Lambda does not have permission to access the ECR image


We are publishing our application on AWS Marketplace and testing our CloudFormation template. However, we are getting an error: "Lambda does not have permission to access the ECR image. Check the ECR permissions." We created the ECR repository in the AWS Marketplace account and pushed the Docker image there. We are testing the template in our personal root user account. We can't edit or create any policy in the AWS Marketplace repository directly; everything must be handled through the template. Can you suggest a solution? I will attach the CloudFormation template for your reference.

Parameters:
  lambdaFunctionName:
    Type: String
    Description: Name of the Lambda function to create

Resources:
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: LambdaRoleNLQ
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: LambdaExecutionPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: "*"
              # These ECR actions are granted to code running inside the function.
              # Lambda does not use the execution role to pull the container image,
              # so this statement does not address the "permission to access the ECR image" error.
              - Effect: Allow
                Action:
                  - ecr:GetDownloadUrlForLayer
                  - ecr:BatchGetImage
                  - ecr:GetAuthorizationToken
                  - ecr:BatchCheckLayerAvailability
                Resource: "*"

  lambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        ImageUri: xxxx
      Description: Example Lambda function using Docker image
      FunctionName: !Ref lambdaFunctionName
      PackageType: Image
      Timeout: 300
      MemorySize: 1024
      Role: !GetAtt LambdaExecutionRole.Arn

  FunctionURL:
    Type: AWS::Lambda::Url
    Properties:
      TargetFunctionArn: !GetAtt lambdaFunction.Arn
      AuthType: AWS_IAM

1 Answer

Hi,

The permissions that you are creating with the role are for the execution of the Lambda.

It seems that your problem is different: the Lambda runtime is not authorized to access and deploy the Lambda custom image that you created before executing it.

To allow the Lambda runtime, you must create an IAM resource-based policy on the ECR repo: see the section named "Amazon ECR repository policies" on the page https://docs.aws.amazon.com/lambda/latest/dg/images-create.html#gettingstarted-images-permissions

Best,

Didier

AWS EXPERT, answered 2 months ago
Hi, thank you for your response. I reviewed the provided documentation. According to the AWS documentation for Lambda functions, if Account B is pulling an ECR image from a marketplace account (Account A), a cross-account policy is necessary. Since our ECR repository is in Account A and we are creating a Lambda function in Account B, we need to ensure that the appropriate permissions are in place. However, we face a few challenges:

Cross-Account Policy Requirement: A policy must be in place to allow Account B to pull images from the ECR repository in Account A.

No Manual Intervention: We cannot request buyers (Account B) to provide their Account IDs each time they make a purchase to add the IDs to the ECR policy.

Given these constraints, can you suggest a solution that automates the cross-account access setup without requiring manual intervention for each purchase?