Lambda没有访问ECR图像的权限 [英] Lambda does not have permission to access the ECR image
问题描述
在最近发布的用于 Lambda
功能的Docker映像中,我决定使用 CloudFormation
尝试该功能.
With the recent release of Docker Images for Lambda
functions, I've decided to try out this functionality using CloudFormation
.
因此,下面的lambda会考虑存储在 Elastic Container Registry
中的docker映像,并具有按照
So, the lambda below considers a docker image stored in Elastic Container Registry
, with permissions to access the image following the examples in the documentation.
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: lambda-docker-image
Globals:
Function:
Timeout: 180
Resources:
DockerAsImage:
Type: AWS::Serverless::Function
Properties:
FunctionName: DockerAsImage
ImageUri: ??????????????.dkr.ecr.us-west-2.amazonaws.com/????:latest
PackageType: Image
Policies:
- Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- ecr:*
- ecr-public:*
- sts:GetServiceBearerToken
Resource: "*"
Events:
HelloWorld:
Type: Api
Properties:
Path: /hello
Method: post
我正在使用 sam
通过
us-west-2 部署模板
I'm using sam
to deploy the template in us-west-2
with
sam deploy -t template.yaml --capabilities "CAPABILITY_NAMED_IAM" --region "us-west-2" --stack-name "lambda-docker-example" --s3-bucket "my-bucket" --s3-prefix "sam_templates/lambda-docker-example" --force-upload --no-confirm-changeset
但是,成功创建 IAM
角色后, Lambda
函数无法创建,并出现以下错误
However, just after the IAM
Role is succesfuly created, the Lambda
function fails to create with the following error
Lambda does not have permission to access the ECR image. Check the ECR permissions. (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException;
即使该角色有权访问任何 ecs
资源.我尝试过的另一种方法是创建一个单独的角色,然后通过 Role:!GetAtt Role.Arn
将其分配给lambda,这种方法也行不通.
even though the role has access to any ecs
resource. Another way I've tried is to create a separate role and assigned it to lambda through Role: !GetAtt Role.Arn
, this approach doesn't work too.
推荐答案
基于评论.
要使用基于图像的lambda,需要ICR权限的是IAM用户/角色,而不是功能本身.来自文档:>
To use image-based lambdas, it is the IAM user/role that requires ECR permissions, not the function itself. From docs:
确保用于创建功能的AWS Identity and Access Management(IAM)用户或角色的权限包含AWS托管策略 GetRepositoryPolicy 和 SetRepositoryPolicy.
Make sure that the permissions for the AWS Identity and Access Management (IAM) user or role that creates the function contain the AWS managed policies GetRepositoryPolicy and SetRepositoryPolicy.
除了上面列出的两个权限外,还需要 ecr:InitiateLayerUpload
.
In addition to the two permissions listed above, the ecr: InitiateLayerUpload
is also needed.
这篇关于Lambda没有访问ECR图像的权限的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!