URL: https://repost.aws/questions/QUTqHCUjGyTFG4Vm5kKDiM5w/lambda-does-not-have-permission-to-access-the-ecr-image

Lambda does not have permission to access the ECR image | AWS re:Post


Lambda does not have permission to access the ECR image

0

We are publishing our application on AWS Marketplace and testing our CloudFormation template. However, we are getting an error: "Lambda does not have permission to access the ECR image. Check the ECR permissions." We created the ECR repository in the AWS Marketplace account and pushed the Docker image there. We are testing the template in our personal root user account. We can't edit or create any policy in the AWS Marketplace repository directly; everything must be handled through the template. Can you suggest a solution? I will attach the CloudFormation template for your reference.

# Execution role assumed by the function at invoke time (not used for the image pull)
LambdaExecutionRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName: LambdaRoleNLQ
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Service: lambda.amazonaws.com
          Action: sts:AssumeRole
    Policies:
      - PolicyName: LambdaExecutionPolicy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            # CloudWatch Logs for the function's own output
            - Effect: Allow
              Action:
                - logs:CreateLogGroup
                - logs:CreateLogStream
                - logs:PutLogEvents
              Resource: "*"
            # ECR read permissions granted to the execution role
            - Effect: Allow
              Action:
                - ecr:GetDownloadUrlForLayer
                - ecr:BatchGetImage
                - ecr:GetAuthorizationToken
                - ecr:BatchCheckLayerAvailability
              Resource: "*"

# Container-image function; ImageUri points at the repository in the Marketplace account
lambdaFunction:
  Type: AWS::Lambda::Function
  Properties:
    Code:
      ImageUri: xxxx
    Description: Example Lambda function using Docker image
    FunctionName: !Ref lambdaFunctionName
    PackageType: Image
    Timeout: 300
    MemorySize: 1024
    Role: !GetAtt LambdaExecutionRole.Arn

# Function URL protected by IAM auth
FunctionURL:
  Type: AWS::Lambda::Url
  Properties:
    TargetFunctionArn: !GetAtt lambdaFunction.Arn
    AuthType: AWS_IAM

1 Answer
1

Hi,

The permissions that you are creating with the role are for the execution of the Lambda.

It seems that your problem is different: the Lambda runtime is not authorized to access and deploy the Lambda custom image that you created before executing it.

To allow the Lambda runtime, you must create an IAM resource-based policy on the ECR repo: see section named Amazon ECR repository policies on page https://docs.aws.amazon.com/lambda/latest/dg/images-create.html#gettingstarted-images-permissions

Best,

Didier

EXPERT

answered 2 years ago

  • Pratyusha
    2 years ago

    Hi, Thank you for your response. I reviewed the provided documentation. According to AWS documentation for Lambda functions, if Account B is pulling an ECR image from a marketplace account (Account A), a cross-account policy is necessary. Since our ECR repository is in Account A and we are creating a Lambda function in Account B, we need to ensure that the appropriate permissions are in place. However, we face a few challenges:

      • Cross-Account Policy Requirement: A policy must be in place to allow Account B to pull images from the ECR repository in Account A.
      • No Manual Intervention: We cannot request buyers (Account B) to provide their Account IDs each time they make a purchase to add the IDs to the ECR policy.

    Given these constraints, can you suggest a solution that automates the cross-account access setup without requiring manual intervention for each purchase?
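As an added worked example (not the poster's template and not AWS-provided code), the following builds the ECR repository policy that the documentation linked in the answer calls for, covering both the same-account and the cross-account case, and includes a small check that tells you whether a given function ARN would be allowed to pull under that policy before you deploy. The statement shapes follow the "Amazon ECR repository policies" section of the Lambda developer guide; the account IDs, regions, the repository name nlq-app and all function names are assumptions of this example. The constraint raised in the comment above still applies: the policy must name each buyer account (or its functions' ARNs) as a principal, so this does not by itself remove the need to know buyer account IDs.

```python
"""ECR repository policy for Lambda image pulls, including the cross-account
case discussed above.  Added example, not the poster's template and not
AWS-provided code.  Statement shapes follow the "Amazon ECR repository
policies" section of the Lambda developer guide linked in the answer; the
account IDs, regions and repository name used here are placeholders."""
import json
import re

# Actions the Lambda service needs on the repository to fetch the image layers.
PULL_ACTIONS = frozenset({"ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"})


def build_repository_policy(repository_account, consumer_accounts, regions):
    """Return a repository policy letting Lambda functions in each consumer
    account (and listed region) pull images.  A foreign account needs two
    statements: one for its account principal and one for the Lambda service
    principal scoped by aws:sourceArn, so only that account's functions match.
    The repository owner's own functions need only the service statement."""
    statements = []
    for account in consumer_accounts:
        if account != repository_account:
            statements.append({
                "Sid": f"CrossAccountPermission{account}",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account}:root"},
                "Action": sorted(PULL_ACTIONS),
            })
        statements.append({
            "Sid": f"LambdaECRImageRetrievalPolicy{account}",
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": sorted(PULL_ACTIONS),
            "Condition": {"StringLike": {"aws:sourceArn": [
                f"arn:aws:lambda:{region}:{account}:function:*" for region in regions
            ]}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _string_like(pattern, value):
    """IAM StringLike semantics: '*' matches any run of characters, '?' one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _grants_pull(statement, principal_key, principal_value):
    """True if an Allow statement names the principal and covers PULL_ACTIONS."""
    if statement.get("Effect") != "Allow":
        return False
    allowed = _as_list(statement.get("Principal", {}).get(principal_key, []))
    return principal_value in allowed and PULL_ACTIONS <= set(_as_list(statement.get("Action", [])))


def lambda_can_pull(policy, repository_account, function_arn):
    """Check whether the function identified by function_arn may pull from a
    repository owned by repository_account under `policy`.  Only the statement
    shapes produced above are modelled: no Deny evaluation, no other condition
    operators, and no policies from the function's own account."""
    function_account = function_arn.split(":")[4]
    service_ok = False
    for st in policy["Statement"]:
        if not _grants_pull(st, "Service", "lambda.amazonaws.com"):
            continue
        like = st.get("Condition", {}).get("StringLike", {})
        # Condition keys are case-insensitive (docs write aws:sourceArn / aws:sourceARN).
        patterns = [p for k, v in like.items() if k.lower() == "aws:sourcearn" for p in _as_list(v)]
        # Without a sourceArn condition, any account's Lambda could pull (confused deputy).
        if not patterns or any(_string_like(p, function_arn) for p in patterns):
            service_ok = True
            break
    if not service_ok or function_account == repository_account:
        return service_ok
    root = f"arn:aws:iam::{function_account}:root"
    return any(_grants_pull(st, "AWS", root) or _grants_pull(st, "AWS", function_account)
               for st in policy["Statement"])


def apply_repository_policy(ecr_client, repository_name, policy):
    """Attach the policy using a boto3 ECR client (ecr_client = boto3.client("ecr"))."""
    return ecr_client.set_repository_policy(
        repositoryName=repository_name, policyText=json.dumps(policy))


if __name__ == "__main__":
    # Placeholder IDs: 111111111111 owns the repository, 222222222222 is a buyer.
    policy = build_repository_policy("111111111111", ["222222222222"], ["us-east-1"])
    print(json.dumps(policy, indent=2))
    print(lambda_can_pull(policy, "111111111111",
                          "arn:aws:lambda:us-east-1:222222222222:function:nlq"))  # True
```

Two points worth noting when reading this against the template in the question. First, the ecr:* statement in the execution role plays no part here: as the answer says, the pull happens before the function runs, and it is authorized by the repository policy alone, which only the repository owner can attach. Second, the aws:sourceArn condition on the service-principal statement is what limits the grant to functions in the named account and regions; a service-principal statement without that condition would let functions in any account pull the image.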