bakdata / aws-lambda-r-runtime

Serverless execution of R code on AWS Lambda
https://medium.com/bakdata/running-r-on-aws-lambda-9d40643551a6
MIT License

AccessDeniedException when calling the ListLayerVersions operation #49

Open tylercd100 opened 4 years ago

tylercd100 commented 4 years ago

When trying to run:

aws lambda list-layer-versions --max-items 1 --no-paginate --layer-name arn:aws:lambda:us-east-1:131329294410:layer:r-runtime-3_6_0  --query 'LayerVersions[0].LayerVersionArn' --output text

I get this error

An error occurred (AccessDeniedException) when calling the ListLayerVersions operation: 
User: arn:aws:iam::273907563187:user/tyler is not authorized to perform: 
lambda:ListLayerVersions on resource: arn:aws:lambda:us-east-1:131329294410:layer:r-runtime-3_6_0

Did something change recently? I have been able to run this before without any issue.

plukevdh commented 4 years ago

Getting the same. Seems like the last publish might have messed with the image permissions?

philipp94831 commented 4 years ago

Hi, thanks for reporting. We are unsure why this happens; it seems that something on the AWS side has changed, as this project hasn't been touched for a while. We hope that we will come up with a solution soon! In the meantime, you can build the layer yourself so you don't need to rely on our provided layer.

philipp94831 commented 4 years ago

Hi @plukevdh and @tylercd100, we investigated the issue and it seems that the AWS API does not grant permissions for this command anymore for accounts outside our own AWS account. Therefore, we updated the README. To get an up-to-date list of the latest layer version in each region, please have a look at the Travis CI build log. For R 3.6.0, the latest version is usually arn:aws:lambda:$region:131329294410:layer:r-runtime-3_6_0:13. Sorry for the troubles.

ed-sparkes commented 4 years ago

Hi,

Just hit this issue, made worse by the fact that I am using the Serverless Framework, which seems to require the permission to use the layer at all.

Looking at the docs, it seems possible to make it available for all AWS accounts though ...

https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html#permissions-resource-xaccountlayer

To grant permission to all AWS accounts, use * for the principal, and omit the organization ID. For multiple accounts or organizations, add multiple statements.

Might be worth looking into. Longer term I think I should probably copy the layer into my own account, but if you could look into the above it would be massively helpful in the short term.

Thanks, Ed

philipp94831 commented 4 years ago

Hi @ed-sparkes, you can still use our layer (see my comment or the README). You just can't list the versions and thus easily find out which is the latest one.

ed-sparkes commented 4 years ago

Unfortunately, the way serverless.com implements layers, it seems to need a call to list versions, and I am using that as my framework for my serverless project.
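The workaround discussed in this thread (pin a full layer version ARN, or copy the layer into your own account) can be scripted as below. This is an added example, not code from the thread or from the bakdata project. It assumes the publisher still allows lambda:GetLayerVersion on the pinned version, as the maintainer's reply implies; the function names are hypothetical, while the layer name, account ID and version pattern are the ones quoted above.

```sh
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Pinned ARN for a region/version, following the maintainer's pattern.
layer_version_arn() {
  printf 'arn:aws:lambda:%s:131329294410:layer:r-runtime-3_6_0:%s\n' "$1" "$2"
}

# True only for a layer *version* ARN (numeric suffix). A bare layer ARN is
# what makes tooling fall back to ListLayerVersions, which is denied here.
is_pinned_layer_arn() {
  printf '%s\n' "$1" |
    grep -Eq '^arn:aws:lambda:[a-z0-9-]+:[0-9]{12}:layer:[A-Za-z0-9_-]+:[0-9]+$'
}

# Region field of an ARN (fourth colon-separated component).
arn_region() { printf '%s\n' "$1" | cut -d: -f4; }

# Copy a pinned public layer version into the caller's own account.
# Runs in a subshell, so "exit" only leaves this function.
copy_layer() (  # usage: copy_layer <pinned-arn> <new-layer-name>
  arn=$1 name=$2
  is_pinned_layer_arn "$arn" || { echo "not a pinned ARN: $arn" >&2; exit 2; }
  region=$(arn_region "$arn")
  # Needs only lambda:GetLayerVersion on the publisher's version.
  meta=$(aws lambda get-layer-version-by-arn --region "$region" --arn "$arn" \
    --query '[Content.Location, Content.CodeSha256]' --output text) || exit 1
  url=$(printf '%s\n' "$meta" | cut -f1)
  want=$(printf '%s\n' "$meta" | cut -f2)
  zip=$(mktemp) || exit 1
  trap 'rm -f "$zip"' EXIT
  curl -fsS -o "$zip" "$url" || exit 1
  # CodeSha256 is the base64 SHA-256 of the archive; refuse a mismatch.
  got=$(openssl dgst -sha256 -binary "$zip" | openssl base64)
  [ "$got" = "$want" ] || { echo "hash mismatch for $arn" >&2; exit 3; }
  # Publish under your own account, where your IAM policy governs listing.
  aws lambda publish-layer-version --region "$region" --layer-name "$name" \
    --zip-file "fileb://$zip" --query LayerVersionArn --output text
)
```

Calling `copy_layer "$(layer_version_arn us-east-1 13)" my-r-runtime` prints the ARN of the copy; the layer name `my-r-runtime` is a placeholder.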