# aws

nice-lamp-12786

12/02/2020, 3:57 AM
I'm trying to launch an AWS EC2 instance using `iamInstanceProfile` so that I can pull an ECR container image from the EC2 instance, but I'm not seeing examples, and there seem to be problems (using the most recent version of Pulumi)
```typescript
// Trust policy: lets the EC2 service assume this role.
const role = new aws.iam.Role("role", {
    path: "/",
    assumeRolePolicy: `{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Principal": {
               "Service": "ec2.amazonaws.com"
            },
            "Effect": "Allow",
            "Sid": ""
        }
    ]
}
`,
});

const testProfile = new aws.iam.InstanceProfile("testProfile", {role: role.name});

const server = new aws.ec2.Instance("webserver-www", {
    ami: ami.id,
    iamInstanceProfile: testProfile,
...
```
I'm not sure if this is the right approach -- it's not working.

billowy-army-68599

12/02/2020, 6:20 AM
you need to add a `RolePolicyAttachment` that allows ecr to your role, you're on the right track there

nice-lamp-12786

12/02/2020, 4:05 PM
Do you mean this is all I need?
```typescript
// Trust policy generated by the helper: lets the EC2 service assume this role.
const role = new aws.iam.Role("myrole", {
    assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({ Service: "ec2.amazonaws.com" }),
});

const instanceProfile = new aws.iam.InstanceProfile("instanceProfile", {role: role.name});

const server = new aws.ec2.Instance("webserver-www", {
    ami: ami.id,
    iamInstanceProfile: instanceProfile,
});
```
That compiles, but 1) doesn't mention `RolePolicyAttachment` and also, I'm not sure it's the right approach for enabling the EC2 instance to pull images from ECR. Am I on the right track?

billowy-army-68599

12/02/2020, 4:37 PM
No, I’ll send an example shortly just on dog walking duty
@nice-lamp-12786 you need to add the following:
```typescript
const rpa = new aws.iam.RolePolicyAttachment('ecr-access',
    { policyArn: 'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess', role: role.id },
    { parent: role },
);
```

nice-lamp-12786

12/02/2020, 5:17 PM
@billowy-army-68599 Thank you! I've never seen the `parent` thing... it looks like you are using `RolePolicyAttachment` to add 2 rules/objects? But what is the second one? And what is the `iamRole` in this context (in my code above, is it my `const role =`)?

billowy-army-68599

12/02/2020, 5:21 PM
`parent` just makes the output look nice. This only adds one `RolePolicyAttachment` - I've updated it to reference your role, sorry just copied and pasted it and forgot to edit, hope it makes more sense now

nice-lamp-12786

12/02/2020, 5:45 PM
Oh, interesting. Thank you!