Granting Lambda layer access to other accounts - Amazon Lambda
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Granting Lambda layer access to other accounts

To share a layer with another Amazon Web Services account, add a cross-account permissions statement to the layer's resource-based policy. Run the add-layer-version-permission command and specify the account ID as the principal. In each statement, you can grant permission to a single account, all accounts, or an organization in Amazon Organizations. Be deliberate with the principal: a statement whose principal is * and that carries no organization-id condition makes that layer version readable by any Amazon Web Services account, so anyone can download the layer's contents.

The following example grants account 111122223333 access to version 2 of the bash-runtime layer.

aws lambda add-layer-version-permission \
    --layer-name bash-runtime \
    --version-number 2 \
    --statement-id xaccount \
    --action lambda:GetLayerVersion \
    --principal 111122223333 \
    --output text

You should see output similar to the following:

{"Sid":"xaccount","Effect":"Allow","Principal":{"AWS":"arn:aws-cn:iam::111122223333:root"},"Action":"lambda:GetLayerVersion","Resource":"arn:aws-cn:lambda:us-east-1:123456789012:layer:bash-runtime:2"}

Permissions apply only to a single layer version. Repeat the process each time that you create a new layer version. To review the statements attached to a version, run get-layer-version-policy with the same layer name and version number; to revoke a grant, run remove-layer-version-permission with the statement ID you used when you added it.

To grant permission to all accounts in an Amazon Organizations organization, use the organization-id option. The following example grants all accounts in organization o-t194hfs8cz permission to use version 3 of my-layer.

aws lambda add-layer-version-permission \
    --layer-name my-layer \
    --version-number 3 \
    --statement-id engineering-org \
    --principal '*' \
    --action lambda:GetLayerVersion \
    --organization-id o-t194hfs8cz \
    --output text

You should see the following output:

{"Sid":"engineering-org","Effect":"Allow","Principal":"*","Action":"lambda:GetLayerVersion","Resource":"arn:aws-cn:lambda:us-west-2:123456789012:layer:my-layer:3","Condition":{"StringEquals":{"aws:PrincipalOrgID":"o-t194hfs8cz"}}}

To grant permission to multiple accounts or organizations, you must add multiple statements.
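The following wrapper is an added example and is not part of the Amazon Web Services documentation or CLI. It builds the add-layer-version-permission call for the two cases shown above (a single account, or an organization with principal '*') and refuses the combination that silently publishes a layer version: principal '*' with no organization ID. The function names share_layer, is_account_id and is_org_id are this example's own; the wrapper assumes the aws CLI is installed and configured when DRY_RUN is not set, and otherwise only prints the command it would run.

```shell
#!/bin/sh
# Added example (not AWS code): guard around
# `aws lambda add-layer-version-permission` so that a layer version is
# never opened to every AWS account by accident.
#
# Usage: share_layer LAYER_NAME VERSION STATEMENT_ID PRINCIPAL [ORG_ID]
#   PRINCIPAL is a 12-digit account ID, or '*' together with ORG_ID.
#   DRY_RUN=1 prints the command instead of invoking the AWS CLI.

# A 12-digit account ID (hypothetical check, written for this example).
is_account_id() {
    [ "${#1}" -eq 12 ] || return 1
    case "$1" in *[!0-9]*) return 1 ;; esac
    return 0
}

# An Organizations ID: "o-" plus 10 to 32 lowercase letters or digits.
is_org_id() {
    case "$1" in o-*) ;; *) return 1 ;; esac
    rest=${1#o-}
    [ "${#rest}" -ge 10 ] && [ "${#rest}" -le 32 ] || return 1
    case "$rest" in *[!a-z0-9]*) return 1 ;; esac
    return 0
}

share_layer() {
    layer=$1; version=$2; sid=$3; principal=$4; org=${5:-}

    case "$version" in
        ''|*[!0-9]*) echo "share_layer: version must be a number" >&2; return 2 ;;
    esac

    if [ "$principal" = '*' ]; then
        # '*' without an aws:PrincipalOrgID condition = public layer version.
        if [ -z "$org" ]; then
            echo "share_layer: refusing principal '*' without an organization ID" >&2
            return 3
        fi
        is_org_id "$org" || { echo "share_layer: bad organization ID: $org" >&2; return 4; }
        set -- --layer-name "$layer" --version-number "$version" --statement-id "$sid" \
               --action lambda:GetLayerVersion --principal '*' \
               --organization-id "$org" --output text
    else
        is_account_id "$principal" || { echo "share_layer: bad account ID: $principal" >&2; return 5; }
        if [ -n "$org" ]; then
            # The API only applies organization-id when the principal is '*'.
            echo "share_layer: organization ID requires principal '*'" >&2
            return 6
        fi
        set -- --layer-name "$layer" --version-number "$version" --statement-id "$sid" \
               --action lambda:GetLayerVersion --principal "$principal" --output text
    fi

    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'aws lambda add-layer-version-permission'
        for a in "$@"; do printf ' %s' "$a"; done
        printf '\n'
        return 0
    fi
    aws lambda add-layer-version-permission "$@"
}

# Reproduce the two grants from the page without calling AWS.
DRY_RUN=1 share_layer bash-runtime 2 xaccount 111122223333
DRY_RUN=1 share_layer my-layer 3 engineering-org '*' o-t194hfs8cz
```

Because a grant covers only one layer version, the same function can be called in a loop over the version numbers you publish; the guard runs on every call, so a later script edit that drops the organization ID fails closed instead of publishing the layer.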