chrome-aws-lambda:45 because no resource-based policy allows the lambda:GetLayerVersion action

[omizha]

Version

5.39.6

Operating System

MacOS Sonoma 14.4.1

Browser

Chrome

What are the steps to reproduce this bug?

Following the instructions on the Webiny documentation here, I attempted to deploy using yarn webiny deploy in the ap-northeast-2 region.

What is the expected behavior?

The deployment should complete successfully without errors.

What do you see instead?

The deployment fails during the website project application deployment phase. The following error is encountered:

error: 1 error occurred:
* creating Lambda Function (wby-ps-render-lambda-671d311): operation error Lambda: CreateFunction, https response error StatusCode: 403, RequestID: 843654d9-0542-4e87-a27b-9f26496ffefa, api error AccessDeniedException: User: arn:aws:iam::058264267608:user/webiny-cli is not authorized to perform: lambda:GetLayerVersion on resource: arn:aws:lambda:ap-northeast-2:764866452798:layer:chrome-aws-lambda:45 because no resource-based policy allows the lambda:GetLayerVersion action

A more detailed log can be found below:

❯ yarn webiny deploy
webiny info: Deploying Core project application...
webiny info: Running "hook-before-build" hook...
webiny success: Hook "hook-before-build" completed.
webiny info: No packages to build...
webiny info: Running "hook-after-build" hook...
webiny success: Hook "hook-after-build" completed.

webiny info: Running "hook-before-deploy" hook...
webiny info: Using profile default in ap-northeast-2 region.
webiny success: Hook "hook-before-deploy" completed.

webiny info: Deploying...

Updating (dev):

@ updating....
    pulumi:pulumi:Stack core-dev running
@ updating.....
    aws:cloudwatch:EventBus wby-event-bus
    aws:s3:Bucket wby-fm-bucket
    aws:dynamodb:Table wby-webiny
    aws:cognito:UserPool wby-user-pool
    aws:s3:BucketPublicAccessBlock wby-fm-bucket-block-public-access
    aws:cognito:UserPoolClient wby-user-pool-client
    pulumi:pulumi:Stack core-dev
Outputs:
    cognitoAppClientId           : "2oe7p328do5879j4tm132fdn0u"
    cognitoUserPoolArn           : "arn:aws:cognito-idp:ap-northeast-2:058264267608:userpool/ap-northeast-2_U5b4CGU4X"
    cognitoUserPoolId            : "ap-northeast-2_U5b4CGU4X"
    cognitoUserPoolPasswordPolicy: {
        minimumLength                : 8
        requireLowercase             : false
        requireNumbers               : false
        requireSymbols               : false
        requireUppercase             : false
        temporaryPasswordValidityDays: 7
    }
    eventBusArn                  : "arn:aws:events:ap-northeast-2:058264267608:event-bus/wby-event-bus-847d7c3"
    eventBusName                 : "wby-event-bus-847d7c3"
    fileManagerBucketId          : "wby-fm-bucket-39ec0c1"
    primaryDynamodbTableArn      : "arn:aws:dynamodb:ap-northeast-2:058264267608:table/wby-webiny-73f9e3f"
    primaryDynamodbTableHashKey  : "PK"
    primaryDynamodbTableName     : "wby-webiny-73f9e3f"
    primaryDynamodbTableRangeKey : "SK"
    region                       : "ap-northeast-2"

Resources:
    7 unchanged

Duration: 4s

webiny success: Done! Deploy finished in 5.319s.

webiny info: Running "hook-after-deploy" hook...
webiny success: Hook "hook-after-deploy" completed.
webiny success: Core project application was deployed successfully!

webiny info: Deploying API project application...
webiny info: Running "hook-before-build" hook...
webiny success: Hook "hook-before-build" completed.
webiny info: Building api-graphql package...

Compiling graphql...
Compiled successfully in 33.578s.

webiny success: Successfully built api-graphql in 34.431s.
webiny info: Running "hook-after-build" hook...
webiny success: Hook "hook-after-build" completed.

webiny info: Running "hook-before-deploy" hook...
webiny info: Using profile default in ap-northeast-2 region.
webiny success: Hook "hook-before-deploy" completed.

webiny info: Deploying...

Updating (dev):

    pulumi:pulumi:Stack api-dev running
@ updating.........
 ~  aws:s3:BucketObject ./pbInstallation.zip updating (0s) [diff: ~source]
    aws:iam:Role wby-pb-export-lambda-role
    aws:iam:Policy wby-PbExportTaskLambdaPolicy
    aws:iam:RolePolicyAttachment wby-pb-export-lambda-role-default-execution-role
    aws:iam:RolePolicyAttachment wby-pb-export-lambda-role-policy
    aws:iam:Policy wby-ApwSchedulerExecuteActionLambdaPolicy
    aws:iam:Policy wby-ImportLambdaPolicy
    aws:cloudwatch:EventRule wby-apw-scheduler-event-rule
    aws:iam:Role wby-apw-scheduler-execute-action-lambda-role
    aws:iam:Role wby-pb-import-lambda-role
    aws:iam:Role wby-apw-scheduler-schedule-action-lambda-role
    aws:iam:Policy wby-ApwSchedulerScheduleActionLambdaPolicy
    aws:iam:RolePolicyAttachment wby-apw-scheduler-execute-action-lambda-AWSLambdaBasicExecutionRole
    aws:iam:RolePolicyAttachment wby-apw-scheduler-execute-action-lambda-role-policy-attachment
    aws:iam:RolePolicyAttachment wby-apw-scheduler-schedule-action-lambda-AWSLambdaBasicExecutionRole
    aws:iam:RolePolicyAttachment wby-apw-scheduler-schedule-action-lambda-role-policy-attachment
    aws:iam:RolePolicyAttachment wby-pb-import-lambda-role-default-execution-role
    aws:iam:Role wby-api-lambda-role
    aws:iam:Policy wby-ApiGraphqlLambdaPolicy
    aws:iam:RolePolicyAttachment wby-pb-import-lambda-role-policy
    aws:iam:RolePolicyAttachment wby-api-lambda-role-default-execution-role
    aws:iam:RolePolicyAttachment wby-api-lambda-role-policy
 ~  aws:s3:BucketObject ./pbInstallation.zip updated (0.27s) [diff: ~source]
    aws:iam:Role wby-background-task-sfn-role
    aws:apigatewayv2:Api wby-api-gateway
    aws:iam:Role wby-migration-lambda-role
    aws:iam:Role wby-fm-lambda-role
    aws:iam:Policy wby-FileManagerLambdaPolicy
    aws:iam:Role wby-background-task-event-role
    aws:apigatewayv2:Stage wby-default
    aws:iam:RolePolicyAttachment wby-migration-lambda-role-policy
    aws:iam:RolePolicyAttachment wby-migration-lambda-role-default-execution-role
    aws:lambda:Function wby-apw-scheduler-execute-action-lambda
    aws:lambda:Function wby-pb-import-queue-process
    aws:iam:RolePolicyAttachment wby-fm-lambda-role-policy
    aws:cloudwatch:EventRule wby-background-task-event-rule
    aws:iam:RolePolicyAttachment wby-fm-lambda-role-default-execution-role
    aws:lambda:Function wby-pb-export-combine
    aws:cloudfront:Distribution wby-api-cloudfront
    aws:lambda:Function wby-data-migration
    aws:lambda:Function wby-fm-manage
    aws:lambda:Function wby-apw-scheduler-schedule-action-lambda
    aws:lambda:Function wby-pb-import-queue-create
    aws:lambda:Function wby-pb-export-process
    aws:dynamodb:TableItem api
    aws:lambda:Permission wby-fm-manage-s3-lambda-permission
    aws:lambda:Permission wby-eventTargetPermission
    aws:cloudwatch:EventTarget wby-apw-scheduler-event-rule-target
    aws:s3:BucketNotification wby-bucketNotification
    pulumi:pulumi:Stack api-dev running warning: Undefined value (dynamoDbElasticsearchTable) will not show as a stack output.
    aws:lambda:Function wby-graphql
    aws:apigatewayv2:Integration wby-cms-post
    aws:apigatewayv2:Integration wby-graphql-options
    aws:apigatewayv2:Integration wby-cms-options
    aws:lambda:Permission wby-allow-cms-options
    aws:lambda:Permission wby-allow-graphql-options
    aws:dynamodb:TableItem wby-apwSettings
    aws:apigatewayv2:Integration wby-graphql-post
    aws:lambda:Permission wby-allow-cms-post
    aws:lambda:Permission wby-allow-graphql-post
    aws:apigatewayv2:Route wby-cms-post
    aws:apigatewayv2:Route wby-graphql-options
    aws:apigatewayv2:Route wby-cms-options
    aws:apigatewayv2:Route wby-graphql-post
    aws:lambda:Function wby-fm-download
    aws:lambda:Function wby-background-task
    aws:lambda:Permission wby-allow-files-catch-all
    aws:lambda:Permission wby-allow-private-any
    aws:lambda:Permission wby-allow-files-any
    aws:apigatewayv2:Integration wby-files-catch-all
    aws:apigatewayv2:Integration wby-files-any
    aws:apigatewayv2:Integration wby-private-any
    aws:sfn:StateMachine wby-background-task-sfn
    aws:iam:Policy wby-background-task-sfn-policy
    aws:apigatewayv2:Route wby-files-catch-all
    aws:apigatewayv2:Route wby-files-any
    aws:apigatewayv2:Route wby-private-any
    aws:iam:Policy wby-background-task-event-policy
    aws:cloudwatch:EventTarget wby-background-task-event-target
    aws:iam:RolePolicyAttachment wby-background-task-sfn-rolePolicy
    aws:iam:RolePolicyAttachment wby-background-task-event-role-policy-attachment
    pulumi:pulumi:Stack api-dev  1 warning
Diagnostics:
  pulumi:pulumi:Stack (api-dev):
    warning: Undefined value (dynamoDbElasticsearchTable) will not show as a stack output.

Outputs:
    apiDomain                    : "d2asax2u8h51f6.cloudfront.net"
    apiUrl                       : "https://d2asax2u8h51f6.cloudfront.net"
    apwSchedulerEventRule        : "wby-apw-scheduler-event-rule-47718cb"
    apwSchedulerEventTargetId    : "wby-apw-scheduler-event-rule-target-64dc1fe"
    apwSchedulerExecuteAction    : "arn:aws:lambda:ap-northeast-2:058264267608:function:wby-apw-scheduler-execute-action-lambda-d78cedf"
    apwSchedulerScheduleAction   : "arn:aws:lambda:ap-northeast-2:058264267608:function:wby-apw-scheduler-schedule-action-lambda-5dbed79"
    backgroundTaskLambdaArn      : "arn:aws:lambda:ap-northeast-2:058264267608:function:wby-background-task-69aa8d8"
    backgroundTaskStepFunctionArn: "arn:aws:states:ap-northeast-2:058264267608:stateMachine:wby-background-task-sfn-bce096e"
    cloudfrontApiDomain          : "d2asax2u8h51f6.cloudfront.net"
    cloudfrontApiUrl             : "https://d2asax2u8h51f6.cloudfront.net"
    cognitoAppClientId           : "2oe7p328do5879j4tm132fdn0u"
    cognitoUserPoolId            : "ap-northeast-2_U5b4CGU4X"
    cognitoUserPoolPasswordPolicy: {
        minimumLength                : 8
        requireLowercase             : false
        requireNumbers               : false
        requireSymbols               : false
        requireUppercase             : false
        temporaryPasswordValidityDays: 7
    }
    dynamoDbTable                : "wby-webiny-73f9e3f"
    graphqlLambdaName            : "wby-graphql-f2fc222"
    migrationLambdaArn           : "arn:aws:lambda:ap-northeast-2:058264267608:function:wby-data-migration-d4fd30a"
    region                       : "ap-northeast-2"

Resources:
    ~ 1 updated
    79 unchanged

Duration: 7s

webiny success: Done! Deploy finished in 43.657s.

webiny info: Running "hook-after-deploy" hook...
webiny info: Executing data migrations Lambda function...
Using "InteractiveCliStatusReporter".

To view detailed logs, visit the following AWS CloudWatch log stream:
https://ap-northeast-2.console.aws.amazon.com/cloudwatch/home?region=ap-northeast-2#logsV2:log-groups/log-group/$252Faws$252Flambda$252Fwby-data-migration-d4fd30a/log-events/2024$252F05$252F31$252F$255B$2524LATEST$255D7a487bb7722f45159d9d49c8ae181279

---------- MIGRATION LOGS START ----------

INIT_START Runtime Version: nodejs:18.v29   Runtime Version ARN: arn:aws:lambda:ap-northeast-2::runtime:5c2d7f0b914a9dbb8b6a6e3117c7950fa2b7434331c349799226fadd052f19a9
START RequestId: ace6e652-8834-4606-92be-1267f067f763 Version: $LATEST
[16:49:18.062] INFO: Project version is 5.39.6.
[16:49:18.067] INFO: Latest migration ID is 5.39.6-000.
[16:49:18.067] INFO: Using migrations in the range of 5.39.6-000 to 5.39.6-999.
[16:49:18.067] INFO: No migrations are enforced via WEBINY_MIGRATION_FORCE_EXECUTE environment variable.
[16:49:18.068] INFO: Found 0 applicable out of 17 available migration(s).
[16:49:18.078] INFO: Finished processing applicable migrations.
END RequestId: ace6e652-8834-4606-92be-1267f067f763
REPORT RequestId: ace6e652-8834-4606-92be-1267f067f763  Duration: 154.34 ms Billed Duration: 155 ms Memory Size: 3008 MB    Max Memory Used: 171 MB Init Duration: 879.85 ms
START RequestId: ecd28fc7-7963-467c-a325-562227ac6d45 Version: $LATEST
END RequestId: ecd28fc7-7963-467c-a325-562227ac6d45
REPORT RequestId: ecd28fc7-7963-467c-a325-562227ac6d45  Duration: 41.91 ms  Billed Duration: 42 ms  Memory Size: 3008 MB    Max Memory Used: 174 MB

---------- MIGRATION LOGS END ----------

webiny success: Data migration Lambda wby-data-migration-d4fd30a executed successfully!
webiny info: Migration run: 6659ff8ebf34910008a86eb0
webiny info: Status: done
webiny info: Started on: 2024-05-31T16:49:18.043Z
webiny info: Finished on: 2024-05-31T16:49:18.069Z
webiny info: [ not-applicable ] 5.35.0-001: Upgrade File Manager to use better PKs and `data` envelope.
webiny info: [ not-applicable ] 5.35.0-002: Move PB Settings attributes to a `data` envelope.
webiny info: [ not-applicable ] 5.35.0-003: Move admin users attributes to a `data` envelope.
webiny info: [ not-applicable ] 5.35.0-004: Move tenant attributes to a `data` envelope.
webiny info: [ not-applicable ] 5.35.0-005: Add singular and plural API names to the CMS Model entity
webiny info: [ not-applicable ] 5.35.0-006: ACO search record migration
webiny info: [ not-applicable ] 5.36.0-001: Migrate FmFile Data -> Create ACO Search Records
webiny info: [ not-applicable ] 5.37.0-001: Migrate Tenant Links Data
webiny info: [ not-applicable ] 5.37.0-002: Add default folderId to all CMS records.
webiny info: [ not-applicable ] 5.37.0-003: ACO Folder parentId migration
webiny info: [ not-applicable ] 5.37.0-004: Page Builder Pages search record migration
webiny info: [ not-applicable ] 5.37.0-005: Migrate File Manager data to Headless CMS records.
webiny info: [ not-applicable ] 5.38.0-001: Convert forms to multi-step forms.
webiny info: [ not-applicable ] 5.38.0-002: Convert forms to multi-step forms (form submissions).
webiny info: [ not-applicable ] 5.38.0-003: Compress block content, and add GSI1.
webiny info: [ not-applicable ] 5.39.0-001: Write new revision and entry-level on/by meta fields.
webiny info: [ not-applicable ] 5.39.0-002: Generate a metadata file for every File Manager file.

To view detailed logs, visit the following AWS CloudWatch log stream:
https://ap-northeast-2.console.aws.amazon.com/cloudwatch/home?region=ap-northeast-2#logsV2:log-groups/log-group/$252Faws$252Flambda$252Fwby-data-migration-d4fd30a/log-events/2024$252F05$252F31$252F$255B$2524LATEST$255D7a487bb7722f45159d9d49c8ae181279
webiny success: Hook "hook-after-deploy" completed.
webiny success: API project application was deployed successfully!

webiny info: Deploying Admin project application...
webiny info: Running "hook-before-build" hook...
webiny success: Hook "hook-before-build" completed.
webiny info: Building admin package...

ℹ Compiling Admin
✔ Admin: Compiled successfully in 46.75s
Compiled successfully.

File sizes after gzip:

  2.85 MB   build/static/js/747.05801185.js
  78.65 kB  build/static/js/816.83e3ed7d.chunk.js
  50.21 kB  build/static/js/686.7569b85d.chunk.js
  32.31 kB  build/static/js/750.43e7cbd5.chunk.js
  27.34 kB  build/static/css/main.4f7f30e4.css
  17.2 kB   build/static/js/main.44d7e1d6.js
  13.43 kB  build/static/css/747.660b93fb.css
  1.9 kB    build/static/js/runtime-main.d830ca98.js
  1.21 kB   build/static/js/appsAdminPluginsPageBuilderEditorPlugins.66db7a93.chunk.js
  521 B     build/static/js/appsAdminPluginsPageBuilderRenderPlugins.3a1bf6d3.chunk.js
The bundle size is significantly larger than recommended.
Consider reducing it with code splitting: https://goo.gl/9VhYWB
You can also analyze the project dependencies: https://goo.gl/LeUzfb

webiny success: Successfully built admin in 53.003s.
webiny info: Running "hook-after-build" hook...
webiny success: Hook "hook-after-build" completed.

webiny info: Running "hook-before-deploy" hook...
webiny info: Using profile default in ap-northeast-2 region.
webiny success: Hook "hook-before-deploy" completed.

webiny info: Deploying...

Updating (dev):

@ updating....
    pulumi:pulumi:Stack admin-dev running
@ updating........
    aws:cloudfront:OriginAccessIdentity wby-admin-app-origin-identity
    aws:s3:Bucket wby-admin-app
    aws:s3:BucketPublicAccessBlock wby-admin-app-bucket-block-access
    aws:cloudfront:Distribution wby-admin-app-cdn
    aws:s3:BucketPolicy wby-admin-app-bucket-policy
    aws:dynamodb:TableItem wby-adminSettings
    pulumi:pulumi:Stack admin-dev
Outputs:
    appDomain          : "d1kb3vldy596nf.cloudfront.net"
    appStorage         : "wby-admin-app-29f2d0c"
    appUrl             : "https://d1kb3vldy596nf.cloudfront.net"
    cloudfrontAppDomain: "d1kb3vldy596nf.cloudfront.net"
    cloudfrontAppUrl   : "https://d1kb3vldy596nf.cloudfront.net"

Resources:
    7 unchanged

Duration: 7s

webiny success: Done! Deploy finished in 61.937s.

webiny info: Running "hook-after-deploy" hook...
webiny info: Uploading React application...
webiny info: Skipping asset-manifest.json, already exists.
webiny info: Skipping favicons/favicon-16x16.png, already exists.
webiny info: Skipping index.html, already exists.
webiny info: Skipping favicons/android-chrome-192x192.png, already exists.
webiny info: Skipping favicons/apple-touch-icon.png, already exists.
webiny info: Skipping favicons/safari-pinned-tab.svg, already exists.
webiny info: Skipping manifest.json, already exists.
webiny info: Skipping favicons/favicon-32x32.png, already exists.
webiny info: Skipping static/js/750.43e7cbd5.chunk.js.LICENSE.txt, already exists.
webiny info: Skipping favicons/browserconfig.xml, already exists.
webiny info: Skipping static/css/main.4f7f30e4.css, already exists.
webiny info: Skipping static/css/747.660b93fb.css, already exists.
webiny info: Skipping static/js/686.7569b85d.chunk.js, already exists.
webiny info: Skipping favicons/favicon.ico, already exists.
webiny info: Skipping favicons/mstile-150x150.png, already exists.
webiny info: Skipping static/js/747.05801185.js.LICENSE.txt, already exists.
webiny info: Skipping static/js/appsAdminPluginsPageBuilderEditorPlugins.66db7a93.chunk.js, already exists.
webiny info: Skipping static/js/750.43e7cbd5.chunk.js, already exists.
webiny info: Skipping static/js/816.83e3ed7d.chunk.js, already exists.
webiny info: Skipping static/js/747.05801185.js, already exists.
webiny info: Skipping static/js/main.44d7e1d6.js, already exists.
webiny info: Skipping static/media/editor-mock.ca1d2ee0.png, already exists.
webiny info: Skipping static/js/appsAdminPluginsPageBuilderRenderPlugins.3a1bf6d3.chunk.js, already exists.
webiny info: Skipping static/media/chat-square-quote.4a9fd2d2.svg, already exists.
webiny info: Skipping static/media/font-color.3901a96e.svg, already exists.
webiny info: Skipping static/media/chevron-down.545359f3.svg, already exists.
webiny info: Skipping static/js/runtime-main.d830ca98.js, already exists.
webiny info: Skipping static/media/indent.781d093c.svg, already exists.
webiny info: Skipping static/js/main.44d7e1d6.js.LICENSE.txt, already exists.
webiny info: Skipping static/media/insert-image.2d583a6e.svg, already exists.
webiny info: Skipping static/media/code.4986f368.svg, already exists.
webiny info: Skipping static/media/list-ol.868adeca.svg, already exists.
webiny info: Skipping static/media/justify.f81eafb1.svg, already exists.
webiny info: Skipping static/media/preview.af4931cc.png, already exists.
webiny info: Skipping static/media/pencil-fill.bac5081f.svg, already exists.
webiny info: Skipping static/media/list-ul.f300c42c.svg, already exists.
webiny info: Skipping static/media/link.26e24b3c.svg, already exists.
webiny info: Skipping static/media/text-center.2ac250c6.svg, already exists.
webiny info: Skipping static/media/outdent.46885096.svg, already exists.
webiny info: Skipping static/media/text-left.ceba973e.svg, already exists.
webiny info: Skipping static/media/type-strikethrough.efdbbf77.svg, already exists.
webiny info: Skipping static/media/type-bold.d35d70c1.svg, already exists.
webiny info: Skipping static/media/undraw-uploading.0f72cc3b.svg, already exists.
webiny info: Skipping static/media/type-italic.6d77581f.svg, already exists.
webiny info: Skipping static/media/type-underline.cc385ad0.svg, already exists.
webiny info: Skipping static/media/text-right.c19b6fbc.svg, already exists.
webiny info: Skipping static/media/unlink_icon.d4c8ca44.svg, already exists.
webiny info: Skipping static/media/undraw_export_files.a0a4fdfb.svg, already exists.
webiny success: React application successfully uploaded in 3.438s.
webiny success: Hook "hook-after-deploy" completed.
webiny success: Admin project application was deployed successfully!

webiny info: Deploying Website project application...
webiny info: Running "hook-before-build" hook...
webiny success: Hook "hook-before-build" completed.
webiny info: Building website package...

ℹ Compiling Website
✔ Website: Compiled successfully in 23.38s
Compiled successfully.

File sizes after gzip:

  1.42 MB   build/static/js/144.3fc28edd.js
  17.07 kB  build/static/js/main.ad200d53.js
  10.87 kB  build/static/css/144.046bf088.css
  1.15 kB   build/static/js/runtime-main.24555177.js
  940 B     build/static/css/main.951d5680.css
The bundle size is significantly larger than recommended.
Consider reducing it with code splitting: https://goo.gl/9VhYWB
You can also analyze the project dependencies: https://goo.gl/LeUzfb

webiny success: Successfully built website in 29.337s.
webiny info: Running "hook-after-build" hook...
webiny success: Hook "hook-after-build" completed.

webiny info: Running "hook-before-deploy" hook...
webiny info: Using profile default in ap-northeast-2 region.
webiny success: Hook "hook-before-deploy" completed.

webiny info: Deploying...

Updating (dev):

    pulumi:pulumi:Stack website-dev running
@ updating.........
    aws:cloudfront:OriginAccessIdentity wby-app-origin-identity
    aws:cloudfront:OriginAccessIdentity wby-delivery-origin-identity
    aws:s3:Bucket wby-app
    aws:s3:Bucket wby-delivery
    aws:cloudfront:Function wby-cfViewerRequest
    aws:sqs:Queue wby-ps-render-queue
    aws:s3:BucketPublicAccessBlock wby-app-bucket-block-access
    aws:s3:BucketPolicy wby-app-bucket-policy
    aws:cloudfront:Distribution wby-app
    aws:s3:BucketPublicAccessBlock wby-delivery-bucket-block-access
    aws:s3:BucketPolicy wby-delivery-bucket-policy
    aws:cloudfront:Distribution wby-delivery
    aws:cloudwatch:EventRule wby-ps-render-subscriber-event-rule
 +  aws:dynamodb:TableItem wby-psSettings creating (0s)
 +  aws:iam:Policy wby-ps-lambda-policy creating (0s)
    aws:iam:Role wby-ps-flush-lambda-role
    aws:iam:Role wby-ps-render-subscriber-role
    aws:iam:Role wby-ps-render-lambda-role
    aws:cloudwatch:EventRule wby-ps-flush-event-rule
    aws:iam:RolePolicyAttachment wby-ps-render-lambda-role-default-execution-role
    aws:iam:RolePolicyAttachment wby-ps-flush-lambda-role-default-execution-role
    aws:iam:RolePolicyAttachment wby-ps-render-subscriber-role-default-execution-role
    aws:iam:RolePolicyAttachment wby-ps-render-lambda-role-execution-role
    aws:lambda:Function wby-ps-render-subscriber-lambda
    aws:lambda:Function wby-ps-flush-lambda
 +  aws:lambda:Function wby-ps-render-lambda creating (0s)
    aws:cloudwatch:EventTarget wby-ps-render-subscriber-event-target
    aws:lambda:Permission wby-ps-render-subscriber-event-permission
    aws:cloudwatch:EventTarget wby-ps-flush-event-target
    aws:lambda:Permission wby-ps-flush-event-permission
 +  aws:dynamodb:TableItem wby-psSettings created (0.12s)
 +  aws:lambda:Function wby-ps-render-lambda creating (0s) error: 1 error occurred:
 +  aws:lambda:Function wby-ps-render-lambda **creating failed** error: 1 error occurred:
@ updating....
 +  aws:iam:Policy wby-ps-lambda-policy created (1s)
@ updating....
    pulumi:pulumi:Stack website-dev running error: update failed
    pulumi:pulumi:Stack website-dev **failed** 1 error
Diagnostics:
  pulumi:pulumi:Stack (website-dev):
    error: update failed

  aws:lambda:Function (wby-ps-render-lambda):
    error: 1 error occurred:
        * creating Lambda Function (wby-ps-render-lambda-671d311): operation error Lambda: CreateFunction, https response error StatusCode: 403, RequestID: 843654d9-0542-4e87-a27b-9f26496ffefa, api error AccessDeniedException: User: arn:aws:iam::058264267608:user/webiny-cli is not authorized to perform: lambda:GetLayerVersion on resource: arn:aws:lambda:ap-northeast-2:764866452798:layer:chrome-aws-lambda:45 because no resource-based policy allows the lambda:GetLayerVersion action

Outputs:
  + appDomain               : "dli77z1a246ih.cloudfront.net"
  + appId                   : "E39AZTOSBNYSL1"
  + appStorage              : "wby-app-745e541"
  + appUrl                  : "https://dli77z1a246ih.cloudfront.net"
  + cloudfrontAppDomain     : "dli77z1a246ih.cloudfront.net"
  + cloudfrontAppUrl        : "https://dli77z1a246ih.cloudfront.net"
  + cloudfrontDeliveryDomain: "dtp16fk59k51c.cloudfront.net"
  + cloudfrontDeliveryUrl   : "https://dtp16fk59k51c.cloudfront.net"
  + deliveryDomain          : "dtp16fk59k51c.cloudfront.net"
  + deliveryId              : "E1P16VII3N53Y3"
  + deliveryStorage         : "wby-delivery-eb74fbb"
  + deliveryUrl             : "https://dtp16fk59k51c.cloudfront.net"

Resources:
    + 2 created
    28 unchanged

Duration: 8s

webiny error: Command failed with exit code 255: /Users/hajeonghun/Projects/webiny-app/.webiny/pulumi-cli/darwin/pulumi/pulumi up --yes --skip-preview --secrets-provider passphrase --non-interactive
webiny debug:  Error: Command failed with exit code 255: /Users/hajeonghun/Projects/webiny-app/.webiny/pulumi-cli/darwin/pulumi/pulumi up --yes --skip-preview --secrets-provider passphrase --non-interactive
    at makeError (/Users/hajeonghun/Projects/webiny-app/node_modules/execa/lib/error.js:60:11)
    at handlePromise (/Users/hajeonghun/Projects/webiny-app/node_modules/execa/index.js:118:26)
    at processTicksAndRejections (node:internal/process/task_queues:95:5)
    at command (/Users/hajeonghun/Projects/webiny-app/node_modules/@webiny/cli-plugin-deploy-pulumi/commands/deploy.js:86:17)
    at Object.handler (/Users/hajeonghun/Projects/webiny-app/node_modules/@webiny/cli-plugin-deploy-pulumi/commands/index.js:64:21) {
  shortMessage: 'Command failed with exit code 255: /Users/hajeonghun/Projects/webiny-app/.webiny/pulumi-cli/darwin/pulumi/pulumi up --yes --skip-preview --secrets-provider passphrase --non-interactive',
  command: '/Users/hajeonghun/Projects/webiny-app/.webiny/pulumi-cli/darwin/pulumi/pulumi up --yes --skip-preview --secrets-provider passphrase --non-interactive',
  escapedCommand: '"/Users/hajeonghun/Projects/webiny-app/.webiny/pulumi-cli/darwin/pulumi/pulumi" up --yes --skip-preview --secrets-provider passphrase --non-interactive',
  exitCode: 255,
  signal: undefined,
  signalDescription: undefined,
  stdout: undefined,
  stderr: '',
  failed: true,
  timedOut: false,
  isCanceled: false,
  killed: false
}

webiny error: Command failed with exit code 1: yarn webiny deploy apps/website --env dev --debug false --build true --preview false

Additional information

• The deployment logs indicate that the webiny-cli user does not have the necessary permissions to perform lambda:GetLayerVersion on the specified resource.
• The error occurs specifically during the creation of the wby-ps-render-lambda function.

Possible solution

I plan to upload the chrome-aws-lambda layer to Lambda directly. How can I set the arn:aws:lambda:ap-northeast-2:764866452798:layer:chrome-aws-lambda:45 ? Where in the code should I make this change? Can I edit the code to achieve this?

[Pavel910]

Hey @omizha, as ap-east-1 is an opt-in region, it was not enabled in our account, and neither was the Chromium layer (which is hosted by the maintainer of the library).

So, we just published these layers all in the Webiny account, and these will be shipped in 5.39.7, and 5.40.0 releases. Layer ARNs are as follows:

• Sharp layer ARN: arn:aws:lambda:ap-east-1:632417926021:layer:sharp:1
• Chromium layer ARN: arn:aws:lambda:ap-east-1:632417926021:layer:chromium:1

Now, to inject these into your current project, the easiest way would be to create a yarn patch, add add these arns for ap-east-1 region to our package. It's easier than doing it via Pulumi.

Instructions:

• In your project, run yarn patch @webiny/aws-layers
• open the temporary directory shown to you by yarn, and edit the layers.json file
• add the ARNs I provided above, like this:
• commit the patch using the command printed by yarn

Once done, you will have a git patch looking like this applied to our package every time you install the deps:

diff --git a/layers.json b/layers.json
index d3d18b84c0e225c0ced70bc222d3dec43dbec012..393e9986562300fd84547123f23af75b3d8c1094 100644
--- a/layers.json
+++ b/layers.json
@@ -33,7 +33,8 @@
     "us-east-1": "arn:aws:lambda:us-east-1:764866452798:layer:chrome-aws-lambda:45",
     "us-east-2": "arn:aws:lambda:us-east-2:764866452798:layer:chrome-aws-lambda:45",
     "us-west-1": "arn:aws:lambda:us-west-1:764866452798:layer:chrome-aws-lambda:45",
-    "us-west-2": "arn:aws:lambda:us-west-2:764866452798:layer:chrome-aws-lambda:45"
+    "us-west-2": "arn:aws:lambda:us-west-2:764866452798:layer:chrome-aws-lambda:45",
+    "ap-east-1": "arn:aws:lambda:ap-east-1:632417926021:layer:chromium:1"
   },
   "sharp": {
     "us-east-1": "arn:aws:lambda:us-east-1:632417926021:layer:sharp:11",
@@ -51,6 +52,7 @@
     "eu-west-2": "arn:aws:lambda:eu-west-2:632417926021:layer:sharp:3",
     "eu-west-3": "arn:aws:lambda:eu-west-3:632417926021:layer:sharp:2",
     "eu-north-1": "arn:aws:lambda:eu-north-1:632417926021:layer:sharp:2",
-    "sa-east-1": "arn:aws:lambda:sa-east-1:632417926021:layer:sharp:2"
+    "sa-east-1": "arn:aws:lambda:sa-east-1:632417926021:layer:sharp:2",
+    "ap-east-1": "arn:aws:lambda:ap-east-1:632417926021:layer:sharp:1"
   }
 }

Don't forget to add !.yarn/patches to your .gitignore file, and commit this yarn patch to your repo.