According to the Developer Guide, you should ensure that the permissions for the IAM user or role that creates the function contain the AWS managed policies GetRepositoryPolicy and SetRepositoryPolicy.
{
    "Effect": "Allow",
    "Action": [
        "ecr:SetRepositoryPolicy",
        "ecr:GetRepositoryPolicy"
    ],
    "Resource": "arn:aws:ecr:<region>:<account>:repository/<repo name>/"
}
These permissions are not set for your IAM user, according to the list you provided.
Alternatively, for a function in the same account as the container image in Amazon ECR, you can add ecr:BatchGetImage and ecr:GetDownloadUrlForLayer permissions to your Amazon ECR repository. It is unclear from your question, but it seems you granted these permissions to the IAM user that creates the function instead. However, the permissions should be granted to the AWS Lambda service as shown below:
{
    "Sid": "LambdaECRImageRetrievalPolicy",
    "Effect": "Allow",
    "Principal": {
        "Service": "lambda.amazonaws.com"
    },
    "Action": [
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
    ]
}
To view or edit your Amazon ECR repository permissions, follow the directions in Setting a repository policy statement.
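The check behind this answer, as an added example that is not part of the original thread or of any AWS tooling: given the policy text of an ECR repository (for instance the "policyText" field returned by aws ecr get-repository-policy), it reports which of the two pull actions are not granted to the Lambda service principal. The sample policies inside it are constructed, and the account ID and user name in them are placeholders.

```python
import json
from fnmatch import fnmatchcase

LAMBDA_PRINCIPAL = "lambda.amazonaws.com"
REQUIRED_ACTIONS = {"ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"}

def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _grants_lambda(statement):
    """True if the statement's Principal names the Lambda service (or "*")."""
    principal = statement.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return LAMBDA_PRINCIPAL in _as_list(principal.get("Service"))
    return False  # an AWS account or IAM user principal does not cover the service

def missing_lambda_actions(policy_text):
    """Return the required actions that no Allow statement grants to Lambda.

    Actions match case-insensitively with IAM-style wildcards ("ecr:*" counts).
    Conditions are not evaluated (assumption: review conditional Allows by hand).
    """
    policy = json.loads(policy_text)
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _grants_lambda(stmt):
            continue
        for pattern in _as_list(stmt.get("Action")):
            granted |= {a for a in REQUIRED_ACTIONS
                        if fnmatchcase(a.lower(), pattern.lower())}
    return REQUIRED_ACTIONS - granted

# Constructed sample policies (not captured from a real account). The first
# mirrors the mistake in the thread: the two actions are granted to an IAM
# user rather than to the Lambda service, so Lambda still cannot pull.
WRONG_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "OnWrongPrincipal", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:user/deployer"},
    "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]}]})
CORRECT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "LambdaECRImageRetrievalPolicy", "Effect": "Allow",
    "Principal": {"Service": "lambda.amazonaws.com"},
    "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]}]})
```

An empty result means the repository policy lets Lambda pull the image; a non-empty one lists what the LambdaECRImageRetrievalPolicy statement above still needs to add.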
Hey Dmitry, you were correct and I did add those to the IAM user and not the ECR Repository. I went back and added those to the repository permissions and added the GetRepositoryPolicy and SetRepositoryPolicy policies to the IAM role creating the Lambda. However, I am still getting the same error. Do you have any other ideas as to what could be causing this? Thanks again!
There might be several reasons for that. Do you use MFA? You might need to authenticate with the AWS CLI using MFA. If your account is part of an AWS Organization, check if there are any restricting SCPs. Also, check if there are any permission boundaries attached to your IAM user or role. You might also try the troubleshooting options described in the documentation and in this knowledge base post.
No, I don't use MFA, and I'm also not part of any AWS Organization. I also double-checked, and my IAM user doesn't have any permission boundaries set. I looked through that documentation already, but the error I get doesn't match any of those, so I wasn't able to get much from it. That post was super helpful in seeing all the access denied errors; however, for some reason, it isn't showing the access denied related to my create function call. I made sure to set the date/time appropriately and made a call to the createFunction function, but nothing was reported in CloudTrail, which I think is odd.