Lambda does not have permission to access the ECR image


Problem description

With the recent release of Docker Images for Lambda functions, I've decided to try out this functionality using CloudFormation.

So, the lambda below considers a docker image stored in Elastic Container Registry, with permissions to access the image following the examples in the documentation.

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: lambda-docker-image

Globals:
  Function:
    Timeout: 180

Resources:
  DockerAsImage:
    Type: AWS::Serverless::Function 
    Properties:
      FunctionName: DockerAsImage
      ImageUri: ??????????????.dkr.ecr.us-west-2.amazonaws.com/????:latest
      PackageType: Image
      Policies: 
        - Version: '2012-10-17' 
          Statement:
            - Effect: Allow
              Action: 
                - ecr:*
                - ecr-public:*
                - sts:GetServiceBearerToken
              Resource: "*"
      Events:
        HelloWorld:
          Type: Api
          Properties:
            Path: /hello
            Method: post

I'm using sam to deploy the template in us-west-2 with

sam deploy -t template.yaml --capabilities "CAPABILITY_NAMED_IAM" --region "us-west-2" --stack-name "lambda-docker-example" --s3-bucket "my-bucket" --s3-prefix "sam_templates/lambda-docker-example" --force-upload  --no-confirm-changeset

However, just after the IAM Role is successfully created, the Lambda function fails to create with the following error

Lambda does not have permission to access the ECR image. Check the ECR permissions. (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException;

even though the role has access to any ecs resource. Another way I've tried is to create a separate role and assign it to the lambda through Role: !GetAtt Role.Arn; this approach doesn't work either.

Recommended answer

Based on the comments.

To use image-based lambdas, it is the IAM user/role that requires ECR permissions, not the function itself. From docs:

Make sure that the permissions for the AWS Identity and Access Management (IAM) user or role that creates the function contain the AWS managed policies GetRepositoryPolicy and SetRepositoryPolicy.

In addition to the two permissions listed above, ecr:InitiateLayerUpload is also needed.
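An added example, not code from the question or the answer: an offline Python lint that checks whether the IAM policy document of the principal running `sam deploy` grants the three ECR actions the answer names. It illustrates both the question's mistake (ECR permissions attached to the function's execution role, while the deploying user/role has none) and the answer's fix. The list of required actions is an assumption taken from the answer, the sample policy documents and the account id in the repository ARN are constructed placeholders, and the checker ignores Resource, Condition and NotAction, so it is a pre-deploy sanity check rather than a substitute for IAM policy simulation.

```python
"""Offline pre-deploy check: does the IAM policy of the principal that runs
`sam deploy` grant the ECR actions needed to create an image-based Lambda?

Added example; not code from the question or the answer. The required
actions are taken from the answer above; the sample policies are constructed.
"""
import fnmatch
import json

# Assumed from the answer: the *deploying* user/role needs these, not the
# function's execution role.
REQUIRED_DEPLOYER_ACTIONS = (
    "ecr:GetRepositoryPolicy",
    "ecr:SetRepositoryPolicy",
    "ecr:InitiateLayerUpload",
)


def _as_list(value):
    """IAM allows a string or a list for Action/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def effective_allows(policy, actions):
    """Map each action to True if some Allow matches it and no Deny does.

    Resource, Condition and NotAction are ignored: this is a coarse lint,
    not a replacement for IAM policy simulation.
    """
    result = {}
    for action in actions:
        allowed = denied = False
        for stmt in _as_list(policy.get("Statement")):
            patterns = _as_list(stmt.get("Action"))
            if not any(_action_matches(p, action) for p in patterns):
                continue
            if stmt.get("Effect") == "Deny":
                denied = True
            elif stmt.get("Effect") == "Allow":
                allowed = True
        result[action] = allowed and not denied
    return result


def missing_deployer_actions(policy):
    """Return the required ECR actions the deployer policy does not grant."""
    allows = effective_allows(policy, REQUIRED_DEPLOYER_ACTIONS)
    return [a for a in REQUIRED_DEPLOYER_ACTIONS if not allows[a]]


def least_privilege_deployer_policy(repository_arn):
    """A deployer policy scoped to one repository (constructed example)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": list(REQUIRED_DEPLOYER_ACTIONS),
             "Resource": repository_arn}
        ],
    }


# Constructed sample mirroring the question: ECR rights live on the function's
# execution role, while the deployer itself only has Lambda/IAM/CloudFormation
# rights. Every required ECR action is therefore missing.
DEPLOYER_POLICY_FROM_QUESTION = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["lambda:*", "iam:PassRole", "cloudformation:*"],
         "Resource": "*"}
    ],
}

# Constructed sample: a broad ecr:* grant undone for one action by an explicit
# Deny, which is what a policy with a wildcard Allow can still fail on.
DEPLOYER_POLICY_WITH_DENY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ecr:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "ecr:SetRepositoryPolicy", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    # Placeholder account id and repository name; replace with your own.
    repo_arn = "arn:aws:ecr:us-west-2:123456789012:repository/REPO_NAME"
    for name, doc in [("question-style deployer", DEPLOYER_POLICY_FROM_QUESTION),
                      ("deny sample", DEPLOYER_POLICY_WITH_DENY),
                      ("least privilege", least_privilege_deployer_policy(repo_arn))]:
        print(name, "missing:", json.dumps(missing_deployer_actions(doc)))
```

Run it against the policy document of the user or role whose credentials `sam deploy` uses (for example, the JSON returned by `aws iam get-policy-version`); an empty list means the three actions are granted and the 403 from the function's own role is not where to look.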
