-1:145266761615:layer:ffmpeg:4 (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException; Request ID: 88888).

NOTE: GUIDs and keys changed; the ffmpeg layer ARN is real.

What user, group, role, or resource needs access to lambda:GetLayerVersion?

Details

I have 2 accounts in an AWS Organization:

  • master (000000000000)
  • prod (111111111111)

Account - 000000000000 (master)

  • User (user1) has Access key ID (AAAA) and Secret access key (BBBB)
  • User (user1) belongs to Group (prod-admin)
  • Group (prod-admin) has policy (prod-admin-policy)
  • Policy (prod-admin-policy):
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::111111111111:role/admin"
  }
}

Account - 111111111111 (prod)

  • Role (admin) has Trust Relationship:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::000000000000:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
  • Role (admin) has Permission policy (AdministratorAccess):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

AWS Config

credentials

[org-prod-admin]
role_arn=arn:aws:iam::111111111111:role/admin
source_profile=user1-profile

[user1-profile]
aws_access_key_id=AAAA
aws_secret_access_key=BBBB

config

[org-prod-admin]
region = us-east-1
output = json

[profile user1-profile]
region=us-east-1
output=json

serverless.yml

service: myservice
frameworkVersion: ">=1.44.1 <2.0.0"

custom:
  myStage: ${opt:stage, self:provider.stage}
  myProfile:
    prod: org-prod-admin
    dev: org-nonprod-admin

provider:
  name: aws
  runtime: nodejs10.x
  stage: prod
  region: us-east-1
  profile: ${self:custom.myProfile.${self:custom.myStage}}

functions:
  processAsset:
    handler: processAsset.handler
    description: Process asset
    reservedConcurrency: 5
    timeout: 20
    events:
      - sqs:
          arn: !GetAtt
            - processAssetQueue
            - Arn
          batchSize: 1
    layers:
      - arn:aws:lambda:us-east-1:145266761615:layer:ffmpeg:4

resources:
  Resources:
      # resources including processAssetQueue
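Added example (not code from the question or from the Serverless Framework): a small Python check that parses the 403 above, compares the account in the denied principal's ARN with the account in the layer ARN, and, when they differ, emits the layer resource-policy statement and the equivalent add-layer-version-permission call that only the layer owner can apply. The admin role's AdministratorAccess already covers the identity side; a layer in another account additionally needs that layer version's own resource policy to allow lambda:GetLayerVersion to the consuming account. The statement id is a made-up placeholder.

```python
import re

# Constructed sample: the 403 from the question (account IDs are the question's placeholders).
SAMPLE_ERROR = (
    "An error occurred: ProcessAssetLambdaFunction - User: "
    "arn:aws:sts::111111111111:assumed-role/admin/aws-sdk-js-9999 is not authorized "
    "to perform: lambda:GetLayerVersion on resource: "
    "arn:aws:lambda:us-east-1:145266761615:layer:ffmpeg:4 (Service: AWSLambdaInternal; "
    "Status Code: 403; Error Code: AccessDeniedException; Request ID: 88888)."
)

# IAM AccessDenied shape: "User: <arn> is not authorized to perform: <action> on resource: <arn>"
ACCESS_DENIED_RE = re.compile(
    r"User: (?P<principal>arn:aws:\S+) is not authorized to perform: "
    r"(?P<action>[\w-]+:\w+) on resource: (?P<resource>arn:aws:\S+)"
)


def arn_account(arn: str) -> str:
    """The account ID is always the fifth colon-separated field of an ARN."""
    return arn.split(":")[4]


def diagnose(message: str) -> dict:
    """Decide whether the denied layer access is cross-account. If it is, no policy in the
    caller's own account can fix it: the layer owner's resource policy must allow it."""
    m = ACCESS_DENIED_RE.search(message)
    if not m:
        raise ValueError("not an IAM AccessDenied message")
    caller_account, layer_account = arn_account(m["principal"]), arn_account(m["resource"])
    return {"action": m["action"], "layer_arn": m["resource"],
            "caller_account": caller_account, "layer_account": layer_account,
            "cross_account": caller_account != layer_account}


def layer_permission_statement(layer_arn: str, consumer_account: str) -> dict:
    """Resource-policy statement the *layer owner* adds to the layer version
    (AddLayerVersionPermission) before another account may reference it."""
    return {"Sid": f"allow-{consumer_account}",  # hypothetical statement id
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{consumer_account}:root"},
            "Action": "lambda:GetLayerVersion",
            "Resource": layer_arn}


def owner_cli_command(layer_arn: str, consumer_account: str) -> str:
    """Equivalent AWS CLI call, run by the layer owner, that adds the statement above."""
    name, version = layer_arn.split(":")[6], layer_arn.split(":")[7]
    return (f"aws lambda add-layer-version-permission --layer-name {name} "
            f"--version-number {version} --statement-id allow-{consumer_account} "
            f"--action lambda:GetLayerVersion --principal {consumer_account}")
```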