Tags: amazon-web-services, aws-lambda, aws-cloudformation, amazon-ecs, aws-sam-cli

Lambda does not have permission to access the ECR image


With the recent release of Docker Images for Lambda functions, I've decided to try out this functionality using CloudFormation.

So, the lambda below considers a docker image stored in Elastic Container Registry, with permissions to access the image following the examples in the documentation.

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: lambda-docker-image

Globals:
  Function:
    Timeout: 180

Resources:
  DockerAsImage:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: DockerAsImage
      ImageUri: ??????????????.dkr.ecr.us-west-2.amazonaws.com/????:latest
      PackageType: Image
      Policies:
        - Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - ecr:*
                - ecr-public:*
                - sts:GetServiceBearerToken
              Resource: "*"
      Events:
        HelloWorld:
          Type: Api
          Properties:
            Path: /hello
            Method: post

I'm using sam to deploy the template in us-west-2 with

sam deploy -t template.yaml --capabilities "CAPABILITY_NAMED_IAM" --region "us-west-2" --stack-name "lambda-docker-example" --s3-bucket "my-bucket" --s3-prefix "sam_templates/lambda-docker-example" --force-upload --no-confirm-changeset

However, just after the IAM Role is successfully created, the Lambda function fails to create with the following error:

Lambda does not have permission to access the ECR image. Check the ECR permissions. (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException;

even though the role has access to any ecs resource. Another way I've tried is to create a separate role and assign it to the lambda through Role: !GetAtt Role.Arn, but this approach doesn't work either.


Solution

  • Based on the comments.

    To use image-based lambdas, it is the IAM user/role that requires ECR permissions, not the function itself. From docs:

    Make sure that the permissions for the AWS Identity and Access Management (IAM) user or role that creates the function contain the AWS managed policies GetRepositoryPolicy and SetRepositoryPolicy.

    In addition to the two permissions listed above, ecr:InitiateLayerUpload is also needed.
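As an added example (not code from the question, the answer, or AWS), the Python below checks whether an IAM policy document grants the three ECR actions named in the answer on a given repository ARN, using IAM's Allow/Deny semantics and `*`/`?` wildcards. The account id, repository name and the deployer policy are constructed placeholders; the function-role policy is copied from the question's template to show that it does grant everything, but to the function's execution role rather than to the principal running `sam deploy`.

```python
"""Check which ECR actions an IAM policy document grants on a repository ARN.

Added example; the policies, account id and repository name below are
constructed for illustration and are not real.
"""
import fnmatch
from typing import Dict, Iterable, List, Union

Statement = Dict[str, Union[str, List[str]]]
Policy = Dict[str, Union[str, List[Statement]]]

# The actions the answer says the deploying user/role needs.
REQUIRED_DEPLOYER_ACTIONS = (
    "ecr:GetRepositoryPolicy",
    "ecr:SetRepositoryPolicy",
    "ecr:InitiateLayerUpload",
)

# Placeholder repository ARN (constructed; 123456789012 is not a real account).
REPO_ARN = "arn:aws:ecr:us-west-2:123456789012:repository/lambda-docker-example"

# The policy from the question's template. It is attached to the function's
# execution role, which is not the principal that CloudFormation/SAM uses to
# create the function, so it cannot fix the 403.
FUNCTION_ROLE_POLICY: Policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ecr:*", "ecr-public:*", "sts:GetServiceBearerToken"],
            "Resource": "*",
        }
    ],
}

# Constructed least-privilege policy for the *deploying* user/role: only the
# three actions from the answer, scoped to the one repository.
DEPLOYER_POLICY: Policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": list(REQUIRED_DEPLOYER_ACTIONS),
            "Resource": REPO_ARN,
        }
    ],
}


def _as_list(value: Union[str, Iterable[str]]) -> List[str]:
    """IAM allows a single string or a list for Action/Resource."""
    return [value] if isinstance(value, str) else list(value)


def _any_match(patterns: Iterable[str], value: str, case_sensitive: bool) -> bool:
    """IAM wildcard match: '*' matches any run, '?' one character.
    Action names are case-insensitive; resource ARNs are compared as-is."""
    for pattern in patterns:
        if case_sensitive:
            if fnmatch.fnmatchcase(value, pattern):
                return True
        elif fnmatch.fnmatchcase(value.lower(), pattern.lower()):
            return True
    return False


def is_allowed(policy: Policy, action: str, resource: str) -> bool:
    """Evaluate Allow/Deny statements; an explicit Deny always wins.
    NotAction, NotResource and Condition are not modelled here."""
    allowed = False
    for stmt in policy["Statement"]:
        if "Action" not in stmt or "Resource" not in stmt:
            continue
        if not _any_match(_as_list(stmt["Action"]), action, case_sensitive=False):
            continue
        if not _any_match(_as_list(stmt["Resource"]), resource, case_sensitive=True):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_actions(policy: Policy, resource: str,
                    required: Iterable[str] = REQUIRED_DEPLOYER_ACTIONS) -> List[str]:
    """Return the required actions that `policy` does not allow on `resource`."""
    return [a for a in required if not is_allowed(policy, a, resource)]


if __name__ == "__main__":
    print("function role policy missing:", missing_actions(FUNCTION_ROLE_POLICY, REPO_ARN))
    print("deployer policy missing:", missing_actions(DEPLOYER_POLICY, REPO_ARN))
```

Run `missing_actions` against the policy document of whatever user or role actually executes `sam deploy` (for example, the CI role), not against the function's `Policies`; an empty list for the repository ARN in `ImageUri` means the three actions the answer names are covered, and scoping `Resource` to that ARN rather than `"*"` keeps the deployer from being able to rewrite policies on every repository in the account.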