'AddLayerVersionPermission' allows no action other than 'lambda:GetLayerVersion'


The AddLayerVersionPermission operation is used to control resource-based access for Lambda Layers. Currently only one action is allowed, which is lambda:GetLayerVersion. This is restricted by a regex pattern and character length in the Botocore definitions and appears to have been the case since at least 2021-06:

https://github.com/boto/botocore/blob/cf7b8449643187670620ab699596ca785e3ec889/botocore/data/lambda/2015-03-31/service-2.json#L3906-L3909

However, this contradicts AWS documentation, which lists various other Layer-related policy actions that should be valid:

https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html#permissions-resources-layers

Furthermore, error messages from cross-account setups suggest that other actions should be allowed as valid inputs for AddLayerVersionPermission.

botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the ListLayerVersions operation: User: arn:aws:iam::XXXXXXXXXX:user/XXXX is not authorized to perform: lambda:ListLayerVersions on resource: arn:aws:lambda:eu-central-1:XXXXXXXXXXXX:layer:layer-XXXXXXXX because no resource-based policy allows the lambda:ListLayerVersions action

Is this a bug? Did it go unnoticed for three years?

viren
asked 2 months ago, 67 views
No Answers
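As an added example (not code from the question, from botocore or from AWS), a pre-flight check that mirrors the Action constraint declared in the linked service-model definition, so a deployment script can tell in advance which layer actions a layer resource policy can carry and which will be rejected; the pattern and 22-character maximum are assumed from that definition, and the sample action list is constructed.

```python
import re

# Constraint on the Action parameter of AddLayerVersionPermission as declared
# in botocore's Lambda service model: one fixed pattern and a 22-character
# maximum (assumed from the linked definition; the pattern equals the one
# action the question says is accepted).
LAYER_ACTION_PATTERN = re.compile(r"lambda:GetLayerVersion")
LAYER_ACTION_MAX_LEN = 22


def is_allowed_layer_policy_action(action: str) -> bool:
    """Mirror the service model's length and regex checks for Action."""
    if len(action) > LAYER_ACTION_MAX_LEN:
        return False
    # fullmatch, so that e.g. lambda:GetLayerVersionPolicy does not slip past
    return LAYER_ACTION_PATTERN.fullmatch(action) is not None


def plan_layer_actions(wanted: list[str]) -> dict[str, list[str]]:
    """Split desired actions into those a layer resource policy can carry
    and those that AddLayerVersionPermission will not accept."""
    plan = {"grantable": [], "rejected": []}
    for action in wanted:
        key = "grantable" if is_allowed_layer_policy_action(action) else "rejected"
        plan[key].append(action)
    return plan


def build_add_permission_request(layer_name, version, principal, statement_id):
    """Keyword arguments for boto3's lambda.add_layer_version_permission
    (built, not executed). Action is fixed to the only accepted value."""
    return {
        "LayerName": layer_name,
        "VersionNumber": version,
        "StatementId": statement_id,
        "Action": "lambda:GetLayerVersion",
        "Principal": principal,
    }


if __name__ == "__main__":
    # Constructed sample: the accepted action, the action from the question's
    # AccessDenied error, and a longer action from the permissions reference.
    wanted = ["lambda:GetLayerVersion", "lambda:ListLayerVersions",
              "lambda:GetLayerVersionPolicy"]
    print(plan_layer_actions(wanted))
```

Anything in the "rejected" list has to be granted by some other means than a layer resource policy (for example the caller's own identity-based policy within the same account), since the API will not carry it.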
