Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Lambda does not have permission to access the ECR image

With the recent release of Docker Images for Lambda functions, I've decided to try out this functionality using CloudFormation.

So, the lambda below considers a docker image stored in Elastic Container Registry, with permissions to access the image following the examples in the documentation.

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: lambda-docker-image

Globals:
  Function:
    Timeout: 180

Resources:
  DockerAsImage:
    Type: AWS::Serverless::Function 
    Properties:
      FunctionName: DockerAsImage
      ImageUri: ??????????????.dkr.ecr.us-west-2.amazonaws.com/????:latest
      PackageType: Image
      Policies: 
        - Version: '2012-10-17' 
          Statement:
            - Effect: Allow
              Action: 
                - ecr:*
                - ecr-public:*
                - sts:GetServiceBearerToken
              Resource: "*"
      Events:
        HelloWorld:
          Type: Api
          Properties:
            Path: /hello
            Method: post

I'm using sam to deploy the template in us-west-2 with

sam deploy -t template.yaml --capabilities "CAPABILITY_NAMED_IAM" --region "us-west-2" --stack-name "lambda-docker-example" --s3-bucket "my-bucket" --s3-prefix "sam_templates/lambda-docker-example" --force-upload  --no-confirm-changeset

However, just after the IAM Role is succesfuly created, the Lambda function fails to create with the following error

Lambda does not have permission to access the ECR image. Check the ECR permissions. (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException;

even though the role has access to any ecs resource. Another way I've tried is to create a separate role and assigned it to lambda through Role: !GetAtt Role.Arn, this approach doesn't work too.

like image 974
Miguel Trejo Avatar asked Dec 04 '20 03:12

Miguel Trejo


People also ask

How do I change permissions in Lambda?

Open the Functions page of the Lambda console. Choose a function. Choose Configuration and then choose Permissions.

Can AWS Lambda run Docker images?

Lambda supports only Linux-based container images. Lambda provides multi-architecture base images. However, the image you build for your function must target only one of the architectures. Lambda does not support functions that use multi-architecture container images.


3 Answers

Based on the comments.

To use image-based lambdas, it is the IAM user/role that requires ECR permissions, not the function itself. From docs:

Make sure that the permissions for the AWS Identity and Access Management (IAM) user or role that creates the function contain the AWS managed policies GetRepositoryPolicy and SetRepositoryPolicy.

In addition to the two permissions listed above, the ecr: InitiateLayerUpload is also needed.

like image 53
Marcin Avatar answered Oct 20 '22 21:10

Marcin


You must to add the following policy to your User and the Role that will be asociated to the AWS Lambda. This policy enables ECR actions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ecr:SetRepositoryPolicy",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:CompleteLayerUpload",
                "ecr:DescribeImages",
                "ecr:DescribeRepositories",
                "ecr:UploadLayerPart",
                "ecr:ListImages",
                "ecr:InitiateLayerUpload",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetRepositoryPolicy",
                "ecr:PutImage"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "ecr:GetAuthorizationToken",
            "Resource": "*"
        }
    ]
}
like image 36
ambigus9 Avatar answered Oct 20 '22 21:10

ambigus9


For a lambda in account 222222222222 to use an ECR image in 11111111111 then you need to follow https://aws.amazon.com/blogs/compute/introducing-cross-account-amazon-ecr-access-for-aws-lambda/

The most important IAM part is to set the following Repository policy on the 11111111111 repo:

      RepositoryPolicyText:
        Version: "2012-10-17"
        Statement:
          - Sid: CrossAccountPermission
            Effect: Allow
            Action:
              - ecr:BatchGetImage
              - ecr:GetDownloadUrlForLayer
            Principal:
              AWS:
                - arn:aws:iam::222222222222:root
          - Sid: LambdaECRImageCrossAccountRetrievalPolicy
            Effect: Allow
            Action:
              - ecr:BatchGetImage
              - ecr:GetDownloadUrlForLayer
            Principal:
              Service: lambda.amazonaws.com
            Condition:
              StringLike:
                aws:sourceArn:
                  - arn:aws:lambda:us-east-1:222222222222:function:*
like image 3
Regnoult Avatar answered Oct 20 '22 22:10

Regnoult