Issue
I try to use an ECR image via AWS lambda. AWS keeps saying that my image is invalid, without any further information.
Steps taken
I created a docker image based on the default AWS python image:
FROM public.ecr.aws/lambda/python:3.10
COPY catalog_sidecar.py ${LAMBDA_TASK_ROOT}
CMD [ "catalog_sidecar.lambda_handler" ]
The python file is in the image and the callback handler is correct. I checked that.
I ensured the image is pushed to ECR.
I ensured the correct cross-account access policy on the central ECR we use. Regions are correct. Account IDs (replaced with **** in the code snippet) are correct.
{
    "Sid": "permit-test",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::*****:root"
    },
    "Action": "ecr:*"
},
{
    "Sid": "permit-test-lambdas",
    "Effect": "Allow",
    "Principal": {
        "Service": "lambda.amazonaws.com"
    },
    "Action": "ecr:*",
    "Condition": {
        "StringLike": {
            "aws:sourceArn": "arn:aws:lambda:eu-west-1:*****:function:*"
        }
    }
}
I even moved to full ECR access to rule out issues with the policy granularity.
Result
When I try to use the image from the UI or from Terraform, the result is always the same:
Source image ***.dkr.ecr.eu-central-1.amazonaws.com/service-catalog-sidecar@sha256:*** is not valid. Provide a valid source image.
I tried both with sha256 hash as well as with tag name version of the URI.
Question
I checked multiple instructions and tutorials and they all seem to be aligned with what I did. I am looking for advice on how to proceed with this issue.
I believe your issue is with regions. Your Lambda is in eu-west-1 but your image is in eu-central-1. I have not tested with cross account, but within the same account your image must be in the same region.
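A pre-deployment check for the mismatch the answer points to, as an added example that is not part of the original thread: it compares the region in the ECR image URI with the function's region and with the Lambda ARN pattern in the repository policy, and flags wildcard ECR actions left over from debugging. The function names, account IDs and image tag are constructed for illustration.

```python
import re

# <account>.dkr.ecr.<region>.amazonaws.com/<repo>[:tag | @sha256:digest]
ECR_URI = re.compile(r"^\d{12}\.dkr\.ecr\.(?P<region>[a-z0-9-]+)\.amazonaws\.com/[^:@]+")
# arn:aws:lambda:<region>:<account>:function:<name or pattern>
LAMBDA_ARN = re.compile(r"^arn:aws[a-z-]*:lambda:(?P<region>[^:]*):[^:]*:function:")

def as_list(value):
    return value if isinstance(value, list) else [value]

def preflight(image_uri, function_region, statements):
    """Return findings for a Lambda container-image deployment (empty list = clean)."""
    m = ECR_URI.match(image_uri)
    if not m:
        return [f"not an ECR image URI: {image_uri}"]
    image_region, findings = m["region"], []
    if image_region != function_region:
        findings.append(f"region mismatch: image in {image_region}, function in {function_region}")
    for stmt in statements:
        sid = stmt.get("Sid", "<no Sid>")
        # Debug-time wildcards tend to stay; pulling an image needs only
        # ecr:BatchGetImage and ecr:GetDownloadUrlForLayer.
        for action in as_list(stmt.get("Action", [])):
            if action in ("*", "ecr:*"):
                findings.append(f"{sid}: wildcard action {action}")
        for keys in stmt.get("Condition", {}).values():
            for key, value in keys.items():
                if key.lower() != "aws:sourcearn":
                    continue
                for arn in as_list(value):
                    a = LAMBDA_ARN.match(arn)
                    if a and a["region"] not in ("*", image_region):
                        findings.append(f"{sid}: aws:SourceArn region {a['region']} != image region {image_region}")
    return findings

# Constructed sample mirroring the thread; account IDs are placeholders.
POLICY = [
    {"Sid": "permit-test", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "ecr:*"},
    {"Sid": "permit-test-lambdas", "Effect": "Allow",
     "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "ecr:*",
     "Condition": {"StringLike": {
         "aws:sourceArn": "arn:aws:lambda:eu-west-1:111122223333:function:*"}}},
]
IMAGE = "444455556666.dkr.ecr.eu-central-1.amazonaws.com/service-catalog-sidecar:latest"

if __name__ == "__main__":
    for finding in preflight(IMAGE, "eu-west-1", POLICY):
        print(finding)
```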