Lambda does not have permission to access the ECR image
Docker images for Lambda functions were recently released, and I decided to try the feature out using CloudFormation. So the Lambda below refers to a Docker image stored in Elastic Container Registry and has permission to access that image, following the example in the documentation.
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: lambda-docker-image
Globals:
  Function:
    Timeout: 180
Resources:
  DockerAsImage:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: DockerAsImage
      ImageUri: ??????????????.dkr.ecr.us-west-2.amazonaws.com/????:latest
      PackageType: Image
      Policies:
        - Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - ecr:*
                - ecr-public:*
                - sts:GetServiceBearerToken
              Resource: "*"
      Events:
        HelloWorld:
          Type: Api
          Properties:
            Path: /hello
            Method: post
I am deploying the template with sam in us-west-2 using
sam deploy -t template.yaml --capabilities "CAPABILITY_NAMED_IAM" --region "us-west-2" --stack-name "lambda-docker-example" --s3-bucket "my-bucket" --s3-prefix "sam_templates/lambda-docker-example" --force-upload --no-confirm-changeset
However, after the IAM role is created successfully, creation of the Lambda function fails with the following error:
Lambda does not have permission to access the ECR image. Check the ECR permissions. (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException;
even though the role can access any ecs resource. Another approach I tried was creating a separate role and assigning it to the lambda via Role: !GetAtt Role.Arn; that did not work either.
As per the comments.
To use an image-based lambda, it is the IAM user/role that needs the ECR permissions, not the function itself. From the docs:
Make sure that the permissions for the AWS Identity and Access Management (IAM) user or role that creates the function contain the AWS managed policies GetRepositoryPolicy and SetRepositoryPolicy.
In addition to the two permissions listed above, ecr:InitiateLayerUpload is also required.
Create an inline policy for the role or user used to deploy the Lambda function. This adds all the permissions needed to interact with private ECR repositories.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "ecr:*",
      "Resource": "*"
    }
  ]
}
You must add the following policy to your user and to the role that will be associated with AWS Lambda. This policy enables the ECR operations:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ecr:SetRepositoryPolicy",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:CompleteLayerUpload",
        "ecr:DescribeImages",
        "ecr:DescribeRepositories",
        "ecr:UploadLayerPart",
        "ecr:ListImages",
        "ecr:InitiateLayerUpload",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetRepositoryPolicy",
        "ecr:PutImage"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    }
  ]
}
I ran into the same issue with all the required AWS Lambda policies in place. What helped me was adding the permission in ECR:
{
  "Sid": "LambdaECRImageRetrievalPolicy",
  "Effect": "Allow",
  "Principal": {
    "Service": "lambda.amazonaws.com"
  },
  "Action": [
    "ecr:BatchGetImage",
    "ecr:GetDownloadUrlForLayer"
  ]
}
Although AWS also says that if the lambda has the policies (ecr:getRepositoryPolicy and ecr:setRepositoryPolicy), then we do not need to add the permission in ECR; Lambda will do it automatically.
If the Amazon ECR repository does not include these permissions, Lambda adds ecr:BatchGetImage and ecr:GetDownloadUrlForLayer to the container image repository permissions. Lambda can add these permissions only if the Principal calling Lambda has ecr:getRepositoryPolicy and ecr:setRepositoryPolicy permissions.
For a lambda in account 22222222222 to use an ECR image from 11111111111, you need to follow https://aws.amazon.com/blogs/compute/introducing-cross-account-amazon-ecr-access-for-aws-lambda/
The most important IAM part is setting the following repository policy on the repository in 11111111111:
RepositoryPolicyText:
  Version: "2012-10-17"
  Statement:
    - Sid: CrossAccountPermission
      Effect: Allow
      Action:
        - ecr:BatchGetImage
        - ecr:GetDownloadUrlForLayer
      Principal:
        AWS:
          - arn:aws:iam::222222222222:root
    - Sid: LambdaECRImageCrossAccountRetrievalPolicy
      Effect: Allow
      Action:
        - ecr:BatchGetImage
        - ecr:GetDownloadUrlForLayer
      Principal:
        Service: lambda.amazonaws.com
      Condition:
        StringLike:
          aws:sourceArn:
            - arn:aws:lambda:us-east-1:222222222222:function:*
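As an added example that is not part of any of the answers above, here is an offline check of whether an ECR repository policy grants the Lambda service principal both pull actions the answers name, honouring the aws:sourceArn condition from the cross-account policy. The sample policies are constructed from the statements quoted in the answers, and `lambda_can_pull` is a hypothetical helper, not an AWS API.

```python
import fnmatch
import json

# Both actions the Lambda service needs on a repository to pull a function image.
LAMBDA_PULL_ACTIONS = {"ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"}

# Constructed sample: the single-account repository statement from the answer above.
SINGLE_ACCOUNT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "LambdaECRImageRetrievalPolicy", "Effect": "Allow",
    "Principal": {"Service": "lambda.amazonaws.com"},
    "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]}]})

# Constructed sample: the cross-account repository policy above, rendered as JSON.
CROSS_ACCOUNT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "CrossAccountPermission", "Effect": "Allow",
     "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
     "Principal": {"AWS": ["arn:aws:iam::222222222222:root"]}},
    {"Sid": "LambdaECRImageCrossAccountRetrievalPolicy", "Effect": "Allow",
     "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
     "Principal": {"Service": "lambda.amazonaws.com"},
     "Condition": {"StringLike": {"aws:sourceArn": [
         "arn:aws:lambda:us-east-1:222222222222:function:*"]}}}]})


def _as_list(value):
    """IAM policy elements may be a bare string or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def lambda_can_pull(repository_policy: str, function_arn: str) -> bool:
    """Hypothetical helper: True if the repository policy lets lambda.amazonaws.com
    pull the image for `function_arn`, i.e. an Allow statement naming the Lambda
    service principal, covering both pull actions (wildcards such as ecr:* count),
    whose aws:sourceArn condition, if present, matches the function ARN."""
    for stmt in _as_list(json.loads(repository_policy).get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or "lambda.amazonaws.com" not in services:
            continue
        granted = _as_list(stmt.get("Action"))
        if not all(any(fnmatch.fnmatchcase(a, g) for g in granted) for a in LAMBDA_PULL_ACTIONS):
            continue
        patterns = []
        for op, keys in stmt.get("Condition", {}).items():
            if op in ("StringLike", "StringEquals"):
                for key, val in keys.items():
                    if key.lower() == "aws:sourcearn":  # condition keys are case-insensitive
                        patterns += _as_list(val)
        # No sourceArn condition means any function may pull; otherwise the ARN must match.
        if not patterns or any(fnmatch.fnmatchcase(function_arn, p) for p in patterns):
            return True
    return False
```

Run against a real repository policy (`aws ecr get-repository-policy` returns it as a JSON string) the check reproduces the 403 case: a function whose region or account is outside the sourceArn pattern is refused.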