0

I'm using a docker image on AWS lambda. In my dockerfile, I've installed an executable (the pulumi cli tool) and confirmed successful installation by running RUN pulumi -version.

When I try to invoke this executable through my lambda, I get permission denied errors from python Popen:

2023-01-25T14:41:45 ws = pulumi.automation.LocalWorkspace(work_dir="/tmp/", pulumi_home="/tmp/.pulumi")
2023-01-25T14:41:45 File "/var/lang/lib/python3.9/site-packages/pulumi/automation/_local_workspace.py", line 125, in __init__
2023-01-25T14:41:45 pulumi_version = self._get_pulumi_version()
2023-01-25T14:41:45 File "/var/lang/lib/python3.9/site-packages/pulumi/automation/_local_workspace.py", line 411, in _get_pulumi_version
2023-01-25T14:41:45 result = self._run_pulumi_cmd_sync(["version"])
2023-01-25T14:41:45 File "/var/lang/lib/python3.9/site-packages/pulumi/automation/_local_workspace.py", line 430, in _run_pulumi_cmd_sync
2023-01-25T14:41:45 return _run_pulumi_cmd(args, self.work_dir, envs, on_output)
2023-01-25T14:41:45 File "/var/lang/lib/python3.9/site-packages/pulumi/automation/_cmd.py", line 55, in _run_pulumi_cmd
2023-01-25T14:41:45 with subprocess.Popen(
2023-01-25T14:41:45 File "/var/lang/lib/python3.9/site-packages/sentry_sdk/integrations/stdlib.py", line 193, in sentry_patched_popen_init
2023-01-25T14:41:45 rv = old_popen_init(self, *a, **kw)  # type: ignore
2023-01-25T14:41:45 File "/var/lang/lib/python3.9/subprocess.py", line 951, in __init__
2023-01-25T14:41:45 self._execute_child(args, executable, preexec_fn, close_fds,
2023-01-25T14:41:45 File "/var/lang/lib/python3.9/subprocess.py", line 1821, in _execute_child
2023-01-25T14:41:45 raise child_exception_type(errno_num, err_msg, err_filename)
2023-01-25T14:41:45 PermissionError: [Errno 13] Permission denied: 'pulumi'[INFO]

I think this is a generic lambda permissions issue, but some extra context in case it is helpful: I'm using the pulumi-python library, which invokes this pulumi cli app via subprocess.

How can I ensure that things I install in my Dockerfile are executable by the lambda user?

Directions I tried:

  • chmod -R a+wrx /root/.pulumi - this command runs ok but I still get the permission error when trying to invoke the executable
  • I notice that my lambda user is sbx_user1051, so I tried to chown -R sbx_user1051 /root/.pulumi - this fails, saying there is no such user. That makes it seem like the lambda user is created after I deploy my docker image
Improve this question
1
  • What is the specific error you're getting (or, how do you know that /root/.pulumi is the problem)? What does your Dockerfile look like? Commented Jan 24, 2023 at 16:43

1 Answer 1

Reset to default
0

In the end I resolved this by moving the installation out of the /root folder into the folder lambda uses as the workspace for task execution:

FROM public.ecr.aws/lambda/python:3.9-x86_64

RUN yum install -y \
    tar \
    gzip \
    ca-certificates \
    curl \
    which \
    && yum clean all

# install pulumi - this will go to the current user's home: /root
RUN curl -fsSL https://get.pulumi.com | sh

# move pulumi to the lambda function's task root folder
RUN mv /root/.pulumi/ ${LAMBDA_TASK_ROOT} 

# grant appropriate permissions
RUN chmod -R a+wrx ${LAMBDA_TASK_ROOT}/.pulumi

RUN chmod a+x ${LAMBDA_TASK_ROOT}/.pulumi/bin/pulumi

# add to path
ENV PATH="${PATH}:${LAMBDA_TASK_ROOT}/.pulumi/bin"

...
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.