Manage AWS Lambda Layer Version Permissions

The aws:lambda/layerVersionPermission:LayerVersionPermission resource, part of the Pulumi AWS provider, controls who can access a specific Lambda Layer version through resource-based permissions. This guide focuses on three capabilities: sharing layers with specific AWS accounts, organization-wide access, and public distribution.

Layer permissions reference existing Lambda Layer versions and apply to a single version at a time. The examples are intentionally small. Combine them with your own layer publishing workflow and access control requirements.

Grant access to a specific AWS account

Teams often share Lambda Layers across AWS accounts for development, testing, or partner integrations, allowing one account to publish shared code while others consume it.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Lambda layer to share. A lambda:GetLayerVersion grant lets the grantee
// download the layer archive, so keep secrets and credentials out of layer.zip.
const layerArgs: aws.lambda.LayerVersionArgs = {
    code: new pulumi.asset.FileArchive("layer.zip"),
    layerName: "shared_utilities",
    description: "Common utilities for Lambda functions",
    compatibleRuntimes: ["nodejs20.x", "python3.12"],
};
const example = new aws.lambda.LayerVersion("example", layerArgs);

// Consumer account that may reference this exact layer version.
const consumerAccountId = "123456789012";

// Resource-based permission for the single version published above;
// a newly published version needs its own permission resource.
const exampleLayerVersionPermission = new aws.lambda.LayerVersionPermission("example", {
    layerName: example.layerName,
    versionNumber: example.version,
    principal: consumerAccountId,
    action: "lambda:GetLayerVersion",
    statementId: "dev-account-access",
});
import pulumi
import pulumi_aws as aws

# Lambda layer to share. A lambda:GetLayerVersion grant lets the grantee
# download the layer archive, so keep secrets and credentials out of layer.zip.
layer_args = dict(
    code=pulumi.FileArchive("layer.zip"),
    layer_name="shared_utilities",
    description="Common utilities for Lambda functions",
    compatible_runtimes=["nodejs20.x", "python3.12"],
)
example = aws.lambda_.LayerVersion("example", **layer_args)

# Consumer account that may reference this exact layer version.
consumer_account_id = "123456789012"

# Resource-based permission for the single version published above;
# a newly published version needs its own permission resource.
example_layer_version_permission = aws.lambda_.LayerVersionPermission(
    "example",
    layer_name=example.layer_name,
    version_number=example.version,
    principal=consumer_account_id,
    action="lambda:GetLayerVersion",
    statement_id="dev-account-access",
)
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/lambda"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Consumer account that may reference this exact layer version.
		const consumerAccountID = "123456789012"

		// Lambda layer to share. A lambda:GetLayerVersion grant lets the
		// grantee download the layer archive, so keep secrets and
		// credentials out of layer.zip.
		layerArgs := &lambda.LayerVersionArgs{
			Code:        pulumi.NewFileArchive("layer.zip"),
			LayerName:   pulumi.String("shared_utilities"),
			Description: pulumi.String("Common utilities for Lambda functions"),
			CompatibleRuntimes: pulumi.StringArray{
				pulumi.String("nodejs20.x"),
				pulumi.String("python3.12"),
			},
		}
		layer, err := lambda.NewLayerVersion(ctx, "example", layerArgs)
		if err != nil {
			return err
		}

		// Resource-based permission for the single version published above;
		// a newly published version needs its own permission resource.
		permArgs := &lambda.LayerVersionPermissionArgs{
			LayerName:     layer.LayerName,
			VersionNumber: layer.Version,
			Principal:     pulumi.String(consumerAccountID),
			Action:        pulumi.String("lambda:GetLayerVersion"),
			StatementId:   pulumi.String("dev-account-access"),
		}
		_, err = lambda.NewLayerVersionPermission(ctx, "example", permArgs)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() =>
{
    // Consumer account that may reference this exact layer version.
    const string consumerAccountId = "123456789012";

    // Lambda layer to share. A lambda:GetLayerVersion grant lets the
    // grantee download the layer archive, so keep secrets and
    // credentials out of layer.zip.
    var layerArgs = new Aws.Lambda.LayerVersionArgs
    {
        Code = new FileArchive("layer.zip"),
        LayerName = "shared_utilities",
        Description = "Common utilities for Lambda functions",
        CompatibleRuntimes = new[] { "nodejs20.x", "python3.12" },
    };
    var example = new Aws.Lambda.LayerVersion("example", layerArgs);

    // Resource-based permission for the single version published above;
    // a newly published version needs its own permission resource.
    var permissionArgs = new Aws.Lambda.LayerVersionPermissionArgs
    {
        LayerName = example.LayerName,
        VersionNumber = example.Version,
        Principal = consumerAccountId,
        Action = "lambda:GetLayerVersion",
        StatementId = "dev-account-access",
    };
    var exampleLayerVersionPermission = new Aws.Lambda.LayerVersionPermission("example", permissionArgs);
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.lambda.LayerVersion;
import com.pulumi.aws.lambda.LayerVersionArgs;
import com.pulumi.aws.lambda.LayerVersionPermission;
import com.pulumi.aws.lambda.LayerVersionPermissionArgs;
import com.pulumi.asset.FileArchive;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Consumer account that may reference this exact layer version.
        final String consumerAccountId = "123456789012";

        // Lambda layer to share. A lambda:GetLayerVersion grant lets the
        // grantee download the layer archive, so keep secrets and
        // credentials out of layer.zip.
        var layerArgs = LayerVersionArgs.builder()
            .code(new FileArchive("layer.zip"))
            .layerName("shared_utilities")
            .description("Common utilities for Lambda functions")
            .compatibleRuntimes("nodejs20.x", "python3.12")
            .build();
        var example = new LayerVersion("example", layerArgs);

        // Resource-based permission for the single version published above;
        // a newly published version needs its own permission resource.
        var permissionArgs = LayerVersionPermissionArgs.builder()
            .layerName(example.layerName())
            .versionNumber(example.version())
            .principal(consumerAccountId)
            .action("lambda:GetLayerVersion")
            .statementId("dev-account-access")
            .build();
        var exampleLayerVersionPermission = new LayerVersionPermission("exampleLayerVersionPermission", permissionArgs);
    }
}
resources:
  # Lambda layer to share. A lambda:GetLayerVersion grant lets the grantee
  # download the layer archive, so keep secrets and credentials out of layer.zip.
  example:
    type: aws:lambda:LayerVersion
    properties:
      code:
        fn::FileArchive: layer.zip
      layerName: shared_utilities
      description: Common utilities for Lambda functions
      compatibleRuntimes:
        - nodejs20.x
        - python3.12
  # Grant permission to specific AWS account. The grant covers only the
  # version published above; a newly published version needs its own permission.
  exampleLayerVersionPermission:
    type: aws:lambda:LayerVersionPermission
    name: example
    properties:
      layerName: ${example.layerName}
      versionNumber: ${example.version}
      principal: '123456789012'   # consumer account ID; quoted so YAML keeps it a string
      action: lambda:GetLayerVersion
      statementId: dev-account-access

When you grant permission, the target account can reference your layer by ARN in their Lambda functions. The principal property specifies the AWS account ID, and statementId provides a unique identifier for the permission statement. The action property is always lambda:GetLayerVersion for layer access. Permissions apply only to the specific versionNumber you specify; new layer versions require new permissions. Note that lambda:GetLayerVersion also returns a download link for the layer archive, so granting it is equivalent to handing the grantee a copy of the layer's code: keep secrets, credentials and anything you would not share with that account out of the archive.

Share with all accounts in an AWS Organization

Organizations with multiple AWS accounts can grant layer access to all member accounts at once, including accounts that join the organization later, simplifying permission management across environments.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Organization-wide grant: principal "*" scoped to the organization by
// organizationId. Without organizationId the same statement would be a
// public grant, so treat the two fields as a unit when editing.
const orgWideArgs: aws.lambda.LayerVersionPermissionArgs = {
    layerName: exampleAwsLambdaLayerVersion.layerName,
    versionNumber: exampleAwsLambdaLayerVersion.version,
    principal: "*",
    organizationId: "o-1234567890",
    action: "lambda:GetLayerVersion",
    statementId: "org-wide-access",
};
const example = new aws.lambda.LayerVersionPermission("example", orgWideArgs);
import pulumi
import pulumi_aws as aws

# Organization-wide grant: principal "*" scoped to the organization by
# organization_id. Without organization_id the same statement would be a
# public grant, so treat the two fields as a unit when editing.
org_wide_args = dict(
    layer_name=example_aws_lambda_layer_version["layerName"],
    version_number=example_aws_lambda_layer_version["version"],
    principal="*",
    organization_id="o-1234567890",
    action="lambda:GetLayerVersion",
    statement_id="org-wide-access",
)
example = aws.lambda_.LayerVersionPermission("example", **org_wide_args)
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/lambda"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Organization-wide grant: principal "*" scoped to the organization by
		// OrganizationId. Without OrganizationId the same statement would be a
		// public grant, so treat the two fields as a unit when editing.
		args := &lambda.LayerVersionPermissionArgs{
			LayerName:      pulumi.Any(exampleAwsLambdaLayerVersion.LayerName),
			VersionNumber:  pulumi.Any(exampleAwsLambdaLayerVersion.Version),
			Principal:      pulumi.String("*"),
			OrganizationId: pulumi.String("o-1234567890"),
			Action:         pulumi.String("lambda:GetLayerVersion"),
			StatementId:    pulumi.String("org-wide-access"),
		}
		_, err := lambda.NewLayerVersionPermission(ctx, "example", args)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() =>
{
    // Organization-wide grant: Principal "*" scoped to the organization by
    // OrganizationId. Without OrganizationId the same statement would be a
    // public grant, so treat the two fields as a unit when editing.
    var orgWideArgs = new Aws.Lambda.LayerVersionPermissionArgs
    {
        LayerName = exampleAwsLambdaLayerVersion.LayerName,
        VersionNumber = exampleAwsLambdaLayerVersion.Version,
        Principal = "*",
        OrganizationId = "o-1234567890",
        Action = "lambda:GetLayerVersion",
        StatementId = "org-wide-access",
    };
    var example = new Aws.Lambda.LayerVersionPermission("example", orgWideArgs);
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.lambda.LayerVersionPermission;
import com.pulumi.aws.lambda.LayerVersionPermissionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Organization-wide grant: principal "*" scoped to the organization by
        // organizationId. Without organizationId the same statement would be a
        // public grant, so treat the two fields as a unit when editing.
        var orgWideArgs = LayerVersionPermissionArgs.builder()
            .layerName(exampleAwsLambdaLayerVersion.layerName())
            .versionNumber(exampleAwsLambdaLayerVersion.version())
            .principal("*")
            .organizationId("o-1234567890")
            .action("lambda:GetLayerVersion")
            .statementId("org-wide-access")
            .build();
        var example = new LayerVersionPermission("example", orgWideArgs);
    }
}
resources:
  # Organization-wide grant: principal "*" scoped to the organization by
  # organizationId. Without organizationId the same statement would be a
  # public grant, so treat the two fields as a unit when editing.
  example:
    type: aws:lambda:LayerVersionPermission
    properties:
      layerName: ${exampleAwsLambdaLayerVersion.layerName}
      versionNumber: ${exampleAwsLambdaLayerVersion.version}
      principal: '*'
      organizationId: o-1234567890
      action: lambda:GetLayerVersion
      statementId: org-wide-access

The organizationId property grants access to all accounts within your AWS Organization. When using organizationId, you must set principal to *. AWS stores this as a Principal "*" statement constrained by an aws:PrincipalOrgID condition, so organizationId is the only thing keeping the grant from being public: a later edit that drops organizationId while leaving principal at * turns it into a public grant (see the next section), which is worth a policy-as-code check. This approach eliminates the need to create individual permissions for each account as your organization grows.

Make a layer publicly accessible

Open source projects or public utilities can make layers available to any AWS account, allowing the broader community to use shared code. Because the grant exposes the layer archive itself, this is appropriate only for content you are willing to publish.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Public grant: principal "*" with no organizationId lets any AWS account
// reference this version and download its archive. Only publish content
// you are willing to make public; never bundle secrets or credentials.
const publicArgs: aws.lambda.LayerVersionPermissionArgs = {
    layerName: exampleAwsLambdaLayerVersion.layerName,
    versionNumber: exampleAwsLambdaLayerVersion.version,
    principal: "*",
    action: "lambda:GetLayerVersion",
    statementId: "public-access",
};
const example = new aws.lambda.LayerVersionPermission("example", publicArgs);
import pulumi
import pulumi_aws as aws

# Public grant: principal "*" with no organization_id lets any AWS account
# reference this version and download its archive. Only publish content
# you are willing to make public; never bundle secrets or credentials.
public_args = dict(
    layer_name=example_aws_lambda_layer_version["layerName"],
    version_number=example_aws_lambda_layer_version["version"],
    principal="*",
    action="lambda:GetLayerVersion",
    statement_id="public-access",
)
example = aws.lambda_.LayerVersionPermission("example", **public_args)
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/lambda"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Public grant: Principal "*" with no OrganizationId lets any AWS
		// account reference this version and download its archive. Only
		// publish content you are willing to make public; never bundle
		// secrets or credentials.
		args := &lambda.LayerVersionPermissionArgs{
			LayerName:     pulumi.Any(exampleAwsLambdaLayerVersion.LayerName),
			VersionNumber: pulumi.Any(exampleAwsLambdaLayerVersion.Version),
			Principal:     pulumi.String("*"),
			Action:        pulumi.String("lambda:GetLayerVersion"),
			StatementId:   pulumi.String("public-access"),
		}
		_, err := lambda.NewLayerVersionPermission(ctx, "example", args)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() =>
{
    // Public grant: Principal "*" with no OrganizationId lets any AWS account
    // reference this version and download its archive. Only publish content
    // you are willing to make public; never bundle secrets or credentials.
    var publicArgs = new Aws.Lambda.LayerVersionPermissionArgs
    {
        LayerName = exampleAwsLambdaLayerVersion.LayerName,
        VersionNumber = exampleAwsLambdaLayerVersion.Version,
        Principal = "*",
        Action = "lambda:GetLayerVersion",
        StatementId = "public-access",
    };
    var example = new Aws.Lambda.LayerVersionPermission("example", publicArgs);
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.lambda.LayerVersionPermission;
import com.pulumi.aws.lambda.LayerVersionPermissionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Public grant: principal "*" with no organizationId lets any AWS account
        // reference this version and download its archive. Only publish content
        // you are willing to make public; never bundle secrets or credentials.
        var publicArgs = LayerVersionPermissionArgs.builder()
            .layerName(exampleAwsLambdaLayerVersion.layerName())
            .versionNumber(exampleAwsLambdaLayerVersion.version())
            .principal("*")
            .action("lambda:GetLayerVersion")
            .statementId("public-access")
            .build();
        var example = new LayerVersionPermission("example", publicArgs);
    }
}
resources:
  # Public grant: principal "*" with no organizationId lets any AWS account
  # reference this version and download its archive. Only publish content
  # you are willing to make public; never bundle secrets or credentials.
  example:
    type: aws:lambda:LayerVersionPermission
    properties:
      layerName: ${exampleAwsLambdaLayerVersion.layerName}
      versionNumber: ${exampleAwsLambdaLayerVersion.version}
      principal: '*'
      action: lambda:GetLayerVersion
      statementId: public-access

Setting principal to * without an organizationId makes the layer publicly accessible. Any AWS account can reference your layer ARN in their Lambda functions and download the version's archive. This is useful for distributing open source utilities or common dependencies; never do it for a layer that bundles secrets, credentials or proprietary code, and review any existing principal: * statements to confirm they are intentionally public rather than a missing organizationId. Consumers of a public layer should pin a specific version ARN rather than tracking the newest version, since the publisher controls what each new version contains.

Beyond these examples

These snippets focus on specific layer permission features: account-specific and organization-wide sharing, and public layer distribution. They’re intentionally minimal rather than complete layer management solutions.

The examples reference pre-existing infrastructure such as Lambda Layer versions (aws.lambda.LayerVersion). They focus on permission configuration rather than layer creation or versioning.

To keep things focused, common permission patterns are omitted, including:

  • Permission retention on destroy (skipDestroy)
  • Multiple permissions per layer version (one LayerVersionPermission resource per principal, each with a unique statementId; not shown here)
  • Cross-region layer sharing considerations
  • IAM policy integration and permission boundaries

These omissions are intentional: the goal is to illustrate how layer permissions are wired, not provide drop-in layer distribution modules. See the Lambda Layer Version Permission resource reference for all available configuration options.


Frequently Asked Questions

Sharing Patterns
How do I share a Lambda layer with a specific AWS account?
Set principal to the target account ID (e.g., 123456789012) and action to lambda:GetLayerVersion.
How do I share a Lambda layer publicly?
Set principal to * without specifying organizationId. This allows any AWS account to access the layer version, including downloading its archive, so only do this for content you intend to publish.
How do I share a Lambda layer with my entire AWS organization?
Set principal to * and provide your organizationId (e.g., o-1234567890). The principal must be * when using organization-based sharing.
Can I grant multiple AWS accounts access to the same layer version?
Yes, create a separate LayerVersionPermission resource for each account with a unique statementId.
Permissions & Versioning
What action should I use for layer permissions?
Use lambda:GetLayerVersion, which is the standard action for granting layer access.
Do layer permissions apply to all versions of my layer?
No, permissions only apply to a single version of a layer. You must create new permission resources for each layer version you want to share.
What should principal be when sharing with an organization?
Set principal to * when using organizationId. You cannot specify a specific account ID for organization-wide sharing.
Resource Management
What happens if I set skipDestroy to true?
The AWS Provider won’t destroy layer permissions even when running pulumi destroy, leaving the permission statement in place after the stack is gone. A layer permission has no cost of its own, but an orphaned grant keeps the layer version accessible to its principal, so audit the layer version's policy (for example with aws lambda get-layer-version-policy) and remove grants that are no longer intended.
What properties can I change after creating a layer permission?
Only region can be changed. All other properties (action, layerName, principal, statementId, versionNumber, organizationId, skipDestroy) are immutable and require resource replacement.
