AWS SAM pipeline

I’m trying to build a pipeline for the standard AWS SAM HelloWorld template using Python 3.8. I’m using this template as a pipeline example. The only change I’m making to the pipeline is the Environment/Image which I’m changing from 3.6.5 to 3.8.3, like so…

        Type: AWS::CodeBuild::Project
            Name: {{cookiecutter.project_name.lower().replace(' ', '-')}}
            Description: Build project for the {{cookiecutter.project_name}}
              Type: CODEPIPELINE
                Type: LINUX_CONTAINER
                ComputeType: BUILD_GENERAL1_SMALL
                # Image: aws/codebuild/python:3.6.5 - *Commenting this out*
                Image: aws/codebuild/python:3.8.3 - *Using this instead*
                    Name: BUILD_OUTPUT_BUCKET
                    Value: !Ref BuildArtifactsBucket
              Type: S3
              Location: !Sub ${BuildArtifactsBucket}/codebuild-cache
            ServiceRole: !GetAtt CodeBuildServiceRole.Arn
                Type: CODEPIPELINE
                Key: "Stack"
                Value: !Ref AWS::StackName
                Key: "Project"
                Value: {{cookiecutter.project_name}}

The Problem

I’m making this change because my lambda’s runtime is python3.8. If I leave the pipeline’s image as aws/codebuild/python:3.6.5 I get the following error…

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/aws_lambda_builders/", line 58, in wrapper
    valid_path = binary_checker.validator.validate(executable_path)
  File "/usr/local/lib/python3.6/site-packages/aws_lambda_builders/workflows/python_pip/", line 45, in validate
    raise MisMatchRuntimeError(language=self.language, required_runtime=self.runtime, runtime_path=runtime_path)
aws_lambda_builders.exceptions.MisMatchRuntimeError: python executable found in your path does not match runtime. 
 Expected version: python3.8, Found version: /usr/local/bin/python.

However, when I change the pipeline’s image to aws/codebuild/python:3.8.3, I get this error in CodeBuild’s Provisioning phase…

BUILD_CONTAINER_UNABLE_TO_PULL_IMAGE: Unable to pull customer's container image. CannotPullContainerError: Error response from daemon: pull access denied for aws/codebuild/python, repository does not exist or may require 'docker login': denied: requested access to the resource is denied

When I search for “codebuild BUILD_CONTAINER_UNABLE_TO_PULL_IMAGE” I find that the error comes from using a custom build image.

My Questions

  1. Am I correct to be changing the pipeline’s image to aws/codebuild/python:3.8.3
  2. Is aws/codebuild/python:3.8.3 a valid image?

Regarding #2, I found this page and, although it’s a little complicated to sift through, I believe 3.8.3 is a valid image.

Any assistance in getting my pipeline running would be appreciated.


This is because it is trying to pull the new image from docker hub which has throttling enabled for pulling images. So what you can do is pull the image from AWS Public ECR and use the same in your environment.

There is another way for this you create your own ECR repo in the account and push the mentioned image to your own ECR and use that in the template.