Lambda does not have permission to access the ECR image
We are publishing our application on AWS Marketplace and testing our CloudFormation template. However, we are getting an error: "Lambda does not have permission to access the ECR image. Check the ECR permissions." We created the ECR repository in the AWS Marketplace account and pushed the Docker image there. We are testing the template in our personal root user account. We can't edit or create any policy in the AWS Marketplace repository directly; everything must be handled through the template. Can you suggest a solution? I will attach the CloudFormation template for your reference.
```yaml
LambdaExecutionRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName: LambdaRoleNLQ
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Service: lambda.amazonaws.com
          Action: sts:AssumeRole
    Policies:
      - PolicyName: LambdaExecutionPolicy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            # CloudWatch Logs access for the function at run time
            - Effect: Allow
              Action:
                - logs:CreateLogGroup
                - logs:CreateLogStream
                - logs:PutLogEvents
              Resource: "*"
            # ECR read access granted to the execution role
            - Effect: Allow
              Action:
                - ecr:GetDownloadUrlForLayer
                - ecr:BatchGetImage
                - ecr:GetAuthorizationToken
                - ecr:BatchCheckLayerAvailability
              Resource: "*"
lambdaFunction:
  Type: AWS::Lambda::Function
  Properties:
    Code:
      ImageUri: xxxx
    Description: Example Lambda function using Docker image
    FunctionName: !Ref lambdaFunctionName
    PackageType: Image
    Timeout: 300
    MemorySize: 1024
    Role: !GetAtt LambdaExecutionRole.Arn
FunctionURL:
  Type: AWS::Lambda::Url
  Properties:
    TargetFunctionArn: !GetAtt lambdaFunction.Arn
    AuthType: AWS_IAM
```
asked 2 years ago, 4.6K views
Hi,
The permissions that you are creating with the role are for the execution of the Lambda.
It seems that your problem is different: the Lambda runtime is not authorized to access and deploy the Lambda custom image that you created before executing it.
To allow the Lambda runtime, you must create an IAM resource-based policy on the ECR repo: see section named Amazon ECR repository policies on page https://docs.aws.amazon.com/lambda/latest/dg/images-create.html#gettingstarted-images-permissions
Best,
Didier
Pratyusha, 2 years ago:
Hi, Thank you for your response. I reviewed the provided documentation. According to AWS documentation for Lambda functions, if Account B is pulling an ECR image from a marketplace account (Account A), a cross-account policy is necessary. Since our ECR repository is in Account A and we are creating a Lambda function in Account B, we need to ensure that the appropriate permissions are in place. However, we face a few challenges:

- Cross-Account Policy Requirement: A policy must be in place to allow Account B to pull images from the ECR repository in Account A.
- No Manual Intervention: We cannot request buyers (Account B) to provide their Account IDs each time they make a purchase to add the IDs to the ECR policy.

Given these constraints, can you suggest a solution that automates the cross-account access setup without requiring manual intervention for each purchase?
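The repository policy Didier's answer points to, written as a CloudFormation resource, as an added example that is not part of the question, the answer or the linked docs; the repository name, the region and the consumer account ID 111122223333 are placeholders. It is deployed in the account that owns the repository (Account A in the comment above), not in the buyer's template, because a resource-based policy can only be attached by the repository's owner.

```yaml
# Added example: ECR repository policy letting a Lambda function in a
# different account (the consumer, Account B) pull this image.
# 111122223333, us-east-1 and the repository name are placeholders.
Resources:
  MarketplaceImageRepository:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: example-nlq-image   # placeholder
      RepositoryPolicyText:
        Version: "2012-10-17"
        Statement:
          # The Lambda service principal itself fetches the image when the
          # function is created or updated, so the execution role's own
          # ecr:* permissions are not what gets checked here. The condition
          # limits the grant to functions living in the consumer account.
          - Sid: LambdaECRImageCrossAccountRetrievalPolicy
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action:
              - ecr:BatchGetImage
              - ecr:GetDownloadUrlForLayer
            Condition:
              StringLike:
                aws:SourceArn: arn:aws:lambda:us-east-1:111122223333:function:*
          # The consumer account's principals also need pull access so the
          # CreateFunction / UpdateFunctionCode call can resolve the image.
          - Sid: CrossAccountPermission
            Effect: Allow
            Principal:
              AWS: arn:aws:iam::111122223333:root
            Action:
              - ecr:BatchGetImage
              - ecr:GetDownloadUrlForLayer
```

Both statements name the consumer account explicitly (in the principal and in the aws:SourceArn condition), which is why the account ID has to be known to the repository owner at the time the policy is written.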
