AWS::Lambda::LayerVersionPermission - Amazon CloudFormation


The AWS::Lambda::LayerVersionPermission resource adds permissions to the resource-based policy of a version of a Lambda layer. Use this action to grant layer usage permission to other accounts. You can grant permission to a single account, all Amazon accounts, or all accounts in an organization.


Since the release of the UpdateReplacePolicy, both UpdateReplacePolicy and DeletionPolicy are required to protect your Resources/LayerPermissions from deletion.


To declare this entity in your Amazon CloudFormation template, use the following syntax:


    {
      "Type" : "AWS::Lambda::LayerVersionPermission",
      "Properties" : {
          "Action" : String,
          "LayerVersionArn" : String,
          "OrganizationId" : String,
          "Principal" : String
        }
    }


    Type: AWS::Lambda::LayerVersionPermission
    Properties:
      Action: String
      LayerVersionArn: String
      OrganizationId: String
      Principal: String



Action

The API action that grants access to the layer. For example, lambda:GetLayerVersion.

Required: Yes

Type: String

Pattern: lambda:GetLayerVersion

Maximum: 22

Update requires: Replacement


LayerVersionArn

The name or Amazon Resource Name (ARN) of the layer.

Required: Yes

Type: String

Pattern: (arn:[a-zA-Z0-9-]+:lambda:[a-zA-Z0-9-]+:\d{12}:layer:[a-zA-Z0-9-_]+)|[a-zA-Z0-9-_]+

Minimum: 1

Maximum: 140

Update requires: Replacement


OrganizationId

With the principal set to *, grant permission to all accounts in the specified organization.

Required: No

Type: String

Pattern: o-[a-z0-9]{10,32}

Maximum: 34

Update requires: Replacement


Principal

An account ID, or * to grant layer usage permission to all accounts in an organization, or all Amazon accounts (if OrganizationId is not specified). For the last case, make sure that you really do want all Amazon accounts to have usage permission to this layer.

Required: Yes

Type: String

Pattern: \d{12}|\*|arn:(aws[a-zA-Z-]*):iam::\d{12}:root

Update requires: Replacement

Return values


When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the layer version ARN and statement ID, such as arn:aws:lambda:us-west-2:123456789012:layer:my-layer:1#engineering-org.

For more information about using the Ref function, see Ref.



Layer Version Permission

Grant layer use permission to accounts in organization o-t194hfs8cz.


    "MyLayerPermission": {
        "Type": "AWS::Lambda::LayerVersionPermission",
        "Properties": {
            "Action": "lambda:GetLayerVersion",
            "LayerVersionArn": "arn:aws:lambda:us-west-2:123456789012:layer:my-layer:1",
            "OrganizationId": "o-t194hfs8cz",
            "Principal": "*"
        }
    }


    MyLayerPermission:
      Type: AWS::Lambda::LayerVersionPermission
      Properties:
        Action: lambda:GetLayerVersion
        LayerVersionArn: arn:aws:lambda:us-west-2:123456789012:layer:my-layer:1
        OrganizationId: o-t194hfs8cz
        Principal: "*"
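
A static check for the Principal caveat described under Properties, as an added example that is not part of the AWS documentation: it classifies every AWS::Lambda::LayerVersionPermission in a parsed template as an account, organization or public grant, using the patterns from the property reference. The function names, the sample template and its logical IDs are constructed for illustration.

```python
import re

# Patterns copied from the property reference on this page.
PRINCIPAL_RE = re.compile(r"\d{12}|\*|arn:(aws[a-zA-Z-]*):iam::\d{12}:root")
ORG_ID_RE = re.compile(r"o-[a-z0-9]{10,32}")
RESOURCE_TYPE = "AWS::Lambda::LayerVersionPermission"
LAYER_ARN = "arn:aws:lambda:us-west-2:123456789012:layer:my-layer:1"  # from the page's example


def classify_grant(props):
    """Return the grant scope: account, organization, public, unresolved or invalid."""
    principal, org_id = props.get("Principal"), props.get("OrganizationId")
    # Intrinsic functions (Ref, Fn::Sub, ...) parse as dicts; the value is only known at deploy time.
    if isinstance(principal, dict) or isinstance(org_id, dict):
        return "unresolved"
    if not isinstance(principal, str) or not PRINCIPAL_RE.fullmatch(principal):
        return "invalid"
    if org_id is not None and not (isinstance(org_id, str) and ORG_ID_RE.fullmatch(org_id)):
        return "invalid"
    if principal != "*":
        return "account"
    # "*" with an organization ID is scoped to that organization; without one it is every account.
    return "organization" if org_id else "public"


def audit_template(template):
    """Map each LayerVersionPermission logical ID in a parsed template to its grant scope."""
    return {logical_id: classify_grant(res.get("Properties", {}))
            for logical_id, res in template.get("Resources", {}).items()
            if res.get("Type") == RESOURCE_TYPE}


def perm(**grant):
    """Hypothetical helper: build one permission resource for the constructed sample."""
    return {"Type": RESOURCE_TYPE, "Properties": {
        "Action": "lambda:GetLayerVersion", "LayerVersionArn": LAYER_ARN, **grant}}


# Constructed sample template: the page's example (OrgGrant) plus hypothetical variants.
SAMPLE_TEMPLATE = {"Resources": {
    "OrgGrant": perm(Principal="*", OrganizationId="o-t194hfs8cz"),
    "PublicGrant": perm(Principal="*"),
    "AccountGrant": perm(Principal="210987654321"),
    "ParamGrant": perm(Principal={"Ref": "ConsumerAccount"}),
    "Bucket": {"Type": "AWS::S3::Bucket"},
}}

if __name__ == "__main__":
    for logical_id, scope in audit_template(SAMPLE_TEMPLATE).items():
        flag = "REVIEW" if scope in ("public", "unresolved", "invalid") else "ok"
        print(f"{flag:6} {logical_id}: {scope}")
```

Run against a template parsed with a JSON or CloudFormation-aware YAML loader, a "public" result marks a layer version readable by all accounts, and "unresolved" marks a grant whose scope depends on a parameter value.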