- Newest
- Most votes
- Most comments
The service principal lambda.amazonaws.com doesn't reside inside your AWS Organizations org, so the aws:Principal* condition keys won't work with it. You'll need to use aws:SourceOrgID
instead. That key checks the org on whose behalf the service principal is acting.
You could try this condition restriction in the repository policy, combined with the service principal lambda.amazonaws.com, if that's the identity under which ECR is accessed:
"Condition": {
"StringEquals": {
"aws:SourceOrgID": "o-xxxxxxxxxxx"
}
}
If ECR is accessed by an IAM role in each of your member accounts, then you'll need to set the Principal
element (not the service principal) to a *
wildcard and set the condition block to:
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "o-xxxxxxxxxxx"
}
}
If creating the Lambda function in the member account is returning an error, then I suggest you check which principal is trying to create the function. If you aren't sure, you should see it easily in CloudTrail events in the region where the function is attempted to be created. If the principal is an IAM role, the IAM policies attached to the role will also need to allow access to your ECR repository, because it resides in a different AWS account.
Relevant content
- asked a year ago
- Accepted Answerasked 2 months ago
- Accepted Answerasked 2 years ago
- asked 3 months ago
- AWS OFFICIALUpdated 4 months ago
- AWS OFFICIALUpdated a month ago
- AWS OFFICIALUpdated 9 months ago