Required ECR Permissions for Using Docker Containers with Lambda

AWS Lambda allows you to run your own Docker images.

When we attempted to run it, the following error occurred:

INIT_REPORT Init Duration: 48.73 ms Phase: init Status: error Error Type: Runtime.ExitError
INIT_REPORT Init Duration: 19.69 ms Phase: invoke Status: error Error Type: Runtime.ExitError
START RequestId: 12345678-abcd-1234-abcd-123456789012 Version: $LATEST
RequestId: 12345678-abcd-1234-abcd-123456789012 Error: Runtime exited without providing a reason Runtime.ExitError
END RequestId: 12345678-abcd-1234-abcd-123456789012
REPORT RequestId: 12345678-abcd-1234-abcd-123456789012 Duration: 21.27 ms Billed Duration: 22 ms Memory Size: 2048 MB Max Memory Used: 6 MB

Detailed Issue

The error type is Runtime.ExitError, and the message is "Error: Runtime exited without providing a reason Runtime.ExitError".

Investigations on AWS re:Post (AWS’s official forum) suggest the following potential causes:

  • The function’s code contains explicit exit codes such as process.exit(0), exit(), quit(), os.Exit(), or Environment.Exit().
  • Insufficient memory.
  • Too many database connections.
  • Attempting to reuse idle connections.
  • Hitting the limit on file descriptors or thread counts.

This suggests runtime errors were occurring, as indicated by the error message, although no such issues were present in my environment.

Root Cause

The actual issue was that Lambda could not access the ECR repository where the container image was stored. The necessary steps are clearly described in the official documentation (Amazon ECR permissions); the need for an ECR repository policy had simply been overlooked. Additionally, it was confusing that the error was labeled as Runtime.ExitError instead of something more indicative of a permissions issue.

So, after setting the following ECR repository policy, everything worked smoothly.

{
  "Sid": "LambdaECRImageRetrievalPolicy",
  "Effect": "Allow",
  "Principal": {
    "Service": "lambda.amazonaws.com"
  },
  "Action": [
    "ecr:BatchGetImage",
    "ecr:GetDownloadUrlForLayer"
  ]
}

A point of caution, though, is that it didn’t work immediately after setting the policy. This might have been due to a caching issue. Despite redeploying the function, the error persisted, leading me to recreate the function entirely. There might have been a chance that waiting a while would have resolved it.
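To rule the repository policy in or out before recreating anything, the policy text currently attached to the repository can be checked offline. The following is an added example, not code from the original post: `check_lambda_pull` and `POST_POLICY` are hypothetical names, the sample input is the statement above wrapped in a full policy document, and the "unscoped" report (an Allow for the Lambda service principal with no Condition, such as one on aws:SourceArn) is a hardening check assumed here rather than something the post requires. Deny statements are not evaluated.

```python
import json
from fnmatch import fnmatchcase

# The two actions the post's policy grants to the Lambda service principal.
REQUIRED = ("ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer")
LAMBDA = "lambda.amazonaws.com"

def _as_list(value):
    """IAM accepts a single string wherever a list is allowed."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def _names_lambda(principal):
    """True if the Principal element explicitly lists the Lambda service."""
    return isinstance(principal, dict) and LAMBDA in _as_list(principal.get("Service"))

def check_lambda_pull(policy_text):
    """Return (missing_actions, unscoped_sids) for an ECR repository policy."""
    statements = json.loads(policy_text).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    granted, unscoped = set(), []
    for st in statements:
        if st.get("Effect") != "Allow" or not _names_lambda(st.get("Principal")):
            continue
        # Action names are case-insensitive and may use wildcards (ecr:*).
        patterns = [p.lower() for p in _as_list(st.get("Action"))]
        hits = {a for a in REQUIRED
                if any(fnmatchcase(a.lower(), p) for p in patterns)}
        granted |= hits
        # Assumption of this example: flag grants that carry no Condition,
        # since they are not limited to a particular account or function.
        if hits and not st.get("Condition"):
            unscoped.append(st.get("Sid", "<no Sid>"))
    missing = [a for a in REQUIRED if a not in granted]
    return missing, unscoped

# Constructed input: the post's statement wrapped in a full policy document.
POST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "LambdaECRImageRetrievalPolicy", "Effect": "Allow",
    "Principal": {"Service": LAMBDA},
    "Action": list(REQUIRED)}]})

if __name__ == "__main__":
    print(check_lambda_pull(POST_POLICY))
```

The input is the `policyText` string returned by `aws ecr get-repository-policy` for the repository; an empty `missing` list means both pull actions are granted to Lambda.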

Summary

If you encounter a Runtime.ExitError with custom container images in Lambda, consider a possible permission error in retrieving the image from ECR, rather than solely a runtime error caused by the code. If it seems like there’s no issue with the code when a runtime error is reported, consider checking if Lambda has access to ECR (and make sure to thoroughly read the official documentation).

Last updated on May 4, 2024
