With the recent release of Docker Images for Lambda
functions, I've decided to try out this functionality using CloudFormation
.
So, the lambda below considers a docker image stored in Elastic Container Registry
, with permissions to access the image following the examples in the documentation.
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: lambda-docker-image
Globals:
Function:
Timeout: 180
Resources:
DockerAsImage:
Type: AWS::Serverless::Function
Properties:
FunctionName: DockerAsImage
ImageUri: ??????????????.dkr.ecr.us-west-2.amazonaws.com/????:latest
PackageType: Image
Policies:
- Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- ecr:*
- ecr-public:*
- sts:GetServiceBearerToken
Resource: "*"
Events:
HelloWorld:
Type: Api
Properties:
Path: /hello
Method: post
I'm using sam
to deploy the template in us-west-2
with
sam deploy -t template.yaml --capabilities "CAPABILITY_NAMED_IAM" --region "us-west-2" --stack-name "lambda-docker-example" --s3-bucket "my-bucket" --s3-prefix "sam_templates/lambda-docker-example" --force-upload --no-confirm-changeset
However, just after the IAM
Role is succesfuly created, the Lambda
function fails to create with the following error
Lambda does not have permission to access the ECR image. Check the ECR permissions. (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException;
even though the role has access to any ecs
resource. Another way I've tried is to create a separate role and assigned it to lambda through Role: !GetAtt Role.Arn
, this approach doesn't work too.
Open the Functions page of the Lambda console. Choose a function. Choose Configuration and then choose Permissions.
Lambda supports only Linux-based container images. Lambda provides multi-architecture base images. However, the image you build for your function must target only one of the architectures. Lambda does not support functions that use multi-architecture container images.
Based on the comments.
To use image-based lambdas, it is the IAM user/role that requires ECR permissions, not the function itself. From docs:
Make sure that the permissions for the AWS Identity and Access Management (IAM) user or role that creates the function contain the AWS managed policies GetRepositoryPolicy and SetRepositoryPolicy.
In addition to the two permissions listed above, the ecr: InitiateLayerUpload
is also needed.
You must to add the following policy to your User and the Role that will be asociated to the AWS Lambda. This policy enables ECR actions:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ecr:SetRepositoryPolicy",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:CompleteLayerUpload",
"ecr:DescribeImages",
"ecr:DescribeRepositories",
"ecr:UploadLayerPart",
"ecr:ListImages",
"ecr:InitiateLayerUpload",
"ecr:BatchCheckLayerAvailability",
"ecr:GetRepositoryPolicy",
"ecr:PutImage"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "ecr:GetAuthorizationToken",
"Resource": "*"
}
]
}
For a lambda in account 222222222222 to use an ECR image in 11111111111 then you need to follow https://aws.amazon.com/blogs/compute/introducing-cross-account-amazon-ecr-access-for-aws-lambda/
The most important IAM part is to set the following Repository policy on the 11111111111 repo:
RepositoryPolicyText:
Version: "2012-10-17"
Statement:
- Sid: CrossAccountPermission
Effect: Allow
Action:
- ecr:BatchGetImage
- ecr:GetDownloadUrlForLayer
Principal:
AWS:
- arn:aws:iam::222222222222:root
- Sid: LambdaECRImageCrossAccountRetrievalPolicy
Effect: Allow
Action:
- ecr:BatchGetImage
- ecr:GetDownloadUrlForLayer
Principal:
Service: lambda.amazonaws.com
Condition:
StringLike:
aws:sourceArn:
- arn:aws:lambda:us-east-1:222222222222:function:*
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With