
Commit 2ee4912

fix: grant testing account access to sandbox layers (#1141)
## Summary

- Sandbox layers were published without any resource-based permissions, blocking the self-monitoring account (`093468662994`) from accessing dev layer versions during CDK deployments.
- When `ADD_LAYER_VERSION_PERMISSIONS=0` (sandbox), the publish script now grants `lambda:GetLayerVersion` to the testing account instead of leaving the layer inaccessible.

## Test plan

- [ ] Trigger a sandbox layer publish and verify the layer version has a resource-based policy for `093468662994`
- [ ] Deploy `lmi-dev-agent` stack in self-monitoring repo using `ENVIRONMENT=dev` (pulls from `layers-dev.json` / sandbox account `425362996713`)
1 parent ecec868 commit 2ee4912

1 file changed

+9
-1
lines changed

.gitlab/scripts/publish_layers.sh

Lines changed: 9 additions & 1 deletion
@@ -50,7 +50,7 @@ publish_layer() {
5050
| jq -r '.Version'
5151
)
5252

53-
# Add permissions only for prod
53+
# Add permissions: public for prod, grant testing account access to sandbox layers
5454
if [ "$ADD_LAYER_VERSION_PERMISSIONS" = "1" ]; then
5555
permission=$(aws lambda add-layer-version-permission --layer-name $layer \
5656
--version-number $version_nbr \
@@ -59,6 +59,14 @@ publish_layer() {
5959
--principal "*" \
6060
--region $region
6161
)
62+
else
63+
permission=$(aws lambda add-layer-version-permission --layer-name $layer \
64+
--version-number $version_nbr \
65+
--statement-id "release-$version_nbr" \
66+
--action lambda:GetLayerVersion \
67+
--principal "093468662994" \
68+
--region $region
69+
)
6270
fi
6371

6472
echo $version_nbr
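Review bot: the new `else` branch runs whenever `ADD_LAYER_VERSION_PERMISSIONS` is anything other than `"1"`, including when the variable is unset, so the condition is broader than the "when `ADD_LAYER_VERSION_PERMISSIONS=0`" described in the commit message; a pipeline that forgets to export the variable would grant account `093468662994` access to a layer version that was never meant for it. Consider an explicit `elif [ "$ADD_LAYER_VERSION_PERMISSIONS" = "0" ]` (and failing on any other value), and move the hardcoded account id into a named variable so the cross-account grant is visible in one place and easy to audit. Separately, the `permission=$(...)` result is not checked in either branch, so unless the script sets `-e` elsewhere a failed `add-layer-version-permission` would fall through to `echo $version_nbr` and the publish would look successful; checking the exit status here would surface that. The unquoted `$layer`, `$version_nbr` and `$region` mirror the existing prod branch, but quoting them would be the safer pattern for both.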
