So I’m trying to create a Lambda which needs to run inside a container. I followed this doc.
Based on the documentation I’ve created a serverless.yml which looks like this:
provider:
name: aws
ecr:
images:
fileimage:
path: src/main/files # folder with Dockerfile
functions:
file-upload:
image:
name: fileimage
command:
- lambda_function.upload
Dockerfile:
FROM public.ecr.aws/lambda/python:3.8
COPY requirements.txt ./
RUN pip install --no-cache-dir -r requirements.txt
COPY lambda_function.py ./
COPY lib ./lib
This code seems to be working when performing serverless package. It creates an ECR repo and pushes an image using the Dockerfile. But when I try to perform serverless deploy I get:
Serverless Error ----------------------------------------
An error occurred: FileDashuploadLambdaFunction - Resource handler returned message: "Lambda does not have permission to access the ECR image. Check the ECR permissions. (Service: Lambda, Status Code: 403, Request ID: 320b99c8-f0bb-4974-a8bc-0b0d0b12cd0d, Extended Request ID: null)" (RequestToken: f1718b7a-08db-614f-6099-92dfb327d7ea, HandlerErrorCode: AccessDenied).
My quick Google search led me to the solution. I had to add permissions to the ECR repo manually:
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "LambdaECRImageRetrievalPolicy",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": [
"ecr:BatchGetImage",
"ecr:DeleteRepositoryPolicy",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:SetRepositoryPolicy"
]
}
]
}
For my use case I have a pipeline where I setup an entire infrastructure using terraform and serverless, perform some testing and destroy the entire infra. So knowing this I really want to avoid adding the permissions manually to the repo.
Is there a way I can add these permissions automatically to the created ECR repo ?
That’s interesting, we didn’t run into it during testing so far. Could you please report it as an issue here: