No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

you need to add a `RolePolicyAttachment` that allows ecr to your role, you're on the right track there

Do you mean this is all I need?
```const role = new aws.iam.Role("myrole", {
    assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({ Service: "<http://ec2.amazonaws.com|ec2.amazonaws.com>" }),
});

const instanceProfile = new aws.iam.InstanceProfile("instanceProfile", {role: role.name});

const server = new aws.ec2.Instance("webserver-www", {
    ami: ami.id,
    iamInstanceProfile: instanceProfile,
});```
That compiles, but 1) doesn't mention `RolePolicyAttachment` and also, I'm not sure it's the right approach for enabling the EC2 instance to pull images from ECR. Am I on the right track?

No, I’ll send an example shortly just on dog walking duty 

<@U01FV98CK6Z> you need to add the following:
```const rpa = new aws.iam.RolePolicyAttachment('ecr-access',
        { policyArn: 'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess', role: role.id }, { parent: role }
    );```

<@UCWG26BH7> Thank you! I've never seen the `parent` thing... it looks like you are using `RolePolicyAttachment` to add 2 rules/objects? But what is the second one? And what is the `iamRole` in this context (in my code above, is it my `const role =)`?

parent just makes the output look nice. This only adds one `RolePolicyAttachment` - I've updated it to reference your role, sorry just copied and pasted it and forgot to edit, hope it makes more sense now