ECR Cross account access to all accounts in an organization to create lambda function using the images in this repository

0

I want to give permission to create lambda functions in all the accounts in an organization using the images in this repository. Currently, this is not working.

If I remove the service value, I am able to pull the image but unable to create the Lambda function.

1 Answer
2

The service principal lambda.amazonaws.com doesn't reside inside your AWS Organizations org, so the aws:Principal* condition keys won't work with it. You'll need to use aws:SourceOrgID instead. That key checks the org on whose behalf the service principal is acting.

You could try this condition restriction in the repository policy, combined with the service principal lambda.amazonaws.com, if that's the identity under which ECR is accessed:

"Condition": {
    "StringEquals": {
        "aws:SourceOrgID": "o-xxxxxxxxxxx"
    }
}

If ECR is accessed by an IAM role in each of your member accounts, then you'll need to set the Principal element (not the service principal) to a * wildcard and set the condition block to:

"Condition": {
    "StringEquals": {
        "aws:PrincipalOrgID": "o-xxxxxxxxxxx"
    }
}

If creating the Lambda function in the member account is returning an error, then I suggest you check which principal is trying to create the function. If you aren't sure, you should see it easily in CloudTrail events in the region where the function creation is attempted. If the principal is an IAM role, the IAM policies attached to the role will also need to allow access to your ECR repository, because it resides in a different AWS account.

EXPERT
Leo K
answered 3 months ago
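A complete ECR repository policy that puts both of the answer's conditions into one document, as an added example (not the answer's own policy): the first statement covers the Lambda service principal scoped by aws:SourceOrgID, the second covers IAM roles in member accounts scoped by aws:PrincipalOrgID. The org ID is the placeholder from the answer, and the two actions are the ones Lambda needs to pull a container image (BatchGetImage and GetDownloadUrlForLayer); the Sid values are descriptive labels chosen here.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LambdaServiceFromAnyAccountInOrg",
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": [
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ],
      "Condition": {
        "StringEquals": {
          "aws:SourceOrgID": "o-xxxxxxxxxxx"
        }
      }
    },
    {
      "Sid": "IamRolesFromAnyAccountInOrg",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ],
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-xxxxxxxxxxx"
        }
      }
    }
  ]
}
```

Apply it with `aws ecr set-repository-policy --repository-name <repo> --policy-text file://policy.json` in the repository's account; the role that calls CreateFunction in the member account still needs the same two ecr: actions on the repository ARN in its own identity policy, as the answer notes.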
