## AWS Lambda Cross-account ECR sample

This project contains two [AWS SAM](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-getting-started.html) applications used to demonstrate cross-account access to AWS ECR images from AWS Lambda.

- `sam-ecr-repo` - SAM application which creates an ECR repository and adds cross-account permissions for another account, or a list of accounts.
- `sam-cross-account-lambda` - SAM application which creates an API Gateway endpoint that integrates with an AWS Lambda function which references the container image in the `sam-ecr-repo` repository.

In this example, the AWS Account IDs are set up as follows:

- `111111111111` - The account which will own the ECR repository and build/push container images (in `sam-ecr-repo`).
- `222222222222` - This account will create a Lambda function which references the images in the ECR repository created by Account 111111111111.

## Getting started

**Note**, this assumes you have [installed and configured AWS SAM](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-getting-started.html).

### Create the ECR Repository

Deploy the SAM application in the `sam-ecr-repo` directory. Update the `template.yml` file with the AWS Account ID that you would like to allow access. Replace the references to the placeholder Account ID, `222222222222`, with the real AWS Account ID. If you would like to allow access from multiple accounts, simply add a new entry for each one. As an example, to allow Accounts 222222222222 and 333333333333 access, the repository policy would include the following.

```yaml
Condition:
  StringLike:
    aws:sourceArn:
      - arn:aws:lambda:us-east-1:222222222222:function:*
      - arn:aws:lambda:us-east-1:333333333333:function:*
```

and

```yaml
Principal:
  AWS:
    - arn:aws:iam::222222222222:root
    - arn:aws:iam::333333333333:root
```

Once you have made the updates, deploy the stack using AWS SAM.

```bash
$ cd sam-ecr-repo
$ sam build
$ sam deploy --guided
```

Take note of the `ERCRepositoryUri` value from the SAM output.
```text
----------------------------------------------------------------------------------------
Output
----------------------------------------------------------------------------------------
Key                 ERCRepositoryUri
Description         ECR RepositoryUri which may be referenced by Lambda functions
Value               111111111111.dkr.ecr.us-east-1.amazonaws.com/cross-account-function
```

### Build and push the container image

After creating the ECR repository, build the image and push it to ECR. Ensure you are in the `sam-ecr-repo` directory.

#### Using `make`

If you have `make` available, update the `Makefile` with your `ACCOUNT_ID` and preferred AWS `REGION`. Once you have made those changes in the `Makefile`, build and push the image.

```bash
$ cd sam-cross-account-lambda
$ make build
$ make login
$ make deploy
```

#### Using the AWS CLI

You can also build the container image and push it to ECR using `docker` and `aws-cli` commands. Replace the AWS Account ID and region accordingly.

```bash
$ # Build the image
$ docker build -t cross-account-function:01 .
$
$ # Login to ECR
$ export REGION=us-east-1
$ export ACCOUNT_ID=111111111111
$ aws ecr get-login-password --region $REGION | docker login --username AWS --password-stdin $ACCOUNT_ID.dkr.ecr.$REGION.amazonaws.com
$
$ # Tag and push the image
$ docker tag cross-account-function:01 $ACCOUNT_ID.dkr.ecr.$REGION.amazonaws.com/cross-account-function:01
$ docker push $ACCOUNT_ID.dkr.ecr.$REGION.amazonaws.com/cross-account-function:01
```

### Deploy the Lambda function

These steps will deploy a Lambda function which references the image from the prior steps. This should be done using a different AWS Account, matching the Account ID used in the prior steps. In this example, I will be using AWS Account 222222222222.

Edit the SAM template in `sam-cross-account-lambda/template.yaml`. The `ImageUri` attribute should match the `ERCRepositoryUri` output from the first SAM deployment.

In this example the `ImageUri` is set to `111111111111.dkr.ecr.us-east-1.amazonaws.com/cross-account-function:01`, which is the ECR repository name and tag from the previous steps.

```bash
$ cd sam-cross-account-lambda
$ # Edit the ImageUri value in template.yaml
$ sam build
$ sam deploy --guided
```

After deployment has finished, use the API endpoint to test the Lambda function.

```text
---------------------------------------------------------------------------------
Outputs
---------------------------------------------------------------------------------
Key                 HelloWorldApi
Description         API Gateway endpoint URL for Prod stage for Hello World function
Value               https://12345test.execute-api.us-east-1.amazonaws.com/Prod/hello/
---------------------------------------------------------------------------------
```

```bash
$ curl -s https://12345test.execute-api.us-east-1.amazonaws.com/Prod/hello/
{"message": "hello world!"}
```

## Security

See [CONTRIBUTING](CONTRIBUTING.md#security-issue-notifications) for more information.

## License

This library is licensed under the MIT-0 License. See the LICENSE file.
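The two repository policy fragments in the Create the ECR Repository section, worked through as an added Python example that is not part of this project: `build_repo_policy` produces the complete policy for a list of consumer accounts, and `audit_repo_policy` checks an existing policy for the mistakes that defeat the cross-account scoping (a wildcard principal, a Lambda service grant without `aws:sourceArn`, actions beyond pull, a trusted account with no matching `aws:sourceArn` entry). The statement Sids, the two-statement layout and the pull action list are assumed from the AWS Lambda cross-account ECR documentation rather than taken from this project's `template.yml`.

```python
# Read-only actions Lambda needs to pull an image. Assumption: taken from the AWS
# Lambda cross-account ECR documentation, not from this project's template.yml.
PULL_ACTIONS = ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def build_repo_policy(account_ids, region="us-east-1"):
    """Two-statement repository policy: trust each account's root principal, and let
    lambda.amazonaws.com pull only on behalf of functions in those same accounts."""
    for acct in account_ids:
        if not (acct.isdigit() and len(acct) == 12):
            raise ValueError(f"not a 12-digit AWS account id: {acct!r}")
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "CrossAccountPermission", "Effect": "Allow", "Action": PULL_ACTIONS,
         "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in account_ids]}},
        {"Sid": "LambdaECRImageCrossAccountRetrievalPolicy", "Effect": "Allow",
         "Action": PULL_ACTIONS, "Principal": {"Service": "lambda.amazonaws.com"},
         "Condition": {"StringLike": {"aws:sourceArn": [
             f"arn:aws:lambda:{region}:{a}:function:*" for a in account_ids]}}},
    ]}


def audit_repo_policy(policy):
    """Flag a wildcard principal, a Lambda service grant with no aws:sourceArn
    condition, actions beyond pull, and principals with no matching sourceArn."""
    findings, principal_accounts, source_arn_accounts = [], set(), set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid, principal = stmt.get("Sid", "?"), stmt.get("Principal", {})
        if principal == "*" or "*" in _as_list(principal.get("AWS")):
            findings.append(f"{sid}: wildcard principal lets any account pull this repository")
            continue
        # The account id is the fifth colon-separated field of both IAM and Lambda ARNs.
        principal_accounts.update(a.split(":")[4] for a in _as_list(principal.get("AWS")))
        if "lambda.amazonaws.com" in _as_list(principal.get("Service")):
            arns = _as_list(stmt.get("Condition", {}).get("StringLike", {}).get("aws:sourceArn"))
            if not arns:
                findings.append(f"{sid}: lambda.amazonaws.com trusted without an aws:sourceArn condition")
            source_arn_accounts.update(a.split(":")[4] for a in arns)
        findings += [f"{sid}: {a} goes beyond read-only pull"
                     for a in _as_list(stmt.get("Action")) if a not in PULL_ACTIONS]
    for acct in sorted(principal_accounts - source_arn_accounts):
        findings.append(f"account {acct} is a principal but no aws:sourceArn entry scopes Lambda to it")
    return findings
```

Run `audit_repo_policy` against the policy you set (for example via `aws ecr get-repository-policy`) before handing the repository URI to the consuming account; an empty findings list means every trusted account is paired with an `aws:sourceArn` entry and nothing beyond pull is granted.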