1 Answer
1
Hi,
The permissions that you are creating with the role are for the execution of the Lambda.
It seems that your problem is different: the Lambda runtime is not authorized to access and deploy the Lambda custom image that you created before executing it.
To allow the Lambda runtime, you must create an IAM resource-based policy on the ECR repo: see the section named "Amazon ECR repository policies" on the page https://docs.aws.amazon.com/lambda/latest/dg/images-create.html#gettingstarted-images-permissions
Best,
Didier
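An added example, not part of the answer above and not AWS code: it builds an ECR repository policy of the kind the answer refers to, for the cross-account case, and audits a policy document to confirm that Lambda in a given account can pull the image and that no statement uses a wildcard principal. The account IDs, the region, the Sid labels and the probe function name are constructed placeholders, and the audit is a simplified reading of IAM evaluation.

```python
from fnmatch import fnmatchcase

PULL = {"ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"}  # what Lambda needs to fetch an image

def build_policy(account_ids, region="us-east-1"):
    """Repository policy letting Lambda functions in the listed accounts pull images."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "CrossAccountPermission", "Effect": "Allow",
         "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in account_ids]},
         "Action": sorted(PULL)},
        {"Sid": "LambdaECRImageCrossAccountRetrievalPolicy", "Effect": "Allow",
         "Principal": {"Service": "lambda.amazonaws.com"},
         "Action": sorted(PULL),
         "Condition": {"StringLike": {"aws:sourceARN": [
             f"arn:aws:lambda:{region}:{a}:function:*" for a in account_ids]}}}]}

def _list(value):
    return value if isinstance(value, list) else [value]

def audit(policy, account_id, region="us-east-1"):
    """Findings for one consumer account; [] means both grants exist and no wildcard principal.
    Simplified: ignores Deny statements and wildcard actions such as ecr:*."""
    findings, account_ok, service_ok = [], False, False
    probe = f"arn:aws:lambda:{region}:{account_id}:function:probe"  # constructed function ARN
    for st in policy.get("Statement", []):
        principal = st.get("Principal", {})
        if st.get("Effect") != "Allow":
            continue
        if principal == "*" or "*" in _list(principal.get("AWS", [])):
            findings.append(f"{st.get('Sid', '?')}: wildcard principal")
            continue
        if not PULL <= set(_list(st.get("Action", []))):
            continue
        if f"arn:aws:iam::{account_id}:root" in _list(principal.get("AWS", [])):
            account_ok = True
        if "lambda.amazonaws.com" in _list(principal.get("Service", [])):
            # Condition keys are case-insensitive; no aws:sourceARN means an unscoped grant.
            cond = {k.lower(): v for k, v in st.get("Condition", {}).get("StringLike", {}).items()}
            patterns = _list(cond.get("aws:sourcearn", []))
            service_ok |= not patterns or any(fnmatchcase(probe, p) for p in patterns)
    if not account_ok:
        findings.append(f"account {account_id} is not granted the pull actions")
    if not service_ok:
        findings.append(f"lambda.amazonaws.com cannot pull on behalf of account {account_id}")
    return findings
```

The dictionary returned by `build_policy` can be serialized with `json.dumps` and applied to the repository with `aws ecr set-repository-policy`.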
Hi,

Thank you for your response. I reviewed the provided documentation. According to AWS documentation for Lambda functions, if Account B is pulling an ECR image from a marketplace account (Account A), a cross-account policy is necessary. Since our ECR repository is in Account A and we are creating a Lambda function in Account B, we need to ensure that the appropriate permissions are in place. However, we face a few challenges:

- Cross-Account Policy Requirement: A policy must be in place to allow Account B to pull images from the ECR repository in Account A.
- No Manual Intervention: We cannot request buyers (Account B) to provide their Account IDs each time they make a purchase to add the IDs to the ECR policy.

Given these constraints, can you suggest a solution that automates the cross-account access setup without requiring manual intervention for each purchase?