Issue
I try to use an ECR image via AWS lambda. AWS keeps saying that my image is invalid, without any further information.
Steps taken
I created a docker image based on the default AWS python image:
    FROM public.ecr.aws/lambda/python:3.10
    COPY catalog_sidecar.py ${LAMBDA_TASK_ROOT}
    CMD [ "catalog_sidecar.lambda_handler" ]
The python file is in the image and the callback handler is correct. I checked that.
I ensured the image is pushed to ECR.
I ensured the correct cross-account access policy on the central ECR we use. Regions are correct. Account IDs - replaced with **** in the code snippet - are correct.
    {
        "Sid": "permit-test",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::*****:root"
        },
        "Action": "ecr:*"
    },
    {
        "Sid": "permit-test-lambdas",
        "Effect": "Allow",
        "Principal": {
            "Service": "lambda.amazonaws.com"
        },
        "Action": "ecr:*",
        "Condition": {
            "StringLike": {
                "aws:sourceArn": "arn:aws:lambda:eu-west-1:*****:function:*"
            }
        }
    }
I even moved to full ECR access to rule out issues with the policy granularity.
Result
When I try to use the image out of the UI or out of Terraform, the result is always the same:
    Source image ***.dkr.ecr.eu-central-1.amazonaws.com/service-catalog-sidecar@sha256:*** is not valid. Provide a valid source image.
I tried both with sha256 hash as well as with tag name version of the URI.
Question
I checked multiple instructions and tutorials and they all seem to be aligned with what I did. I am looking for advice on how to proceed with that issue.
I believe your issue is with regions. Your lambda is in eu-west-1 but your image is in eu-central-1 - I have not tested with cross account but within the same account your image must be in the same region.
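The region check from the answer above can be run before deployment. The following is an added example, not part of the original posts: it parses the ECR image URI and the Lambda function ARN, compares their regions, and checks that the function ARN is covered by the aws:sourceArn patterns of the repository policy. The function name `preflight`, the 12-digit account IDs and the sample ARNs are constructed for illustration.

```python
import re
from fnmatch import fnmatchcase

# <account>.dkr.ecr.<region>.amazonaws.com/<repo>[:tag | @sha256:<digest>]
ECR_URI = re.compile(
    r"^(?P<account>\d{12})\.dkr\.ecr\.(?P<region>[a-z0-9-]+)\.amazonaws\.com/"
    r"(?P<repo>[a-z0-9._/-]+)(?::[\w.-]+|@sha256:[0-9a-f]{64})?$"
)
LAMBDA_ARN = re.compile(
    r"^arn:aws:lambda:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):function:.+$"
)


def preflight(image_uri, function_arn, source_arn_patterns=()):
    """Return a list of findings; an empty list means every check passed."""
    img = ECR_URI.match(image_uri)
    fn = LAMBDA_ARN.match(function_arn)
    if img is None:
        return ["image URI is not a well-formed ECR URI"]
    if fn is None:
        return ["function ARN is not a well-formed Lambda ARN"]

    findings = []
    # Lambda needs the image's repository in the same region as the function.
    if img["region"] != fn["region"]:
        findings.append(
            f"region mismatch: image is in {img['region']}, "
            f"function is in {fn['region']}"
        )
    # StringLike treats '*' and '?' as wildcards; fnmatchcase is used here
    # as an approximation of that matching (assumption of this example).
    if source_arn_patterns and not any(
        fnmatchcase(function_arn, p) for p in source_arn_patterns
    ):
        findings.append(
            "no aws:sourceArn pattern in the repository policy "
            "matches the function ARN"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample values mirroring the regions in the question.
    image = ("111111111111.dkr.ecr.eu-central-1.amazonaws.com/"
             "service-catalog-sidecar:latest")
    function = "arn:aws:lambda:eu-west-1:222222222222:function:sidecar"
    patterns = ["arn:aws:lambda:eu-west-1:222222222222:function:*"]
    for finding in preflight(image, function, patterns):
        print("FAIL:", finding)
```
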