Deploy Lambda functions with container images - AWS Prescriptive Guidance

Deploy Lambda functions with container images

Created by Ram Kandaswamy (AWS)

Environment: Production

Technologies: Containers & microservices; Business productivity; Cloud-native; Cost management; Software development & testing; Modernization; Serverless

Workload: All other workloads

AWS services: AWS EC2 Container Registry; AWS Lambda


AWS Lambda supports container images as a deployment model. This pattern shows how to deploy Lambda functions through container images.

Lambda is a serverless, event-driven compute service that you can use to run code for virtually any type of application or backend service without provisioning or managing servers. With container image support for Lambda functions, you get the benefits of up to 10 GB of storage for your application artifact and the ability to use familiar container image development tools.

Prerequisites and limitations


  • Amazon Elastic Container Registry (Amazon ECR) activated

  • Application code

  • Docker images with the runtime interface client


  • Maximum image size supported is 10 GB.

  • Maximum runtime for a Lambda-based container deployment is 15 minutes.


Target technology stack  

  • AWS CodeBuild

  • AWS CodeCommit

  • Docker image

  • Amazon Elastic Container Registry (Amazon ECR)

  • AWS Identity and Access Management (IAM)

  • AWS Lambda

  • Amazon CloudWatch Logs

Target architecture 

Diagram of architecture and five step process.
  1. You create a repository and commit the application code using CodeCommit.

  2. The CodeBuild project is created, using CodeCommit as the source provider.

  3. The CodeBuild run creates the Docker image.

  4. CodeBuild publishes the image to Amazon ECR.

  5. You create the Lambda function using the image in Amazon ECR.

Automation and scale

This pattern can be automated by using AWS CloudFormation, AWS Cloud Development Kit (AWS CDK), or API operations from an SDK. Lambda can automatically scale based on the number of requests, and you can tune it by using the concurrency parameters.


  • AWS CloudFormation Designer integrated JSON and YAML editor – AWS CloudFormation Designer provides an integrated JSON and YAML editor for viewing and editing template details. For example, you can use the integrated editor to define the properties of a resource or to change a template parameter.

  • AWS CodeBuild – AWS CodeBuild is a fully managed build service in the cloud. CodeBuild compiles your source code, runs unit tests, and produces artifacts that are ready to deploy.

  • AWS CodeCommit – AWS CodeCommit is a version control service hosted by AWS. You can use CodeCommit to privately store and manage assets (such as documents, source code, and binary files) in the cloud.

  • AWS CodeStar or another development environment – AWS CodeStar is a cloud-based service for creating, managing, and working with software development projects on AWS.

  • Amazon ECR – Amazon Elastic Container Registry (Amazon ECR) is an AWS managed container image registry service that is secure, scalable, and reliable.

  • AWS Lambda – AWS Lambda is a compute service that supports running code without provisioning or managing servers. Lambda runs your code only when needed and scales automatically, from a few requests per day to thousands per second. You pay only for the compute time that you consume—there is no charge when your code is not running.

  • Docker – Docker is a software platform for building, testing, and deploying applications quickly. Docker packages software into standardized units called containers that have everything the software needs to run, including libraries, system tools, code, and runtime.


Task | Description | Skills required

Create a CodeCommit repository.

The following approach uses Python as the underlying programming language, but you can use other languages, such as Java, Node.js, or Go.

To store the configuration file and the files that will contain the code, create a CodeCommit repository.


Create a CodeBuild project.

On the CodeBuild console, create a new project. Ensure that privileged mode is enabled; it is required to build Docker images, and without it the image will not build successfully.

Provide values for project name and description. Specify a source provider. This example uses CodeCommit. Other options include GitHub, Bitbucket, or Amazon Simple Storage Service (Amazon S3).


Edit the Dockerfile.

The Dockerfile should be located in the top-level directory where you're developing the application. The Python code should be in the src folder.

When you create the image, use the official Lambda supported images. Otherwise, a bootstrap error will occur, making the packing process more difficult.

For details, see the Additional information section.


Create a repo in Amazon ECR.

Create a container repository in Amazon ECR. In the following example command, the name of the repository is cf-demo. The repository will be reused in the buildspec.yaml file.

aws ecr create-repository --repository-name cf-demo
AWS administrator, Developer

Push the image to Amazon ECR.

You can use CodeBuild to perform the image-build process. CodeBuild needs permission to interact with Amazon ECR and to work with S3. As part of the process, the Docker image is built and pushed to the Amazon ECR registry. For details on the template and the code, see the Additional information section.


Verify that the image is in the repository.

To verify that the image is in the repository, on the Amazon ECR console, choose Repositories. The image should be listed, with tags and with the results of a vulnerability scan report if that feature was turned on in the Amazon ECR settings.  

Task | Description | Skills required

Create the Lambda function.

On the Lambda console, choose Create function, and then choose Container image. Enter the function name and the URI for the image that is in the Amazon ECR repository, and then choose Create function.

App developer

Test the Lambda function.

To invoke and test the function, choose Test.

App developer



Build is not succeeding.

  1. Check if the privileged mode is turned on for the CodeBuild project.

  2. Ensure that the Docker-related commands have the necessary permissions. Try adding sudo to the commands.

  3. Verify that the IAM role associated with CodeBuild has a policy with appropriate actions to interact with Amazon ECR, Amazon S3, and CloudWatch Logs.
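
A first-pass check for troubleshooting step 3, added here as an example and not part of the original pattern: it reads a CodeBuild role's policy document and reports which actions the buildspec's ECR login and push, log delivery, and S3 artifact steps would lack, plus grants that are broader than the build needs. The required-action list, the function names, and the sample policy (including the bucket name) are assumptions constructed for illustration.

```python
import fnmatch

# Assumed minimum actions for this pattern's build role (not taken from the page):
# ECR login and push as run by the buildspec, CodeBuild log delivery, S3 artifacts.
REQUIRED = [
    "ecr:GetAuthorizationToken",        # aws ecr get-login-password
    "ecr:BatchCheckLayerAvailability",  # docker push: does the layer already exist?
    "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload", "ecr:PutImage",
    "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
    "s3:GetObject", "s3:PutObject",
]

def _as_list(value):
    # IAM accepts a single string or object wherever a list is allowed.
    return [] if value is None else value if isinstance(value, list) else [value]

def audit_build_role(policy):
    """Return (missing_actions, too_broad) for one identity policy document.
    Only Allow + Action are read; Deny, NotAction and Condition are ignored."""
    granted, too_broad = [], []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        any_resource = "*" in _as_list(stmt.get("Resource"))
        granted += actions
        for action in actions:
            name = action.lower()
            if name == "*" or name.endswith(":*"):
                too_broad.append(action)
            # GetAuthorizationToken only works with Resource "*"; pushes can be scoped.
            elif any_resource and name.startswith("ecr:") and name != "ecr:getauthorizationtoken":
                too_broad.append(action + " on Resource *")
    # IAM action names are case-insensitive and may contain * and ? wildcards.
    missing = [need for need in REQUIRED
               if not any(fnmatch.fnmatchcase(need.lower(), g.lower()) for g in granted)]
    return missing, too_broad

# Constructed sample policy; 11111111, us-east-1 and cf-demo are the page's placeholders,
# the bucket name is hypothetical.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
    {"Effect": "Allow", "Resource": "arn:aws:ecr:us-east-1:11111111:repository/cf-demo",
     "Action": ["ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload", "ecr:PutImage"]},
    {"Effect": "Allow", "Action": "logs:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-artifact-bucket/*"},
]}
```

For SAMPLE_POLICY, audit_build_role reports ecr:BatchCheckLayerAvailability as missing, which makes docker push fail, and logs:* as broader than the build needs.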

Additional information

Edit the Dockerfile

The following screenshot shows the commands for editing the Dockerfile.

Screenshot showing FROM, COPY, RUN, COPY, and CMD commands.


The FROM command value corresponds to the Python 3.8 base image for Lambda functions in the public Amazon ECR image repository.

The COPY requirements.txt command captures the dependencies necessary for the code. 

The RUN pip install --user -r requirements.txt command installs the dependencies to the local user directory. 

The COPY src/ ${LAMBDA_TASK_ROOT} command copies the code to the task root directory, which the Lambda function will use. This command uses the environment variable so we don’t have to worry about the actual path. The function to be run is passed as an argument to the CMD [ "server.lambda_handler" ] command.

Add the image in Amazon ECR

In the following code, replace 11111111 with the account number, and replace us-east-1 if you are using a different Region. The buildspec file uses the CodeBuild build number to uniquely identify image versions as a tag value. You can change this to fit your requirements.

Buildspec custom code

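version: 0.2   # buildspec schema version, required by CodeBuild

phases:
  install:
    runtime-versions:
      python: 3.9
  pre_build:
    commands:
      - python3 --version
      - pip3 install --upgrade pip
      - pip3 install --upgrade awscli
      - sudo docker info
  build:
    commands:
      - echo Build started on `date`
      - echo Building the Docker image...
      - ls
      - cd app
      # Tag the local image with the CodeBuild build number
      - docker build -t cf-demo:$CODEBUILD_BUILD_NUMBER .
      # List local images to confirm that the build produced the tagged image
      - docker image ls
  post_build:
    commands:
      - echo Build completed on `date`
      - echo Pushing the Docker image...
      # Log in to the account's private Amazon ECR registry
      - aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 11111111.dkr.ecr.us-east-1.amazonaws.com
      # Retag the image with the full repository URI, then push it
      - docker tag cf-demo:$CODEBUILD_BUILD_NUMBER 11111111.dkr.ecr.us-east-1.amazonaws.com/cf-demo:$CODEBUILD_BUILD_NUMBER
      - docker push 11111111.dkr.ecr.us-east-1.amazonaws.com/cf-demo:$CODEBUILD_BUILD_NUMBER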