nice-lamp-12786
12/02/2020, 3:57 AM
iamInstanceProfile
so that I can pull an ECR container image from the EC2 instance, but I'm not seeing examples, and there seem to be problems (using the most recent version of Pulumi)
const role = new aws.iam.Role("role", {
    path: "/",
    assumeRolePolicy: `{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
`,
});
const testProfile = new aws.iam.InstanceProfile("testProfile", {role: role.name});
const server = new aws.ec2.Instance("webserver-www", {
    ami: ami.id,
    iamInstanceProfile: testProfile,
...
I'm not sure if this is the right approach -- it's not working.
billowy-army-68599
RolePolicyAttachment
that allows ECR to your role, you're on the right track there
nice-lamp-12786
12/02/2020, 4:05 PM
const role = new aws.iam.Role("myrole", {
    assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({ Service: "ec2.amazonaws.com" }),
});
const instanceProfile = new aws.iam.InstanceProfile("instanceProfile", {role: role.name});
const server = new aws.ec2.Instance("webserver-www", {
    ami: ami.id,
    iamInstanceProfile: instanceProfile,
});
That compiles, but 1) doesn't mention RolePolicyAttachment
and also, I'm not sure it's the right approach for enabling the EC2 instance to pull images from ECR. Am I on the right track?
billowy-army-68599
const rpa = new aws.iam.RolePolicyAttachment('ecr-access', {
    policyArn: 'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess',
    role: role.id,
}, { parent: role });
nice-lamp-12786
12/02/2020, 5:17 PM
parent
thing... it looks like you are using RolePolicyAttachment
to add 2 rules/objects? But what is the second one? And what is the iamRole
in this context (in my code above, is it my const role =)
?
billowy-army-68599
RolePolicyAttachment
- I've updated it to reference your role, sorry just copied and pasted it and forgot to edit, hope it makes more sense now
nice-lamp-12786
12/02/2020, 5:45 PM