This article was originally published on Medium on Aug 26, 2025.
Setting up Access (the simple way with AWS Console)
Before pushing images to ECR or deploying them in Lambda, the user (you or your teammate) needs the right permissions. Here’s the easiest way to set it up using the AWS Console only.
1. Create a User (or use an existing one)
- Go to IAM in the AWS Console.
- In the left menu, click Users → Add users.
- Give the user a name (e.g., devops-user).
- Select Attach policies directly.
2. Attach Required Permissions
Tick these managed policies:
- AmazonEC2ContainerRegistryFullAccess → lets you push and pull images from ECR.
- AWSLambda_FullAccess → lets you create and update Lambda functions.
- IAMFullAccess (or at least PassRole rights) → needed so you can attach an execution role to Lambda.
If you want to be stricter, you can create a dedicated Lambda execution role separately, but for a simple setup, these three policies will let your user do everything needed.
Click Next → Create user.
3. Create a Role for Lambda to Run
The Lambda itself also needs permission to write logs.
- Go to IAM → Roles → Create role.
- Select Trusted entity: AWS Service → Lambda.
- Attach the policy AWSLambdaBasicExecutionRole.
  - This allows Lambda to send logs to CloudWatch.
- Name the role something like pdf-lambda-exec.
- Create the role.
4. Summary of Who Has What
- Your IAM User → Can:
  - Push images to ECR
  - Create/Update Lambda functions
  - Attach roles to Lambda
- Lambda Execution Role → Used by the Lambda at runtime to:
  - Write logs to CloudWatch
That’s it. With these steps, your user has everything needed to:
- Attach the Lambda execution role for logging
- Build & push images into ECR
- Deploy them into Lambda
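For the stricter option mentioned in step 2, here is an added example (not code from the original article) of a policy that replaces IAMFullAccess with a PassRole grant limited to the pdf-lambda-exec role and to the Lambda service, plus a small check that flags broader grants. The account ID is a constructed placeholder, the broad policy is a simplified stand-in, and the helper name is hypothetical.

```python
import fnmatch

# Constructed placeholder account ID; the role name is the one used in step 3.
ROLE_ARN = "arn:aws:iam::111122223333:role/pdf-lambda-exec"

# Simplified stand-in for the IAM permissions IAMFullAccess grants (assumption:
# reduced to the one statement that matters here).
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}

# Stricter alternative: pass only the execution role, and only to Lambda.
SCOPED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": "iam:PassRole",
    "Resource": ROLE_ARN,
    "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}},
}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def broad_passrole_findings(policy):
    """Return Allow statements that grant iam:PassRole on a wildcard resource
    or without an iam:PassedToService condition (hypothetical helper)."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        # IAM action patterns are case-insensitive and use * and ? wildcards.
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase("iam:passrole", a) for a in actions):
            continue
        wildcard = any("*" in r for r in _as_list(stmt.get("Resource", [])))
        restricted = any(
            key.lower() == "iam:passedtoservice"
            for keys in stmt.get("Condition", {}).values() for key in keys)
        if wildcard or not restricted:
            findings.append(stmt)
    return findings

if __name__ == "__main__":
    for name, policy in (("broad", BROAD), ("scoped", SCOPED)):
        print(name, "->", len(broad_passrole_findings(policy)), "finding(s)")
```

The SCOPED document can be pasted into the JSON editor when creating a customer managed policy in the IAM console, after replacing the placeholder account ID with your own.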
