This issue was moved to a discussion.

RFC: Permissions for LayerVersions #698

Closed
keetonian opened this issue Dec 3, 2018 · 1 comment

Labels
area/resource/layer-version maintainer/need-response stage/needs-feedback Needs feedback from the community (are you also interested in/experiencing this?) type/rfc

Comments

@keetonian
Contributor

Background

The ability to share Layers will be integral to their use for any organization or group of teams, or even between individuals. Adding permissions to layer versions is a process that SAM could make easier than it would be in native CloudFormation. This design proposes a new Permissions field in the AWS::Serverless::LayerVersion resource that helps create AWS::Lambda::LayerVersionPermission objects for LayerVersions.

Syntax Proposal

Pros:

  • Reduce developer workload
  • Provide a convenient way to grant access permissions to layers upon layer creation

Cons:

  • Could quickly contribute to filling the 200 resource limit in CFN stacks.
    • These permissions will be expanded to one resource per permission and, if included in the globals section, be multiplied by the number of layers in a single SAM template.
    • This could easily balloon, but nested transforms will make this easy to manage. Just stick your layers in another template and use the LayerArns as the outputs.
  • Does not provide an easier way to add or remove permissions from existing layer versions

Example Template

Input yaml:

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Resources:
  MyLayer:
    Type: AWS::Serverless::LayerVersion
    Properties:
      ContentUri: ./my-layer.zip
      Permissions: # list of permissions objects
        -
          Principal: # string or list
            - arn:aws:iam::123123123123:user/James
            - arn:aws:iam::123456789012:user/Brett
          OrganizationId: o-eqqyngyzfx # string or list
          Action: lambda:GetLayerVersion # string or list
        -
          Principal: # string or list
            - arn:aws:iam::123456789012:user/Brett
          Action: lambda:ListLayerVersions # string or list

Output JSON:

{
  "Resources": {
    "MyLayerHash123": {
      "Type": "AWS::Lambda::LayerVersion",
      "DeletionPolicy": "Retain",
      "Properties": {
        "LayerName": "MyLayer",
        "Content": {
          "S3Bucket": "my-bucket",
          "S3Key": "my-layer.zip"
        }
      }
    },
    "MyLayerHash123Permission1": {
      "Type": "AWS::Lambda::LayerVersionPermission",
      "DeletionPolicy": "Retain",
      "Properties": {
        "Action": "lambda:GetLayerVersion",
        "LayerVersionArn": {
          "Ref": "MyLayerHash123"
        },
        "Principal": "arn:aws:iam::123456789012:user/Brett"
      }
    },
    "MyLayerHash123Permission2": {
      "Type": "AWS::Lambda::LayerVersionPermission",
      "DeletionPolicy": "Retain",
      "Properties": {
        "Action": "lambda:GetLayerVersion",
        "LayerVersionArn": {
          "Ref": "MyLayerHash123"
        },
        "Principal": "arn:aws:iam::123123123123:user/James"
      }
    },
    "MyLayerHash123Permission3": {
      "Type": "AWS::Lambda::LayerVersionPermission",
      "DeletionPolicy": "Retain",
      "Properties": {
        "Action": "lambda:GetLayerVersion",
        "LayerVersionArn": {
          "Ref": "MyLayerHash123"
        },
        "Principal": "*",
        "OrganizationId": "o-eqqyngyzfx"
      }
    },
    "MyLayerHash123Permission4": {
      "Type": "AWS::Lambda::LayerVersionPermission",
      "DeletionPolicy": "Retain",
      "Properties": {
        "Action": "lambda:ListLayerVersions",
        "LayerVersionArn": {
          "Ref": "MyLayerHash123"
        },
        "Principal": "arn:aws:iam::123456789012:user/Brett"
      }
    }
  }
}

Permissions are also a field that can be used in the AWS::Serverless::LayerVersion Globals section, setting permissions for all of the layers in a SAM template. In this example, the users specified in the globals section would be granted permissions to all the layers in the template, resulting in 4 AWS::Lambda::LayerVersionPermission resources (2 for each layer):

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Globals:
  LayerVersion:
    Permissions:
      -
        Principal:
          - arn:aws:iam::123456789012:user/Brett
          - arn:aws:iam::123123123123:user/James
        Action: lambda:GetLayerVersion
        # OrganizationId: 
Resources:
  MyLayer:
    Type: AWS::Serverless::LayerVersion
    Properties:
      ContentUri: ./my-layer
  MyOtherLayer:
    Type: AWS::Serverless::LayerVersion
    Properties:
      ContentUri: ./my-other-layer

FAQ

  1. Should updating the Permissions property trigger an update to the LayerVersion (even if nothing else was updated), or just update permissions?
    • It will always trigger a new version: doing so will avoid deleting old LayerVersionPermission objects assigned to the current version of a layer and reduce complexity and developer confusion (any update == new version).
  2. Will SAM support managing permissions on older versions of a layer?
    • No. SAM will not explicitly support updating permissions on older versions of a layer. This would be best managed via the Lambda API or AWS CLI.
  3. Will SAM support managing permissions for a range of layer versions?
    • No. SAM will only manage permissions on the latest version of a layer.

Links
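
To make the proposed expansion concrete, the following is an added Python sketch (not SAM's own transform code) that turns the Permissions list from the Example Template and the Globals example above into AWS::Lambda::LayerVersionPermission resources, and adds a check that flags grants with Principal "*" and no OrganizationId, which would make a layer version readable from any AWS account. It assumes no content-hash suffix on logical ids and leaves ContentUri untouched; the real transform rewrites both.

```python
LAYER_TYPE = "AWS::Serverless::LayerVersion"
PERM_TYPE = "AWS::Lambda::LayerVersionPermission"

def _as_list(value):
    # The RFC allows Principal, OrganizationId and Action to be a string or a list.
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]

def expand_layer_permissions(template):
    """Return a copy of the template with each SAM LayerVersion's Permissions list
    expanded into one LayerVersionPermission per (principal, action) pair.
    Globals.LayerVersion.Permissions are applied to every layer first. Assumed
    simplifications: logical ids get no content hash and ContentUri stays as-is."""
    global_perms = template.get("Globals", {}).get("LayerVersion", {}).get("Permissions", [])
    out = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != LAYER_TYPE:
            out[logical_id] = res
            continue
        props = dict(res.get("Properties", {}))
        perms = list(global_perms) + _as_list(props.pop("Permissions", None))
        out[logical_id] = {"Type": "AWS::Lambda::LayerVersion",
                           "DeletionPolicy": "Retain", "Properties": props}
        n = 0
        for perm in perms:
            # Explicit principals keep their ARN; an OrganizationId grant becomes
            # Principal "*" scoped by OrganizationId, as in the RFC's output JSON.
            grants = [(p, None) for p in _as_list(perm.get("Principal"))]
            grants += [("*", org) for org in _as_list(perm.get("OrganizationId"))]
            for action in _as_list(perm.get("Action")):
                for principal, org in grants:
                    n += 1
                    p = {"Action": action, "LayerVersionArn": {"Ref": logical_id},
                         "Principal": principal}
                    if org:
                        p["OrganizationId"] = org
                    out[f"{logical_id}Permission{n}"] = {"Type": PERM_TYPE,
                                                         "DeletionPolicy": "Retain",
                                                         "Properties": p}
    return {**template, "Resources": out}

def public_grants(template):
    """Logical ids of generated permissions that expose a layer to every AWS
    account: Principal '*' with no OrganizationId. Worth failing a CI check on."""
    return sorted(lid for lid, r in template["Resources"].items()
                  if r.get("Type") == PERM_TYPE
                  and r["Properties"].get("Principal") == "*"
                  and "OrganizationId" not in r["Properties"])
```

Run it over the parsed YAML (for example via yaml.safe_load) before deployment; a non-empty result from public_grants means the template is about to publish a layer to all accounts.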

@chizou

chizou commented Jul 24, 2019

This looks good to me. When is this feature expected to be released?

@mgrandis mgrandis added stage/needs-feedback Needs feedback from the community (are you also interested in/experiencing this?) and removed stage/request-for-comments labels Feb 11, 2021
@aws aws locked and limited conversation to collaborators Feb 7, 2024
@jfuss jfuss converted this issue into discussion #3534 Feb 7, 2024
