Container support for Lambda creating repo without permissions in ECR

So I’m trying to create a Lambda which needs to run inside a container. I followed this doc.

Based on the documentation I’ve created a serverless.yml which looks like this:

  name: aws
        path: src/main/files # folder with Dockerfile
      name: fileimage
        - lambda_function.upload



COPY requirements.txt ./
RUN pip install --no-cache-dir -r requirements.txt

COPY lib ./lib

This code seems to be working when performing serverless package. It creates an ECR repo and pushes an image using the Dockerfile. But when I try to perform serverless deploy I get:

Serverless Error ----------------------------------------
An error occurred: FileDashuploadLambdaFunction - Resource handler returned message: "Lambda does not have permission to access the ECR image. Check the ECR permissions. (Service: Lambda, Status Code: 403, Request ID: 320b99c8-f0bb-4974-a8bc-0b0d0b12cd0d, Extended Request ID: null)" (RequestToken: f1718b7a-08db-614f-6099-92dfb327d7ea, HandlerErrorCode: AccessDenied).

My quick Google search led me to the solution. I had to add permissions to the ECR repo manually:

  "Version": "2008-10-17",
  "Statement": [
      "Sid": "LambdaECRImageRetrievalPolicy",
      "Effect": "Allow",
      "Principal": {
        "Service": ""
      "Action": [

For my use case I have a pipeline where I set up an entire infrastructure using Terraform and Serverless, perform some testing and destroy the entire infra. So knowing this, I really want to avoid adding the permissions manually to the repo.

Is there a way I can add these permissions automatically to the created ECR repo?

Hello @VincentHuysmans1 :wave: That’s interesting, we didn’t run into it during testing so far. Could you please report it as an issue here: ?

Hi, I forgot about this question. I managed to solve the issue and the solution was not serverless related. I was running the script using AWS CodeBuild. The role of the CodeBuild project was missing some permissions. The missing policy was:

"Sid": "ECRPermissions",
            "Effect": "Allow",
            "Resource": [

Thanks for the clarification @VincentHuysmans1
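An added example, not part of any post in this thread: a pre-deploy check in Python that reports which permissions are missing from an ECR repository policy and from the deploying role's identity policy, so a pipeline can fail early instead of hitting the 403 above. The principal and action names are the ones AWS documents for Lambda container images and are assumptions here, since the policy excerpts in the thread are cut off; the sample policies are constructed, and Deny, NotAction and Condition are not evaluated.

```python
import fnmatch

# Values from AWS's Lambda container-image documentation (assumed; not from the thread).
LAMBDA_PRINCIPAL = "lambda.amazonaws.com"
PULL_ACTIONS = {"ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"}
# With these on the deploying role, Lambda can attach the repository policy itself.
DEPLOY_ACTIONS = {"ecr:GetRepositoryPolicy", "ecr:SetRepositoryPolicy"}


def _as_list(value):
    """IAM JSON allows most fields to be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allowed(statement, action):
    """True if an Allow statement's Action patterns (wildcards included) match action."""
    if statement.get("Effect") != "Allow":
        return False
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(statement.get("Action")))


def missing_repo_actions(repo_policy):
    """Pull actions the repository policy does not grant to the Lambda service."""
    granted = set()
    for st in _as_list(repo_policy.get("Statement")):
        principal = st.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if LAMBDA_PRINCIPAL in services:
            granted |= {a for a in PULL_ACTIONS if _allowed(st, a)}
    return PULL_ACTIONS - granted


def missing_deploy_actions(role_policy):
    """Repository-policy actions the deploying role's identity policy does not allow."""
    statements = _as_list(role_policy.get("Statement"))
    return {a for a in DEPLOY_ACTIONS if not any(_allowed(st, a) for st in statements)}


# Constructed sample documents (not the policies from the thread).
REPO_POLICY = {"Version": "2008-10-17", "Statement": [{
    "Sid": "LambdaECRImageRetrievalPolicy", "Effect": "Allow",
    "Principal": {"Service": "lambda.amazonaws.com"},
    "Action": ["ecr:BatchGetImage"]}]}
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "ECRPermissions", "Effect": "Allow",
    "Action": ["ecr:PutImage", "ecr:Get*"], "Resource": ["*"]}]}

if __name__ == "__main__":
    print("repo policy is missing:", sorted(missing_repo_actions(REPO_POLICY)))
    print("deploy role is missing:", sorted(missing_deploy_actions(ROLE_POLICY)))
```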