Manage AWS Lambda Layer Version Permissions

The aws:lambda/layerVersionPermission:LayerVersionPermission resource, part of the Pulumi AWS provider, controls who can access a specific Lambda Layer version through resource-based permissions. This guide focuses on three capabilities: account-specific access grants, organization-wide sharing, and public Layer distribution.

Layer permissions reference existing Lambda Layer versions and require target AWS account IDs or Organization IDs. The examples are intentionally small. Combine them with your own Layer publishing workflow and access control requirements.

Grant access to a specific AWS account

Teams often share Lambda Layers across AWS accounts for development, testing, or partner integrations, allowing one account to publish shared code while others consume it.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Lambda layer to share
const sharedLayerArgs: aws.lambda.LayerVersionArgs = {
    code: new pulumi.asset.FileArchive("layer.zip"),
    layerName: "shared_utilities",
    description: "Common utilities for Lambda functions",
    compatibleRuntimes: ["nodejs20.x", "python3.12"],
};
const example = new aws.lambda.LayerVersion("example", sharedLayerArgs);

// Grant lambda:GetLayerVersion on this single version to one AWS account.
// The grant is bound to `versionNumber`; publishing a new layer version
// requires a new LayerVersionPermission.
const exampleLayerVersionPermission = new aws.lambda.LayerVersionPermission("example", {
    layerName: example.layerName,
    versionNumber: example.version,
    principal: "123456789012", // consuming account ID
    action: "lambda:GetLayerVersion",
    statementId: "dev-account-access", // unique within the version's resource policy
});
import pulumi
import pulumi_aws as aws

# Lambda layer to share
runtimes = ["nodejs20.x", "python3.12"]
example = aws.lambda_.LayerVersion(
    "example",
    code=pulumi.FileArchive("layer.zip"),
    layer_name="shared_utilities",
    description="Common utilities for Lambda functions",
    compatible_runtimes=runtimes,
)

# Grant lambda:GetLayerVersion on this single version to one AWS account.
# The grant is bound to `version_number`; a newly published layer version
# needs its own LayerVersionPermission.
example_layer_version_permission = aws.lambda_.LayerVersionPermission(
    "example",
    layer_name=example.layer_name,
    version_number=example.version,
    principal="123456789012",  # consuming account ID
    action="lambda:GetLayerVersion",
    statement_id="dev-account-access",  # unique within the version's resource policy
)
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/lambda"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(deploy)
}

// deploy publishes a Lambda layer version and grants a single AWS account
// permission to read that specific version.
func deploy(ctx *pulumi.Context) error {
	// Lambda layer to share
	layer, err := lambda.NewLayerVersion(ctx, "example", &lambda.LayerVersionArgs{
		Code:        pulumi.NewFileArchive("layer.zip"),
		LayerName:   pulumi.String("shared_utilities"),
		Description: pulumi.String("Common utilities for Lambda functions"),
		CompatibleRuntimes: pulumi.StringArray{
			pulumi.String("nodejs20.x"),
			pulumi.String("python3.12"),
		},
	})
	if err != nil {
		return err
	}

	// Grant lambda:GetLayerVersion on this one version to a single account.
	// The grant is bound to VersionNumber; a new layer version needs its own
	// LayerVersionPermission.
	_, err = lambda.NewLayerVersionPermission(ctx, "example", &lambda.LayerVersionPermissionArgs{
		LayerName:     layer.LayerName,
		VersionNumber: layer.Version,
		Principal:     pulumi.String("123456789012"), // consuming account ID
		Action:        pulumi.String("lambda:GetLayerVersion"),
		StatementId:   pulumi.String("dev-account-access"), // unique within the version's policy
	})
	return err
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() =>
{
    // Lambda layer to share
    var layerArgs = new Aws.Lambda.LayerVersionArgs
    {
        Code = new FileArchive("layer.zip"),
        LayerName = "shared_utilities",
        Description = "Common utilities for Lambda functions",
        CompatibleRuntimes = new[] { "nodejs20.x", "python3.12" },
    };
    var example = new Aws.Lambda.LayerVersion("example", layerArgs);

    // Grant lambda:GetLayerVersion on this single version to one AWS account.
    // The grant is bound to VersionNumber; a new layer version needs its own permission.
    var permissionArgs = new Aws.Lambda.LayerVersionPermissionArgs
    {
        LayerName = example.LayerName,
        VersionNumber = example.Version,
        Principal = "123456789012", // consuming account ID
        Action = "lambda:GetLayerVersion",
        StatementId = "dev-account-access", // unique within the version's resource policy
    };
    var exampleLayerVersionPermission = new Aws.Lambda.LayerVersionPermission("example", permissionArgs);
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.lambda.LayerVersion;
import com.pulumi.aws.lambda.LayerVersionArgs;
import com.pulumi.aws.lambda.LayerVersionPermission;
import com.pulumi.aws.lambda.LayerVersionPermissionArgs;
import com.pulumi.asset.FileArchive;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Publishes the shared layer and grants one AWS account read access to that version. */
    public static void stack(Context ctx) {
        // Lambda layer to share
        var layerArgs = LayerVersionArgs.builder()
            .code(new FileArchive("layer.zip"))
            .layerName("shared_utilities")
            .description("Common utilities for Lambda functions")
            .compatibleRuntimes("nodejs20.x", "python3.12")
            .build();
        var example = new LayerVersion("example", layerArgs);

        // Grant lambda:GetLayerVersion on this single version to one AWS account.
        // The grant is bound to versionNumber; a new layer version needs its own permission.
        var permissionArgs = LayerVersionPermissionArgs.builder()
            .layerName(example.layerName())
            .versionNumber(example.version())
            .principal("123456789012") // consuming account ID
            .action("lambda:GetLayerVersion")
            .statementId("dev-account-access") // unique within the version's resource policy
            .build();
        var exampleLayerVersionPermission = new LayerVersionPermission("exampleLayerVersionPermission", permissionArgs);
    }
}
resources:
  # Lambda layer to share
  example:
    type: aws:lambda:LayerVersion
    properties:
      code:
        fn::FileArchive: layer.zip
      layerName: shared_utilities
      description: Common utilities for Lambda functions
      compatibleRuntimes:
        - nodejs20.x
        - python3.12
  # Grant permission to specific AWS account.
  # The grant is bound to versionNumber; a new layer version needs its own permission.
  exampleLayerVersionPermission:
    type: aws:lambda:LayerVersionPermission
    name: example
    properties:
      layerName: ${example.layerName}
      versionNumber: ${example.version}
      principal: '123456789012'  # consuming account ID
      action: lambda:GetLayerVersion
      statementId: dev-account-access  # unique within the version's resource policy

The principal property specifies the AWS account ID that can access the Layer. The action property is always lambda:GetLayerVersion for Layer access. The statementId provides a unique identifier for this permission in the Layer’s resource policy. Permissions apply only to the specific versionNumber; new Layer versions require new permissions.

Share across an entire AWS Organization

Organizations with many AWS accounts can grant Layer access to all accounts under a single Organization ID.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// principal "*" scoped by organizationId: every account in the Organization
// can fetch this one Layer version (the grant is bound to versionNumber).
const orgAccessArgs: aws.lambda.LayerVersionPermissionArgs = {
    layerName: exampleAwsLambdaLayerVersion.layerName,
    versionNumber: exampleAwsLambdaLayerVersion.version,
    principal: "*",
    organizationId: "o-1234567890",
    action: "lambda:GetLayerVersion",
    statementId: "org-wide-access", // unique within the version's resource policy
};
const example = new aws.lambda.LayerVersionPermission("example", orgAccessArgs);
import pulumi
import pulumi_aws as aws

# principal "*" scoped by organization_id: every account in the Organization
# can fetch this one Layer version (the grant is bound to version_number).
layer = example_aws_lambda_layer_version
example = aws.lambda_.LayerVersionPermission(
    "example",
    layer_name=layer["layerName"],
    version_number=layer["version"],
    principal="*",
    organization_id="o-1234567890",
    action="lambda:GetLayerVersion",
    statement_id="org-wide-access",  # unique within the version's resource policy
)
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/lambda"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(deploy)
}

// deploy grants every account in one AWS Organization permission to read a
// single existing Lambda layer version.
func deploy(ctx *pulumi.Context) error {
	// Principal "*" scoped by OrganizationId: all accounts in the Organization.
	// The grant is bound to VersionNumber; a new layer version needs its own.
	args := &lambda.LayerVersionPermissionArgs{
		LayerName:      pulumi.Any(exampleAwsLambdaLayerVersion.LayerName),
		VersionNumber:  pulumi.Any(exampleAwsLambdaLayerVersion.Version),
		Principal:      pulumi.String("*"),
		OrganizationId: pulumi.String("o-1234567890"),
		Action:         pulumi.String("lambda:GetLayerVersion"),
		StatementId:    pulumi.String("org-wide-access"), // unique within the version's policy
	}
	_, err := lambda.NewLayerVersionPermission(ctx, "example", args)
	return err
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() =>
{
    // Principal "*" scoped by OrganizationId: every account in the Organization
    // can fetch this one layer version (the grant is bound to VersionNumber).
    var orgAccessArgs = new Aws.Lambda.LayerVersionPermissionArgs
    {
        LayerName = exampleAwsLambdaLayerVersion.LayerName,
        VersionNumber = exampleAwsLambdaLayerVersion.Version,
        Principal = "*",
        OrganizationId = "o-1234567890",
        Action = "lambda:GetLayerVersion",
        StatementId = "org-wide-access", // unique within the version's resource policy
    };
    var example = new Aws.Lambda.LayerVersionPermission("example", orgAccessArgs);
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.lambda.LayerVersionPermission;
import com.pulumi.aws.lambda.LayerVersionPermissionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Grants every account in one AWS Organization read access to an existing layer version. */
    public static void stack(Context ctx) {
        // principal "*" scoped by organizationId: all accounts in the Organization.
        // The grant is bound to versionNumber; a new layer version needs its own permission.
        var orgAccessArgs = LayerVersionPermissionArgs.builder()
            .layerName(exampleAwsLambdaLayerVersion.layerName())
            .versionNumber(exampleAwsLambdaLayerVersion.version())
            .principal("*")
            .organizationId("o-1234567890")
            .action("lambda:GetLayerVersion")
            .statementId("org-wide-access") // unique within the version's resource policy
            .build();
        var example = new LayerVersionPermission("example", orgAccessArgs);
    }
}
resources:
  # principal '*' scoped by organizationId: every account in the Organization
  # can fetch this one layer version (the grant is bound to versionNumber).
  example:
    type: aws:lambda:LayerVersionPermission
    properties:
      layerName: ${exampleAwsLambdaLayerVersion.layerName}
      versionNumber: ${exampleAwsLambdaLayerVersion.version}
      principal: '*'
      organizationId: o-1234567890
      action: lambda:GetLayerVersion
      statementId: org-wide-access  # unique within the version's resource policy

When using organizationId, set principal to * to allow all accounts within the Organization. This avoids managing individual account permissions as your Organization grows. The permission still applies to a single Layer version.

Make a Layer publicly accessible

Open-source projects or public utilities can make Layers available to any AWS account by setting principal to the wildcard * and omitting organizationId.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// principal "*" with no organizationId: any AWS account can use this Layer
// version, i.e. it is public. Only this versionNumber is exposed.
const publicAccessArgs: aws.lambda.LayerVersionPermissionArgs = {
    layerName: exampleAwsLambdaLayerVersion.layerName,
    versionNumber: exampleAwsLambdaLayerVersion.version,
    principal: "*",
    action: "lambda:GetLayerVersion",
    statementId: "public-access", // unique within the version's resource policy
};
const example = new aws.lambda.LayerVersionPermission("example", publicAccessArgs);
import pulumi
import pulumi_aws as aws

# principal "*" with no organization_id: any AWS account can use this Layer
# version, i.e. it is public. Only this version_number is exposed.
layer = example_aws_lambda_layer_version
example = aws.lambda_.LayerVersionPermission(
    "example",
    layer_name=layer["layerName"],
    version_number=layer["version"],
    principal="*",
    action="lambda:GetLayerVersion",
    statement_id="public-access",  # unique within the version's resource policy
)
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/lambda"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(deploy)
}

// deploy makes a single existing Lambda layer version readable by any AWS
// account (public access).
func deploy(ctx *pulumi.Context) error {
	// Principal "*" with no OrganizationId: any AWS account can use this
	// version. Only this VersionNumber is exposed.
	args := &lambda.LayerVersionPermissionArgs{
		LayerName:     pulumi.Any(exampleAwsLambdaLayerVersion.LayerName),
		VersionNumber: pulumi.Any(exampleAwsLambdaLayerVersion.Version),
		Principal:     pulumi.String("*"),
		Action:        pulumi.String("lambda:GetLayerVersion"),
		StatementId:   pulumi.String("public-access"), // unique within the version's policy
	}
	_, err := lambda.NewLayerVersionPermission(ctx, "example", args)
	return err
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() =>
{
    // Principal "*" with no OrganizationId: any AWS account can use this layer
    // version, i.e. it is public. Only this VersionNumber is exposed.
    var publicAccessArgs = new Aws.Lambda.LayerVersionPermissionArgs
    {
        LayerName = exampleAwsLambdaLayerVersion.LayerName,
        VersionNumber = exampleAwsLambdaLayerVersion.Version,
        Principal = "*",
        Action = "lambda:GetLayerVersion",
        StatementId = "public-access", // unique within the version's resource policy
    };
    var example = new Aws.Lambda.LayerVersionPermission("example", publicAccessArgs);
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.lambda.LayerVersionPermission;
import com.pulumi.aws.lambda.LayerVersionPermissionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Makes a single existing layer version readable by any AWS account (public access). */
    public static void stack(Context ctx) {
        // principal "*" with no organizationId: any AWS account can use this layer
        // version, i.e. it is public. Only this versionNumber is exposed.
        var publicAccessArgs = LayerVersionPermissionArgs.builder()
            .layerName(exampleAwsLambdaLayerVersion.layerName())
            .versionNumber(exampleAwsLambdaLayerVersion.version())
            .principal("*")
            .action("lambda:GetLayerVersion")
            .statementId("public-access") // unique within the version's resource policy
            .build();
        var example = new LayerVersionPermission("example", publicAccessArgs);
    }
}
resources:
  # principal '*' with no organizationId: any AWS account can use this layer
  # version, i.e. it is public. Only this versionNumber is exposed.
  example:
    type: aws:lambda:LayerVersionPermission
    properties:
      layerName: ${exampleAwsLambdaLayerVersion.layerName}
      versionNumber: ${exampleAwsLambdaLayerVersion.version}
      principal: '*'
      action: lambda:GetLayerVersion
      statementId: public-access  # unique within the version's resource policy

Setting principal to * without an organizationId makes the Layer publicly accessible. Any AWS account can reference and use this Layer version in their Lambda functions, so treat the Layer's contents as public. This is useful for distributing open-source utilities or shared libraries.

Beyond these examples

These snippets focus on specific Layer permission features: account-specific and organization-wide sharing, and public Layer distribution. They’re intentionally minimal rather than full Layer publishing workflows.

The examples reference pre-existing infrastructure such as Lambda Layer versions (aws.lambda.LayerVersion). They focus on configuring access permissions rather than creating the Layers themselves.

To keep things focused, common permission patterns are omitted, including:

  • Permission retention on destroy (skipDestroy)
  • Multiple permissions per Layer (one LayerVersionPermission per principal, each with a unique statementId; see the FAQ below)
  • Cross-region Layer sharing (region property)

These omissions are intentional: the goal is to illustrate how Layer permissions are wired, not provide drop-in Layer distribution modules. See the Lambda LayerVersionPermission resource reference for all available configuration options.


Frequently Asked Questions

Sharing & Access Control
How do I share a Lambda layer with a specific AWS account?
Set principal to the target account ID (e.g., 123456789012) and specify the layer version with versionNumber.
How do I share a layer with my entire AWS organization?
Set principal to * and provide your organizationId (e.g., o-1234567890). The wildcard principal is required when using organization-based sharing.
How do I make a Lambda layer publicly accessible to all AWS accounts?
Set principal to * without specifying an organizationId. This grants access to any AWS account.
How do I share a layer with multiple specific accounts?
Create separate LayerVersionPermission resources for each account, using unique statementId values for each permission.
Permissions & Versioning
Do permissions apply to all versions of a layer?
No, permissions only apply to a single version. You must create separate permissions for each layer version you want to share.
What properties can't be changed after creating a permission?
Most properties are immutable: action, layerName, principal, statementId, versionNumber, organizationId, and skipDestroy. You must recreate the resource to change these.
What action should I use for layer permissions?
Use lambda:GetLayerVersion, which is the standard action for granting layer access.
Lifecycle Management
What happens if I set skipDestroy to true?
The permission persists after pulumi destroy as an unmanaged resource that Pulumi no longer tracks and that may incur extra AWS charges. Only use this when you intentionally want to retain permissions.
Will layer permissions be deleted when I destroy the resource?
Yes, by default (skipDestroy is false). Set skipDestroy to true only if you want permissions to persist after resource deletion.
