Closed
Description
Describe the bug
After deploying the ACK Lambda Controller to an EKS cluster with the recommended IAM policy (https://github.com/aws-controllers-k8s/lambda-controller/blob/2771d6a2dc74091e79aee5ba242351c8fdd4e892/config/iam/recommended-inline-policy), the controller fails to create a Lambda referencing a Docker image within an ECR repository in another AWS account.
The error message that I see in CloudTrail looks like this:

```
User: arn:aws:sts::${ACCOUNT_ONE}:assumed-role/ack-lambda-controller-role/*** is not authorized to perform: ecr:BatchGetImage on resource: arn:aws:ecr:us-west-2:${ACCOUNT_TWO}:repository/example/hello-world-lambda because no identity-based policy allows the ecr:BatchGetImage action
```

The solution is to grant this IAM role permissions to perform `ecr:BatchGet*`. After this, everything works as expected.
Environment
- Kubernetes version:
Server Version: version.Info{Major:"1", Minor:"23+", GitVersion:"v1.23.13-eks-fb459a0", GitCommit:"55bd5d5cb7d32bc35e4e050f536181196fb8c6f7", GitTreeState:"clean", BuildDate:"2022-10-24T20:35:40Z", GoVersion:"go1.17.13", Compiler:"gc", Platform:"linux/amd64"}
- Using EKS (yes/no), if so version? Yes, see above
- AWS service targeted (S3, RDS, etc.): Lambda
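The report above boils down to one missing identity-policy statement: the controller's role can call the Lambda API but cannot read the image from an ECR repository in the other account. The following is an added example, not code from the ACK project or from the reporter. It parses a CloudTrail-style AccessDenied message into the (action, resource) pair, generates a least-privilege statement scoped to that one repository rather than `ecr:BatchGet*` on `*`, and checks the result with a small stand-in policy evaluator (explicit Deny wins, otherwise any matching Allow). The `POLICY_BEFORE` document is a hypothetical minimal policy, not the project's recommended policy; the account ids, role and session names are placeholders; `ecr:GetDownloadUrlForLayer` is included alongside `ecr:BatchGetImage` because Lambda's container-image documentation lists both, which goes beyond what the issue itself names. The repository policy for the image-owning account is also an assumption: the error only reports the identity-policy side, and cross-account access needs a resource-based allow there as well.

```python
import fnmatch
import json
import re

# Constructed sample, modelled on the CloudTrail message quoted in the issue.
# Account ids and the role session name are placeholders, not real values.
SAMPLE_DENIAL = (
    "User: arn:aws:sts::111111111111:assumed-role/ack-lambda-controller-role/session "
    "is not authorized to perform: ecr:BatchGetImage on resource: "
    "arn:aws:ecr:us-west-2:222222222222:repository/example/hello-world-lambda "
    "because no identity-based policy allows the ecr:BatchGetImage action"
)

# Hypothetical stand-in for the controller's policy before the fix: it covers
# the Lambda API and says nothing about ECR. Not the project's recommended policy.
POLICY_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "lambda:*", "Resource": "*"}],
}

DENIAL_RE = re.compile(r"not authorized to perform: (\S+) on resource: (\S+)")


def parse_denial(message):
    """Extract (action, resource ARN) from an IAM AccessDenied message."""
    m = DENIAL_RE.search(message)
    if not m:
        raise ValueError("not an IAM AccessDenied message")
    return m.group(1), m.group(2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    # IAM action names are case-insensitive; '*' and '?' are the wildcards.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def is_allowed(policy, action, resource):
    """Minimal identity-policy evaluator: an explicit Deny overrides any Allow.

    Simplified on purpose: no Condition keys, no NotAction/NotResource.
    """
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_match(a, action) for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_match(r, resource) for r in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def ecr_image_statement(repository_arn):
    """Allow statement scoped to the one repository the function image lives in."""
    return {
        "Sid": "ResolveLambdaImage",
        "Effect": "Allow",
        # BatchGetImage is what the issue's denial names; GetDownloadUrlForLayer is
        # the companion permission Lambda's container-image docs list (assumption).
        "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
        "Resource": repository_arn,
    }


def with_ecr_access(policy, repository_arn):
    """Return a copy of `policy` with the scoped ECR statement appended."""
    fixed = json.loads(json.dumps(policy))  # deep copy; leave the input untouched
    fixed["Statement"].append(ecr_image_statement(repository_arn))
    return fixed


def repository_policy(role_arn):
    """Resource-based policy for the repository in the image-owning account.

    Cross-account reads need this allow in addition to the identity policy;
    the issue only shows the identity side, so this half is an assumption.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowLambdaControllerPull",
            "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
        }],
    }


if __name__ == "__main__":
    action, resource = parse_denial(SAMPLE_DENIAL)
    print("before fix:", is_allowed(POLICY_BEFORE, action, resource))
    fixed = with_ecr_access(POLICY_BEFORE, resource)
    print("after fix: ", is_allowed(fixed, action, resource))
    print(json.dumps(fixed["Statement"][-1], indent=2))
```

Granting `ecr:BatchGet*` on `*`, as the reporter did, also works, but the wildcard covers every BatchGet-style ECR action across every repository the role can reach; the scoped statement above is what a reviewer of the controller's IAM policy would normally ask for.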