5

I'm trying to create a Lambda function in account B from an ECR image in another account A, but I'm encountering a "Lambda does not have permission to access the ECR image" error.

I created the following ECR policy following this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CrossAccountPermission",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::BBBBBBBBBBBB:root"
      },
      "Action": [
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ]
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": [
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ],
      "Condition": {
        "StringLike": {
          "aws:sourceArn:": "arn:aws:lambda:eu-west-1:BBBBBBBBBBBB:function:*"
        }
      }
    }
  ]
} 

I'm using an AWS SSO assumed role to perform the Lambda creation; I don't know if this has an impact.

Accounts B and A are not in the same AWS Organizations organizational unit.

Things I tested:

  • If I remove the condition from the statement targeting the Lambda service, the error goes away, but obviously that's not a permanent solution.
  • Running an ECS task using the same ECR image in account B works fine.
  • I tried following the SAM tutorial here and encountered the same issue.

I'm running out of things to check, and I would really like to avoid copying the ECR image into account B.

Do you have any idea why the example policy doesn't seem to work?

How can I narrow the policy down from everything coming from the Lambda service? I was planning to use aws:PrincipalOrgPaths to allow multiple organizational units, but this doesn't seem to work with the Lambda principal.

Mark B
GuillaumeK

4 Answers

4

I spent way too much time on this today, so hopefully it helps someone else, but I was finally able to share images with the entire org using the following repository policy...

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CrossOrgPermission",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ],
      "Condition": {
        "StringLike": {
          "aws:PrincipalOrgID": "x-xxxxxxxxx"
        }
      }
    },
    {
      "Sid": "LambdaECRImageCrossOrgRetrievalPolicy",
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": [
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ],
      "Condition": {
        "StringLike": {
          "aws:ResourceOrgID": "x-xxxxxxxxx"
        }
      }
    }
  ]
}

My CrossOrgPermission is a little more broad than what is here, but I believe it should still work as shown.

Greg Junge
1

As I stated in my comment, it was a dumb typo, as is often the case with policies.

I used "aws:sourceArn:": instead of "aws:sourceArn": ...

ouflak
GuillaumeK
1

You can use aws:ResourceOrgID.

This is a new feature: https://aws.amazon.com/jp/blogs/security/how-to-control-access-to-aws-resources-based-on-aws-account-ou-or-organization/

hiroqn
0

aws:ResourceOrgID will not do what is required in this case. Even worse, it will open your ECR for access to any Lambda in any account.

The AWS blog describes aws:ResourceOrgID as the "AWS organization ID of the resource being accessed". This condition is always true, because the resource being accessed - your ECR - belongs to your organization. It does not say anything about the Lambda that accesses ECR.

Further, in my communication with AWS support they have confirmed that using aws:PrincipalOrgId does not work either. Quoting their response:

When permissions are being granted to service principals like "lambda.amazonaws.com" they do not support PrincipalOrgPaths or PrincipalOrgId condition keys. This is because the Lambda service principal does not exist within an organization, while an identity like a user/role does.

The only way to make it work is to use the aws:SourceArn condition key, explicitly mentioning each Lambda that is going to access your ECR.

Eric Aya
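The two failure modes in this thread (the misspelled "aws:sourceArn:" key from the accepted answer, and an org-ID condition on a service-principal statement from the last answer) are both easy to catch before a policy is applied. The following linter is an added example, not code from the thread or from AWS: it parses a repository policy with the standard library only, flags condition keys it does not recognise, flags Allow statements for a service principal that are not pinned with aws:SourceArn or aws:SourceAccount, and builds the narrow per-function statement the last answer recommends. The finding codes, the KNOWN_CONDITION_KEYS allow-list and the helper names are this script's own convention (constructed), not an AWS policy-validation API; the embedded policies are copies of the two from the thread with the same placeholder account and org IDs.

```python
"""Lint an ECR repository policy for the two pitfalls discussed in this thread.

Added example, not code from the thread or from AWS; standard library only.
The finding codes and the KNOWN_CONDITION_KEYS allow-list are this script's
own convention (constructed), not an AWS policy-validation API.
"""
import json

# Keys that pin *which* function or account calls through a service principal.
SERVICE_SCOPING_KEYS = {"aws:sourcearn", "aws:sourceaccount"}
# Org keys: meaningful for identity principals, not for lambda.amazonaws.com.
ORG_KEYS = {"aws:principalorgid", "aws:principalorgpaths", "aws:resourceorgid"}
KNOWN_CONDITION_KEYS = SERVICE_SCOPING_KEYS | ORG_KEYS | {"aws:principalarn", "aws:principalaccount"}

UNKNOWN_CONDITION_KEY = "UNKNOWN_CONDITION_KEY"  # e.g. the "aws:sourceArn:" typo
ORG_KEY_ON_SERVICE_PRINCIPAL = "ORG_KEY_ON_SERVICE_PRINCIPAL"
SERVICE_PRINCIPAL_NOT_SCOPED = "SERVICE_PRINCIPAL_NOT_SCOPED"


def _condition_keys(stmt):
    """Flatten {"StringLike": {"aws:SourceArn": ...}} into lower-cased key names
    (IAM condition key names are matched case-insensitively)."""
    keys = []
    for operator_block in stmt.get("Condition", {}).values():
        keys.extend(k.lower() for k in operator_block)
    return keys


def _is_service_principal(stmt):
    principal = stmt.get("Principal")
    return isinstance(principal, dict) and "Service" in principal


def lint_policy(policy):
    """Return (statement label, finding code) tuples, in statement order."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        label = stmt.get("Sid", f"statement[{i}]")
        keys = _condition_keys(stmt)
        for key in keys:
            if key not in KNOWN_CONDITION_KEYS:
                # An unknown key never matches, so the Allow silently grants nothing.
                findings.append((label, UNKNOWN_CONDITION_KEY))
        if _is_service_principal(stmt) and stmt.get("Effect") == "Allow":
            if any(k in ORG_KEYS for k in keys):
                # Org keys do not identify the calling function or its account.
                findings.append((label, ORG_KEY_ON_SERVICE_PRINCIPAL))
            if not any(k in SERVICE_SCOPING_KEYS for k in keys):
                findings.append((label, SERVICE_PRINCIPAL_NOT_SCOPED))
    return findings


def lambda_pull_statement(account_id, region, function_names, sid="LambdaPull"):
    """Build the narrow statement the last answer recommends: one aws:SourceArn
    entry per function that is allowed to pull the image."""
    arns = [f"arn:aws:lambda:{region}:{account_id}:function:{name}" for name in function_names]
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
        "Condition": {"ArnLike": {"aws:SourceArn": arns}},
    }


# Constructed copies of the two policies from the thread (account and org IDs are placeholders).
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "CrossAccountPermission", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::BBBBBBBBBBBB:root"},
     "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]},
    {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
     "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
     "Condition": {"StringLike": {"aws:sourceArn:": "arn:aws:lambda:eu-west-1:BBBBBBBBBBBB:function:*"}}},
]}
ORG_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "CrossOrgPermission", "Effect": "Allow", "Principal": "*",
     "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
     "Condition": {"StringLike": {"aws:PrincipalOrgID": "x-xxxxxxxxx"}}},
    {"Sid": "LambdaECRImageCrossOrgRetrievalPolicy", "Effect": "Allow",
     "Principal": {"Service": "lambda.amazonaws.com"},
     "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
     "Condition": {"StringLike": {"aws:ResourceOrgID": "x-xxxxxxxxx"}}},
]}

if __name__ == "__main__":
    for name, policy in [("question", QUESTION_POLICY), ("org", ORG_POLICY)]:
        print(name, lint_policy(policy))
    fixed = {"Version": "2012-10-17",
             "Statement": [lambda_pull_statement("BBBBBBBBBBBB", "eu-west-1", ["image-fn"])]}
    print("fixed", lint_policy(fixed))
    print(json.dumps(fixed, indent=2))
```

Run as a script it reports the dead "aws:sourceArn:" statement in the question's policy and the unscoped service-principal statement in the org policy, and an empty finding list for the per-function statement. The allow-list is deliberately small so that a misspelled key surfaces as a finding rather than being accepted; a real policy using other condition keys would need them added to KNOWN_CONDITION_KEYS.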