aws / serverless-application-model

The AWS Serverless Application Model (AWS SAM) transform is an AWS CloudFormation macro that transforms SAM templates into CloudFormation templates.
https://aws.amazon.com/serverless/sam
Apache License 2.0

RFC: Permissions for LayerVersions #698

Closed keetonian closed 9 months ago

keetonian commented 5 years ago

Background

The ability to share Layers will be integral to their use for any organization or group of teams, or even between individuals. Adding permissions to layer versions is a process that SAM could make easier than it would be in native CloudFormation. This design proposes a new Permissions field in the AWS::Serverless::LayerVersion resource that helps create AWS::Lambda::LayerVersionPermission objects for LayerVersions.

Syntax Proposal

Pros:

Cons:

Example Template

Input yaml:

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Resources:
  MyLayer:
    Type: AWS::Serverless::LayerVersion
    Properties:
      ContentUri: ./my-layer.zip
      Permissions: # list of permissions objects
        -
          Principal: # string or list
            - arn:aws:iam::123123123123:user/James
            - arn:aws:iam::123456789012:user/Brett
          OrganizationId: o-eqqyngyzfx # string or list
          Action: lambda:GetLayerVersion # string or list
        -
          Principal: # string or list
            - arn:aws:iam::123456789012:user/Brett
          Action: lambda:ListLayerVersions # string or list

Output JSON:

{
  "Resources": {
    "MyLayerHash123": {
      "Type": "AWS::Lambda::LayerVersion",
      "DeletionPolicy": "Retain",
      "Properties": {
        "LayerName": "MyLayer",
        "Content": {
          "S3Bucket": "my-bucket",
          "S3Key": "my-layer.zip"
        }
      }
    },
    "MyLayerHash123Permission1": {
      "Type": "AWS::Lambda::LayerVersionPermission",
      "DeletionPolicy": "Retain",
      "Properties": {
        "Action": "lambda:GetLayerVersion",
        "LayerVersionArn": {
          "Ref": "MyLayerHash123"
        },
        "Principal": "arn:aws:iam::123456789012:user/Brett"
      }
    },
    "MyLayerHash123Permission2": {
      "Type": "AWS::Lambda::LayerVersionPermission",
      "DeletionPolicy": "Retain",
      "Properties": {
        "Action": "lambda:GetLayerVersion",
        "LayerVersionArn": {
          "Ref": "MyLayerHash123"
        },
        "Principal": "arn:aws:iam::123123123123:user/James"
      }
    },
    "MyLayerHash123Permission3": {
      "Type": "AWS::Lambda::LayerVersionPermission",
      "DeletionPolicy": "Retain",
      "Properties": {
        "Action": "lambda:GetLayerVersion",
        "LayerVersionArn": {
          "Ref": "MyLayerHash123"
        },
        "Principal": "*",
        "OrganizationId": "o-eqqyngyzfx"
      }
    },
    "MyLayerHash123Permission4": {
      "Type": "AWS::Lambda::LayerVersionPermission",
      "DeletionPolicy": "Retain",
      "Properties": {
        "Action": "lambda:ListLayerVersions",
        "LayerVersionArn": {
          "Ref": "MyLayerHash123"
        },
        "Principal": "arn:aws:iam::123456789012:user/Brett"
      }
    }
  }
}

Permissions is also a field that can be used in the AWS::Serverless::LayerVersion Globals section, setting permissions for all of the layers in a SAM template. In this example, the users specified in the Globals section would be granted permissions to all the layers in the template, resulting in 4 AWS::Lambda::LayerVersionPermission resources (2 for each layer):

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Globals:
  LayerVersion:
    Permissions:
      -
        Principal:
          - arn:aws:iam::123456789012:user/Brett
          - arn:aws:iam::123123123123:user/James
        Action: lambda:GetLayerVersion
        # OrganizationId: 
Resources:
  MyLayer:
    Type: AWS::Serverless::LayerVersion
    Properties:
      ContentUri: ./my-layer
  MyOtherLayer:
    Type: AWS::Serverless::LayerVersion
    Properties:
      ContentUri: ./my-other-layer

FAQ

  1. Should updating the Permissions property trigger an update to the LayerVersion (even if nothing else was updated), or just update permissions?
    • It will always trigger a new version: doing so will avoid deleting old LayerVersionPermission objects assigned to the current version of a layer and reduce complexity and developer confusion (any update == new version).
  2. Will SAM support managing permissions on older versions of a layer?
    • No. SAM will not explicitly support updating permissions on older versions of a layer. This would be best managed via the Lambda API or AWS CLI.
  3. Will SAM support managing permissions for a range of layer versions?
    • No. SAM will only manage permissions on the latest version of a layer.

Links
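The expansion this RFC proposes, as an added Python example that is not SAM's own code: it turns each layer's Permissions list (string-or-list Principal, OrganizationId and Action, plus the Globals entries) into AWS::Lambda::LayerVersionPermission resources the way the output JSON above shows, and flags grants that would leave a layer readable by any AWS account. It assumes the layer keeps its SAM logical id (the hash suffix and ContentUri handling are left to the existing SAM layer transform) and numbers permissions in input order.

```python
import copy

def _as_list(value):
    """The RFC allows 'string or list' for Principal, OrganizationId and Action."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]

def expand_layer_permissions(layer_id, permissions, deletion_policy="Retain"):
    """One LayerVersionPermission per (Action, Principal) pair, numbered in input
    order; an OrganizationId becomes a Principal "*" grant scoped to that org."""
    resources, n = {}, 1
    for entry in permissions:
        actions = _as_list(entry.get("Action"))
        grants = [{"Principal": p} for p in _as_list(entry.get("Principal"))]
        grants += [{"Principal": "*", "OrganizationId": o}
                   for o in _as_list(entry.get("OrganizationId"))]
        if not actions or not grants:
            raise ValueError("Permissions entry needs Action and Principal/OrganizationId")
        for action in actions:
            for grant in grants:
                resources[f"{layer_id}Permission{n}"] = {
                    "Type": "AWS::Lambda::LayerVersionPermission",
                    "DeletionPolicy": deletion_policy,
                    "Properties": {"Action": action,
                                   "LayerVersionArn": {"Ref": layer_id}, **grant},
                }
                n += 1
    return resources

def transform_template(template):
    """Expand every AWS::Serverless::LayerVersion, prepending Globals.LayerVersion
    permissions. Assumption: the layer keeps its SAM logical id (no hash suffix)."""
    out = copy.deepcopy(template)
    global_perms = template.get("Globals", {}).get("LayerVersion", {}).get("Permissions", [])
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::Serverless::LayerVersion":
            continue
        perms = global_perms + res.get("Properties", {}).get("Permissions", [])
        out["Resources"][logical_id].get("Properties", {}).pop("Permissions", None)
        out["Resources"].update(expand_layer_permissions(logical_id, perms))
    return out

def public_grants(resources):
    """Review check: Principal "*" with no OrganizationId is readable by every AWS account."""
    return sorted(k for k, r in resources.items()
                  if r.get("Type") == "AWS::Lambda::LayerVersionPermission"
                  and r["Properties"].get("Principal") == "*"
                  and "OrganizationId" not in r["Properties"])
```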

chizou commented 5 years ago

This looks good to me. When is this feature expected to be released?