AWS Lambda usage of ECR: Invalid source image

Issue

I am trying to use an ECR image via AWS Lambda.
AWS keeps saying that my image is invalid, without any further information.

Steps taken

I created a Docker image based on the default AWS Python image:

FROM public.ecr.aws/lambda/python:3.10

COPY catalog_sidecar.py ${LAMBDA_TASK_ROOT}

CMD [ "catalog_sidecar.lambda_handler" ]

The Python file is in the image and the callback handler is correct. I checked that.

I ensured the image is pushed to ECR.

I ensured the correct cross-account access policy on the central ECR we use. Regions are correct. Account IDs (replaced with **** in the code snippet) are correct.

{
  "Sid": "permit-test",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::*****:root"
  },
  "Action": "ecr:*"
},
{
  "Sid": "permit-test-lambdas",
  "Effect": "Allow",
  "Principal": {
    "Service": "lambda.amazonaws.com"
  },
  "Action": "ecr:*",
  "Condition": {
    "StringLike": {
      "aws:sourceArn": "arn:aws:lambda:eu-west-1:*****:function:*"
    }
  }
}

I even moved to full ECR access to rule out issues with the policy granularity.

Result

When I try to use the image from the UI or from Terraform, the result is always the same:

Source image ***.dkr.ecr.eu-central-1.amazonaws.com/service-catalog-sidecar@sha256:*** is not valid. Provide a valid source image.

I tried both the sha256 hash and the tag name version of the URI.

Question

I checked multiple instructions and tutorials and they all seem to be aligned with what I did. I am looking for advice on how to proceed with this issue.

Answer 1

Score: 0

I believe your issue is with regions. Your Lambda is in eu-west-1 but your image is in eu-central-1. I have not tested with cross-account, but within the same account your image must be in the same region.
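
A pre-deployment check for the mismatch this answer points at, written as an added example that is not part of the original question or answer: it compares the region in the ECR image URI with the region in each `aws:sourceArn` of the repository policy, and also flags statements broader than pull-only. The account IDs are constructed placeholders, and the pull-only action set is an assumption based on what Lambda needs to fetch a container image.

```python
import re

# Constructed sample values; the account IDs are placeholders, not from the page.
IMAGE_URI = "111122223333.dkr.ecr.eu-central-1.amazonaws.com/service-catalog-sidecar:latest"
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "permit-test-lambdas",
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "ecr:*",
        "Condition": {"StringLike": {
            "aws:sourceArn": "arn:aws:lambda:eu-west-1:444455556666:function:*"}},
    }],
}

ECR_URI = re.compile(r"^(\d{12})\.dkr\.ecr\.([a-z0-9-]+)\.amazonaws\.com/")
# Assumed minimal set of actions for pulling an image; anything else is flagged.
PULL_ACTIONS = {"ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"}


def as_list(value):
    return value if isinstance(value, list) else [value]


def check_repo_policy(image_uri, policy):
    """Return findings for a repository policy meant to let Lambda pull image_uri."""
    match = ECR_URI.match(image_uri)
    if not match:
        return [f"not a private ECR image URI: {image_uri}"]
    image_region = match.group(2)
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        extra = set(as_list(stmt.get("Action", []))) - PULL_ACTIONS
        if stmt.get("Effect") == "Allow" and extra:
            findings.append(f"{sid}: broader than pull-only: {sorted(extra)}")
        # IAM condition key names are case-insensitive.
        for keys in stmt.get("Condition", {}).values():
            for key, arns in keys.items():
                if key.lower() != "aws:sourcearn":
                    continue
                for arn in as_list(arns):
                    parts = arn.split(":")
                    if (len(parts) > 3 and parts[2] == "lambda"
                            and parts[3] not in ("*", image_region)):
                        findings.append(f"{sid}: functions in {parts[3]} cannot use an image in {image_region}")
    return findings
```

Running `check_repo_policy(IMAGE_URI, POLICY)` on the constructed policy reports both the `ecr:*` grant and the eu-west-1 / eu-central-1 mismatch.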
