
Comments (14)

bongbang avatar bongbang commented on July 21, 2024

I see now. I'm supposed to build and upload the layer myself.

from psycopg2-lambda-layer.

revmischa avatar revmischa commented on July 21, 2024

Well no, it should be available to all... not sure what's wrong :/

(attached screenshot: screen shot 2019-02-16 at 10 34 38 am)


bongbang avatar bongbang commented on July 21, 2024

Did you grant permission to all accounts for v. 2? From the linked documentation: "To grant layer-usage permission to another account, add a statement to the layer version's permissions policy with the add-layer-version-permission command. In each statement, you can grant permission to a single account, all accounts, or an organization."


revmischa avatar revmischa commented on July 21, 2024

supposedly that is what this line is supposed to do https://github.com/jetbridge/psycopg2-lambda-layer/blob/master/3.7/serverless.yml#L18


pinn3 avatar pinn3 commented on July 21, 2024

Getting a similar error when using it in a raw CloudFormation template. Pretty sure that it's caused by regional restrictions, as my stack is deployed to eu-west-1, while the layer is located in us-east-1.

Where is your Serverless stack deployed to, @bongbang?

Edit: I've seen other layer providers that deploy theirs to pretty much all regions; would it be possible for you to do the same, @revmischa?


bongbang avatar bongbang commented on July 21, 2024


pinn3 avatar pinn3 commented on July 21, 2024

Deployed this layer to my own account to confirm the permissions part. This way I could inspect the raw CloudFormation template that's generated by Serverless:

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "The AWS CloudFormation template for this Serverless application",
  "Resources": {
    "ServerlessDeploymentBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketEncryption": {
          "ServerSideEncryptionConfiguration": [{
            "ServerSideEncryptionByDefault": {
              "SSEAlgorithm": "AES256"
            }
          }]
        }
      }
    },
    "Psycopg2LambdaLayer": {
      "Type": "AWS::Lambda::LayerVersion",
      "Properties": {
        "Content": {
          "S3Bucket": { "Ref": "ServerlessDeploymentBucket" },
          "S3Key": "serverless/psycopg2-lambda-layer/dev/XXXXXXXXXXXXX-2019-03-14T00:45:20.968Z/psycopg2.zip"
        },
        "LayerName": "psycopg2",
        "CompatibleRuntimes": ["python3.7"]
      }
    },
    "Psycopg2WildLambdaLayerPermission": {
      "Type": "AWS::Lambda::LayerVersionPermission",
      "Properties": {
        "Action": "lambda:GetLayerVersion",
        "LayerVersionArn": { "Ref": "Psycopg2LambdaLayer" },
        "Principal": "*"
      }
    }
  },
  "Outputs": {
    "ServerlessDeploymentBucketName": {
      "Value": { "Ref": "ServerlessDeploymentBucket" }
    },
    "Psycopg2LambdaLayerQualifiedArn": {
      "Description": "Current Lambda layer version",
      "Value": { "Ref": "Psycopg2LambdaLayer" }
    }
  }
}

What I was looking for was this part:

    "Psycopg2WildLambdaLayerPermission": {
      "Type": "AWS::Lambda::LayerVersionPermission",
      "Properties": {
        "Action": "lambda:GetLayerVersion",
        "LayerVersionArn": { "Ref": "Psycopg2LambdaLayer" },
        "Principal": "*"
      }
    }

Which confirms that, yes, allowedAccounts in the serverless.yml translates to the correct resource, which was briefly mentioned here, meaning that the layer should be accessible by any AWS account.

This is all, of course, assuming that the deployed layer stack is up to date with this repository.

To further confirm that the permissions are correct, the owner of the layer could run the following command to view the current policy for it:

aws lambda get-layer-version-policy --layer-name psycopg2 --version-number 2

(see https://docs.aws.amazon.com/cli/latest/reference/lambda/get-layer-version-policy.html)


gregglowrimore avatar gregglowrimore commented on July 21, 2024

Any updates on this permissions issue? I am trying to use this as a layer in my SAM template's definition and getting an AccessDenied exception as well.

I am trying to include this layer in my SAM template (specifying the Arn) and I am always getting Access Denied - even as an Admin in my AWS account trying to add this Arn manually as a layer to an existing lambda.


revmischa avatar revmischa commented on July 21, 2024

I am using arn:aws:lambda:eu-central-1:898466741470:layer:psycopg2-py37:2 and it works for me


gregglowrimore avatar gregglowrimore commented on July 21, 2024

Nope, still no workie for me. Like I said above, I went to an existing Lambda and attempted to add a new remote layer, specifying the above ARN, and got the access denied failure there too. Does it matter that the ARN above is specifying eu-central-1 and (I assume) jetbridge's AWS account? Are the proper cross-account access policies in place? Or has jetbridge basically made the Lambda Layer publicly readable?


revmischa avatar revmischa commented on July 21, 2024

It should be publicly readable:

aws> lambda get-layer-version-policy --layer-name psycopg2-py37 --version-number 2
{
    "Policy": "{\"Version\":\"2012-10-17\",\"Id\":\"default\",\"Statement\":[{\"Sid\":\"Psycopg2Dashpy37WildLambdaL-6kCQPmvXWUf9\",\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"lambda:GetLayerVersion\",\"Resource\":\"arn:aws:lambda:eu-central-1:898466741470:layer:psycopg2-py37:2\"}]}",
    "RevisionId": "3061bc5c-7c94-4c90-84c3-cd3a33fb703e"
}

Which I think means it is public?
It was created with the serverless config in this repo
Suggestions welcome!


gregglowrimore avatar gregglowrimore commented on July 21, 2024

Well, I spent 4 hours on an AWS support chat yesterday where the first hour was going over this layer permissions issue and trying to figure out why my Lambda always got AccessDenied. Even the support tech was getting AccessDenied when he tried it on his end.

We ended up just building our own layer using a combination of your repo here and jkehler's repo for psycopg2. Once we got our own layer created and deployed into our account, our Lambda was obviously able to pull it down and use it.

I agree, all evidence above shows your layer should be public, but something's not letting the public access it from my world.


revmischa avatar revmischa commented on July 21, 2024

Getting a similar error when using it in a raw CloudFormation template. Pretty sure that it's caused by regional restrictions, as my stack is deployed to eu-west-1, while the layer is located in us-east-1.

Where is your Serverless stack deployed to, @bongbang?

Edit: I've seen other layer providers that deploy theirs to pretty much all regions; would it be possible for you to do the same, @revmischa?

This is the answer - it must be in the same region. I have deployed in us-east-1, ap-southeast-1, eu-central-1. Unfortunately the version numbers don't line up :(

A script to deploy everywhere with the same version numbers would be nice.


revmischa avatar revmischa commented on July 21, 2024

I updated the README. Please open an issue if you need another region. Make sure to use the layer from your region or you will get that permission error.

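The two checks the thread converges on (pinn3's policy inspection with `get-layer-version-policy`, and revmischa's point that the layer must live in the same region as the function) can be combined into one offline pre-flight check. This is an added example, not code from the psycopg2-lambda-layer repository; it assumes you pass in the layer ARN, the region your stack deploys to, and the policy JSON string as returned by the CLI command above (the sample policy below is the one quoted in the thread).

```python
import json
from typing import Any, Dict, List

# Policy document quoted earlier in the thread for the eu-central-1 layer.
LAYER_ARN = "arn:aws:lambda:eu-central-1:898466741470:layer:psycopg2-py37:2"
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17", "Id": "default",
    "Statement": [{"Sid": "Psycopg2Dashpy37WildLambdaL-6kCQPmvXWUf9",
                   "Effect": "Allow", "Principal": "*",
                   "Action": "lambda:GetLayerVersion", "Resource": LAYER_ARN}],
})


def parse_layer_arn(arn: str) -> Dict[str, str]:
    """Split a layer *version* ARN into region, account, name and version."""
    parts = arn.split(":")
    if len(parts) != 8 or parts[2] != "lambda" or parts[5] != "layer":
        raise ValueError(f"not a Lambda layer version ARN: {arn}")
    return {"region": parts[3], "account": parts[4],
            "name": parts[6], "version": parts[7]}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def grants_public_get(policy_json: str, layer_arn: str) -> bool:
    """True if some Allow statement gives everyone lambda:GetLayerVersion on this ARN."""
    for stmt in json.loads(policy_json).get("Statement", []):
        public = stmt.get("Principal") in ("*", {"AWS": "*"})
        if (stmt.get("Effect") == "Allow" and public
                and "lambda:GetLayerVersion" in _as_list(stmt.get("Action"))
                and layer_arn in _as_list(stmt.get("Resource"))):
            return True
    return False


def diagnose(layer_arn: str, function_region: str, policy_json: str) -> List[str]:
    """Return the reasons a function in function_region would get AccessDenied."""
    problems = []
    info = parse_layer_arn(layer_arn)
    if info["region"] != function_region:  # layers are regional resources
        problems.append(f"region mismatch: layer is in {info['region']}, "
                        f"function deploys to {function_region}")
    if not grants_public_get(policy_json, layer_arn):
        problems.append("layer version policy does not grant "
                        "lambda:GetLayerVersion to Principal '*'")
    return problems


if __name__ == "__main__":
    for region in ("eu-central-1", "eu-west-1"):
        print(region, diagnose(LAYER_ARN, region, SAMPLE_POLICY) or "ok")
```

Run it against the output of `aws lambda get-layer-version-policy` for any layer you intend to reference; an empty result means both conditions the thread identified are satisfied.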
