I tried to create an AWS Lambda function with a container image. However, I received an Amazon Elastic Container Registry (Amazon ECR) permission error similar to the following: "Lambda does not have permission to access the ECR image. Check the ECR permissions"
Short description
To create a Lambda function from a container image, you must configure AWS Identity and Access Management (IAM) policies that allow access on both sides: the IAM user or role that creates or updates the function must be allowed to read the image, and the Amazon ECR repository policy must allow the Lambda service to pull it. If either is missing, the create or update call fails with the permission error above.
Note: Before you create the Lambda function, first create a Lambda container image. Then, upload the image to an Amazon ECR repository.
Resolution
Follow the steps to set a private repository policy statement in Amazon ECR. Then, add a policy statement to create a Lambda function from the Amazon ECR image URI in the same AWS account or cross-account.
Note: It's a best practice to grant least privilege permissions with IAM policies.
Add a policy statement in the same account
In the following repository policy, the Lambda service principal (lambda.amazonaws.com) is allowed to call the ecr:BatchGetImage and ecr:GetDownloadUrlForLayer API actions on the repository. A repository policy is attached to one repository, so it needs no Resource element.
Example Amazon ECR repository policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "LambdaECRImageRetrievalPolicy",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": [
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
]
}
]
}
Important: When the repository is in the same account as the function, Lambda adds the preceding permissions to the repository policy automatically if they're missing. Lambda can add them only if the principal that calls Lambda has the ecr:GetRepositoryPolicy and ecr:SetRepositoryPolicy permissions on the repository. For more information, see Amazon ECR repository policies.
Add policy statements for a cross-account repository
The user or role that creates or updates the Lambda function must have ecr:BatchGetImage and ecr:GetDownloadUrlForLayer permissions to the ECR repository.
In the following example, the Lambda function is created in account 111111111111 and the Amazon ECR repository is in account 222222222222.
Example IAM policy that allows the user or role access to the cross-account Amazon ECR repository:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ECRRepositoryAccessPermissions",
"Effect": "Allow",
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage"
],
"Resource": "arn:aws:ecr:us-east-1:222222222222:repository/your-repository"
}
]
}
Note: Replace arn:aws:ecr:us-east-1:222222222222:repository/your-repository with your ECR repository resource Amazon Resource Name (ARN).
In the following example, the CrossAccountPermission statement allows principals in account 111111111111 to create and update Lambda functions that use images from the Amazon ECR repository. The root principal means any user or role in that account whose own IAM policy also grants the ECR actions; to follow least privilege, replace it with the ARN of the specific role that deploys the function. The LambdaECRImageCrossAccountRetrievalPolicy statement allows the Lambda service to pull the image, and its aws:SourceArn condition restricts that pull to the named function in account 111111111111, so that Lambda functions in other accounts can't use the repository.
Example Amazon ECR repository cross-account policy allows the Lambda function to retrieve the container image:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CrossAccountPermission",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111111111:root"
},
"Action": [
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
]
},
{
"Sid": "LambdaECRImageCrossAccountRetrievalPolicy",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": [
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
],
"Condition": {
"StringLike": {
"aws:SourceArn": "arn:aws:lambda:us-east-1:111111111111:function:your-function"
}
}
}
]
}
Note: Replace arn:aws:lambda:us-east-1:111111111111:function:your-function with your Lambda function ARN. The ARN must include the function: segment; a value without it never matches, and Lambda is denied the pull. To allow every function in the account instead of one, use arn:aws:lambda:us-east-1:111111111111:function:* as the StringLike value.
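The following script is an added example and is not AWS's own tooling. It generates the repository policy described in the same-account and cross-account sections above for any number of functions, and then checks an arbitrary repository policy document for the conditions that produce the "Lambda does not have permission to access the ECR image" error: no Allow for the Lambda service principal, no grant to the calling account, or (cross-account) a service-principal grant that lacks an aws:SourceArn condition or points at a malformed function ARN. It runs offline on constructed policy documents; applying the result with the ECR API is described in the usage note. Account IDs and function names in the demonstration are placeholders.

```python
"""Build and sanity-check an Amazon ECR repository policy for Lambda container images.

Added example, not part of the original article. Operates on policy documents
as Python dicts; nothing here calls AWS.
"""
import json

LAMBDA_ACTIONS = ("ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer")
LAMBDA_SERVICE = "lambda.amazonaws.com"


def _as_list(value):
    """Most IAM elements may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_repository_policy(repo_account, lambda_account, function_arns=()):
    """Return the repository policy that lets Lambda pull images from this repository.

    Same account: one statement for the Lambda service principal.
    Cross account: also allow the calling account, and scope the service-principal
    statement with aws:SourceArn so only the listed functions can use the image.
    """
    service_stmt = {
        "Sid": "LambdaECRImageRetrievalPolicy",
        "Effect": "Allow",
        "Principal": {"Service": LAMBDA_SERVICE},
        "Action": list(LAMBDA_ACTIONS),
    }
    statements = [service_stmt]
    if repo_account != lambda_account:
        arns = sorted(function_arns)
        if not arns:
            raise ValueError("cross-account policy needs at least one function ARN")
        service_stmt["Sid"] = "LambdaECRImageCrossAccountRetrievalPolicy"
        service_stmt["Condition"] = {"StringLike": {"aws:SourceArn": arns[0] if len(arns) == 1 else arns}}
        statements.insert(0, {
            "Sid": "CrossAccountPermission",
            "Effect": "Allow",
            # Least privilege: replace :root with the deploying role's ARN in real use.
            "Principal": {"AWS": f"arn:aws:iam::{lambda_account}:root"},
            "Action": list(LAMBDA_ACTIONS),
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _grants_pull(statement):
    """True if the statement allows both actions Lambda needs (or ecr:*)."""
    actions = {a.lower() for a in _as_list(statement.get("Action"))}
    return "ecr:*" in actions or all(a.lower() in actions for a in LAMBDA_ACTIONS)


def _source_arns(statement):
    """Collect aws:SourceArn values from any string/ARN condition operator (keys are case-insensitive)."""
    arns = []
    for operator, keys in statement.get("Condition", {}).items():
        if operator.lower() in ("stringlike", "stringequals", "arnlike", "arnequals"):
            for key, value in keys.items():
                if key.lower() == "aws:sourcearn":
                    arns.extend(_as_list(value))
    return arns


def check_repository_policy(policy, repo_account, lambda_account):
    """Return a list of findings; an empty list means Lambda in lambda_account can pull the image."""
    findings, service_stmts = [], []
    account_allowed = repo_account == lambda_account
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or not _grants_pull(st):
            continue
        principal = {"AWS": "*"} if st.get("Principal") == "*" else st.get("Principal", {})
        sid = st.get("Sid", "<no Sid>")
        aws_principals = _as_list(principal.get("AWS"))
        if "*" in aws_principals:
            findings.append(f"{sid}: grants image pull to any AWS principal")
        if LAMBDA_SERVICE in _as_list(principal.get("Service")):
            service_stmts.append(st)
        if any(p == lambda_account or f":{lambda_account}:" in p for p in aws_principals):
            account_allowed = True
    if not service_stmts:
        findings.append(f"no Allow statement grants {', '.join(LAMBDA_ACTIONS)} to {LAMBDA_SERVICE}")
    if not account_allowed:
        findings.append(f"no statement lets principals in account {lambda_account} pull the image")
    if repo_account != lambda_account:
        for st in service_stmts:
            sid = st.get("Sid", "<no Sid>")
            arns = _source_arns(st)
            if not arns:
                findings.append(f"{sid}: Lambda service grant has no aws:SourceArn condition, so functions in any account can pull this image")
            elif not all(f":{lambda_account}:function:" in a for a in arns):
                findings.append(f"{sid}: aws:SourceArn does not name Lambda functions in account {lambda_account} (missing 'function:' segment?)")
    return findings


if __name__ == "__main__":
    # Constructed placeholder accounts and function name, as in the article.
    policy = build_repository_policy("222222222222", "111111111111",
                                     ["arn:aws:lambda:us-east-1:111111111111:function:your-function"])
    print(json.dumps(policy, indent=2))
    print("findings:", check_repository_policy(policy, "222222222222", "111111111111"))
```

To apply the generated document with the AWS CLI, write it to a file and run aws ecr set-repository-policy --repository-name your-repository --policy-text file://policy.json in the repository's account; aws ecr get-repository-policy returns the current policy as a JSON string that can be passed through json.loads and into check_repository_policy when the error is reported.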
For more information, see Amazon ECR cross-account permissions.
Related information
Introducing cross-account Amazon ECR access for AWS Lambda
How do I troubleshoot permissions issues with Lambda?