I tried to create an AWS Lambda function with a container image, but I received an Amazon Elastic Container Registry (Amazon ECR) permission error.
Short description
To create a Lambda function from a container image, the user or role creating the function and Amazon ECR repository must have policies that allow access.
Note: Before you create the Lambda function, first create a Lambda container image. Then, upload the image to an Amazon ECR repository.
For more information, see Deploying Lambda functions as container images.
Resolution
Follow these steps for setting a private repository policy statement.
Note: It's a best practice to grant least privilege for only the permissions required to perform a task. For more information, see Apply least-privilege permissions.
1. Create a Lambda function from the Amazon ECR image URI in the same AWS account
In the following example, Amazon ECR repository permissions must allow the ecr:BatchGetImage and ecr:GetDownloadUrlForLayer API actions to the Lambda service.
Example Amazon ECR repository policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "LambdaECRImageRetrievalPolicy",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": [
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
]
}
]
}
2. Create a Lambda function from the Amazon ECR image URI in a cross account
In the following example, the Lambda functions created in the AWS account 111111111111 and the Amazon ECR repository is in the AWS account 222222222222.
The user or role that created or updated the Lambda function must have ecr:BatchGetImage and ecr:GetDownloadUrlForLayer permissions on the ECR repository.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ECR Repository Access Permissions",
"Effect": "Allow",
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage"
],
"Resource": "arn:aws:ecr:us-east-1:222222222222:repository/hello-repository"
}
]
}
In the following example, the CrossAccountPermission statement allows AWS account 111111111111 to create and update Lambda functions that use images from the Amazon ECR repository.
Example Amazon ECR repository cross-account policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CrossAccountPermission",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111111111:root"
},
"Action": [
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
]
},
{
"Sid": "LambdaECRImageCrossAccountRetrievalPolicy",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": [
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
],
"Condition": {
"StringLike": {
"aws:sourceARN": "arn:aws:lambda:us-east-1:111111111111:function:*"
}
}
}
]
}
Lambda eventually sets a function's state to inactive if it's not invoked for an extended period of time.
Note: The LambdaECRImageCrossAccountRetrievalPolicy statement is required so that Lambda can retrieve the container image for AWS account 111111111111.
For more information, see Amazon ECR cross-account permissions.
Related information
Introducing cross-account Amazon ECR access for AWS Lambda
How do I troubleshoot permissions issues with Lambda?