Granting Lambda layer access to other accounts - AWS Lambda
Services or capabilities described in AWS documentation might vary by Region. To see the differences applicable to the AWS European Sovereign Cloud Region, see the AWS European Sovereign Cloud User Guide.

Granting Lambda layer access to other accounts

To share a layer with another AWS account, add a cross-account permissions statement to the layer's resource-based policy. Run the add-layer-version-permission command and specify the account ID as the principal. In each statement, you can grant permission to a single account, all accounts, or an organization in AWS Organizations.

The following example grants account 111122223333 access to version 2 of the bash-runtime layer.

aws lambda add-layer-version-permission \
    --layer-name bash-runtime \
    --version-number 2 \
    --statement-id xaccount \
    --action lambda:GetLayerVersion \
    --principal 111122223333 \
    --output text

You should see output similar to the following:

{"Sid":"xaccount","Effect":"Allow","Principal":{"AWS":"arn:aws-eusc:iam::111122223333:root"},"Action":"lambda:GetLayerVersion","Resource":"arn:aws-eusc:lambda:eusc-de-east-1:123456789012:layer:bash-runtime:2"}

Permissions apply only to a single layer version. Repeat the process each time that you create a new layer version.

To grant permission to all accounts in an AWS Organizations organization, use the organization-id option. The following example grants all accounts in organization o-t194hfs8cz permission to use version 3 of my-layer.

aws lambda add-layer-version-permission \
    --layer-name my-layer \
    --version-number 3 \
    --statement-id engineering-org \
    --principal '*' \
    --action lambda:GetLayerVersion \
    --organization-id o-t194hfs8cz \
    --output text

You should see the following output:

{"Sid":"engineering-org","Effect":"Allow","Principal":"*","Action":"lambda:GetLayerVersion","Resource":"arn:aws-eusc:lambda:eusc-de-east-1:123456789012:layer:my-layer:3","Condition":{"StringEquals":{"aws:PrincipalOrgID":"o-t194hfs8cz"}}}

To grant permission to multiple accounts or organizations, you must add multiple statements.
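Because each statement can grant access to a single account, an organization, or all accounts, it helps to review what a layer version's policy actually allows. The following Python sketch is an added example, not part of the AWS documentation: it classifies each statement by scope and flags a `"*"` principal that has no `aws:PrincipalOrgID` condition. The function names and the sample policy (including the `open-to-all` statement) are constructed for illustration.

```python
import json

# Constructed sample of the "Policy" string returned by
# `aws lambda get-layer-version-policy`. The first two statements mirror the
# shapes shown on this page; "open-to-all" is a constructed unscoped grant.
RES = "arn:aws-eusc:lambda:eusc-de-east-1:123456789012:layer:bash-runtime:2"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Id": "default", "Statement": [
    {"Sid": "xaccount", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws-eusc:iam::111122223333:root"},
     "Action": "lambda:GetLayerVersion", "Resource": RES},
    {"Sid": "engineering-org", "Effect": "Allow", "Principal": "*",
     "Action": "lambda:GetLayerVersion", "Resource": RES,
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-t194hfs8cz"}}},
    {"Sid": "open-to-all", "Effect": "Allow", "Principal": "*",
     "Action": "lambda:GetLayerVersion", "Resource": RES},
]})


def org_restriction(statement):
    """Return the org ID a statement is pinned to, or None if unrestricted."""
    equals = statement.get("Condition", {}).get("StringEquals", {})
    for key, value in equals.items():
        if key.lower() == "aws:principalorgid":  # condition keys are case-insensitive
            return value
    return None


def classify(statement):
    """Map one statement to (sid, scope, who); scope is account/organization/public."""
    sid = statement.get("Sid", "")
    principal = statement.get("Principal")
    if isinstance(principal, dict):
        principal = principal.get("AWS")
    if principal == "*":
        org = org_restriction(statement)
        return (sid, "organization", org) if org else (sid, "public", "*")
    arns = principal if isinstance(principal, list) else [principal]
    # Account ID is the fifth field of arn:<partition>:iam::<account>:root
    accounts = ",".join(a.split(":")[4] if a.startswith("arn:") else a
                        for a in map(str, arns))
    return (sid, "account", accounts)


def audit(policy_json):
    """Classify every Allow statement in a layer-version policy document."""
    statements = json.loads(policy_json)["Statement"]
    return [classify(s) for s in statements if s.get("Effect") == "Allow"]


if __name__ == "__main__":
    for sid, scope, who in audit(SAMPLE_POLICY):
        print(f"{'REVIEW' if scope == 'public' else 'ok':6} {sid}: {scope} {who}")
```

To check a real layer version, pass `audit` the `Policy` field from `aws lambda get-layer-version-policy`; an unwanted statement can be dropped with `aws lambda remove-layer-version-permission` and its `--statement-id`.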