Troubleshooting Serverless Layer not Authorized Errors
This guide helps you troubleshoot the deployment error not authorized to perform: lambda:GetLayerVersion on resource
. This error is commonly seen with Datadog Lambda Library layers or the Datadog Extension layer.
Regionality
Lambda functions can only include Lambda layers that are located in the same region as the function. Typically, this error occurs when users copy instrumentation settings from other applications deployed in different regions.
Verify that the Lambda layer region and Lambda function version match. Then verify that the version number is correct.
You can verify that a Lambda layer version exists by running aws lambda get-layer-version
with valid AWS credentials.
For example, to verify the Datadog Extension layer and the Datadog Node.js library layer, run:
aws lambda get-layer-version \
--layer-name arn:aws:lambda:us-east-1:464622532012:layer:Datadog-Node22-x \
--version-number 117
aws lambda get-layer-version \
--layer-name arn:aws:lambda:us-east-1:464622532012:layer:Datadog-Extension \
--version-number 66
Permissions
Occasionally, users accidentally explicitly DENY
permission for their functions to perform lambda:GetLayerVersion
. Some resource-based policy configurations can cause an explicit DENY
. Additionally, IAM permissions boundaries may also cause an explicit DENY
for lambda:GetLayerVersion
.
To test this, use an IAM user attached to the same IAM policy your Lambda function uses, and test the get-layer-version
command as listed above. The command should succeed with no errors.
If you need the Datadog support team to help investigate, include the following information in your ticket:
- The function’s configured Lambda layers (name and version, or ARNs).
- The project configuration files, with redacted hardcoded secrets:
serverless.yaml
, package.json
, package-lock.json
, yarn.lock
, tsconfig.json
, and webpack.config.json
. - The project IAM policies and role information.