AWS Lambda (via Terraform) cannot pull an image from a replicated ECR repository


I have an ECR repository in ap-south-1 that is replicated to us-west-1. The replication completes correctly and was previously done via the CLI; I can see the images being synced and I am also able to pull them locally.

When I create an AWS Lambda function using the image_uri from us-west-1, it fails with the following error:

```text
creating Lambda Function (my_sample_tmp): operation error Lambda: CreateFunction, https response error StatusCode: 400, RequestID: 310e56ea-e5f7-4f50-a9e5-fcf4555c55f5, InvalidParameterValueException: Source image 12345678910.dkr.ecr.us-west-1.amazonaws.com/my-repo:2-my-tag is not valid. Provide a valid source image.
```

The Terraform code for the AWS Lambda function is

```hcl
# The resource header was not included in the original post; the label "data_beacon" is assumed.
resource "aws_lambda_function" "data_beacon" {
  count         = length(keys(var.app_clients_config))
  function_name = "${var.app_name}_${var.server_name}_${var.app_environment}_${element(keys(var.app_clients_config), count.index)}"
  description   = "c360 Data Beacon function to process insights & alerts"
  timeout       = 50 # seconds
  image_uri     = "${var.aws_account_id}.dkr.ecr.${var.aws_region}.amazonaws.com/${var.aws_registry_image_name}:${var.app_data_beacon_version}"
  package_type  = "Image"

  role = var.aws_iam_role_lambda_exec_role_arn
  environment {
    variables = {
      ENVIRONMENT = var.app_environment,
      CLIENT      = element(keys(var.app_clients_config), count.index)
    }
  }
}
```

The IAM policy document (for the Lambda execution role) is

```hcl
# The data source header was not included in the original post; the label "lambda_exec" is assumed.
data "aws_iam_policy_document" "lambda_exec" {
  statement {
    sid    = "AllowInvokingLambdas"
    effect = "Allow"

    resources = [
      "arn:aws:lambda:*:*:function:*"
    ]

    actions = [
      "lambda:InvokeFunction"
    ]
  }

  statement {
    sid    = "AllowECRAccessForLambda"
    effect = "Allow"

    resources = ["*"]

    actions = [
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage",
      "ecr:BatchCheckLayerAvailability",
      "ecr:DescribeRepositories",
      "ecr:ListImages"
    ]
  }

  statement {
    sid    = "AllowECRAuthTokenForLambda"
    effect = "Allow"

    resources = ["*"]

    actions = [
      "ecr:GetAuthorizationToken"
    ]
  }

  statement {
    sid    = "AllowWritingLogs"
    effect = "Allow"

    resources = [
      "arn:aws:logs:*:*:log-group:/aws/lambda/*:*"
    ]

    actions = [
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]
  }

  statement {
    sid    = "AccessSecrets"
    effect = "Allow"

    resources = [
      "*"
    ]

    actions = [
      "secretsmanager:DescribeSecret",
      "secretsmanager:GetSecretValue",
    ]
  }
}
```


**It works well from the UI, but not via Terraform**
1 Answer

According to the documentation:

For a function in the same account as the container image in Amazon ECR, you can add the `ecr:BatchGetImage` and `ecr:GetDownloadUrlForLayer` permissions to your Amazon ECR repository policy. The following example shows the minimum policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LambdaECRImageRetrievalPolicy",
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": [
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ]
    }
  ]
}
```

When you do this in the UI, the repository policy is updated for you.

Can you confirm that your ECR repository has this policy?
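As an added example (not part of the original question or answer), here is how the repository policy the answer describes can be managed from Terraform instead of relying on the console. ECR replication creates the destination repository and copies the images, but it does not carry over the source repository's policy, so the statement has to be attached to the replica in us-west-1; the example therefore uses a provider alias for that region. The provider alias `aws.replica`, the data source label `replica`, the names `lambda_ecr_pull` and `lambda_pull`, and the reuse of `var.aws_registry_image_name` and `var.aws_account_id` from the question are assumptions. The `aws:SourceArn` condition, which limits the grant to Lambda functions in this account and region, follows the scoping AWS uses in its cross-account example and goes beyond the minimum policy quoted in the answer.

```hcl
# Added example, not from the original post. Provider alias name is assumed.
provider "aws" {
  alias  = "replica"
  region = "us-west-1"
}

# The replica is created by ECR replication; looking it up in the destination
# region makes "terraform plan" fail early if replication has not created it yet.
data "aws_ecr_repository" "replica" {
  provider = aws.replica
  name     = var.aws_registry_image_name # repository name reused from the question
}

# Same statement as in the answer, expressed as an aws_iam_policy_document.
# Lambda pulls the image as its service principal, not with the execution role,
# which is why this grant lives on the repository rather than in the role policy.
data "aws_iam_policy_document" "lambda_ecr_pull" {
  statement {
    sid    = "LambdaECRImageRetrievalPolicy"
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }

    actions = [
      "ecr:BatchGetImage",
      "ecr:GetDownloadUrlForLayer",
    ]

    # Optional scoping (not in the answer): only functions in this account and
    # region may use this grant, mirroring the condition in AWS's cross-account example.
    condition {
      test     = "StringLike"
      variable = "aws:SourceArn"
      values   = ["arn:aws:lambda:us-west-1:${var.aws_account_id}:function:*"]
    }
  }
}

# Attach the policy to the replica repository in us-west-1.
resource "aws_ecr_repository_policy" "lambda_pull" {
  provider   = aws.replica
  repository = data.aws_ecr_repository.replica.name
  policy     = data.aws_iam_policy_document.lambda_ecr_pull.json
}
```

Add `depends_on = [aws_ecr_repository_policy.lambda_pull]` to the `aws_lambda_function` resource so the policy is in place before `CreateFunction` is called; otherwise the first apply can still hit the "Source image ... is not valid" error. To check what is actually attached in the destination region, run `aws ecr get-repository-policy --repository-name <repo> --region us-west-1`: a `RepositoryPolicyNotFoundException` means the replica has no policy at all, which is the state replication leaves it in until one is added.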
