I m trying to launch an AWS EC2 instance using `iamInstanceP Pulumi Community #aws

I'm trying to launch an AWS EC2 instance using `ia...

nice-lamp-12786

12/02/2020, 3:57 AM

I'm trying to launch an AWS EC2 instance using

iamInstanceProfile

so that I can pull an ECR container image from the EC2 instance, but I'm not seeing examples, and there seems to be problems (using the most recent version of Pulumi)

Copy code

const role = new aws.iam.Role("role", {
    path: "/",
    assumeRolePolicy: `{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Principal": {
               "Service": "<http://ec2.amazonaws.com|ec2.amazonaws.com>"
            },
            "Effect": "Allow",
            "Sid": ""
        }
    ]
}
`,
});

const testProfile = new aws.iam.InstanceProfile("testProfile", {role: role.name});

const server = new aws.ec2.Instance("webserver-www", {
    ami: ami.id,
    iamInstanceProfile: testProfile,
...

I'm not sure if this is the right approach -- it's not working.

billowy-army-68599

12/02/2020, 6:20 AM

you need to add a

RolePolicyAttachment

that allows ecr to your role, you're on the right track there

nice-lamp-12786

12/02/2020, 4:05 PM

Do you mean this is all I need?

Copy code

const role = new aws.iam.Role("myrole", {
    assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({ Service: "<http://ec2.amazonaws.com|ec2.amazonaws.com>" }),
});

const instanceProfile = new aws.iam.InstanceProfile("instanceProfile", {role: role.name});

const server = new aws.ec2.Instance("webserver-www", {
    ami: ami.id,
    iamInstanceProfile: instanceProfile,
});

That compiles, but 1) doesn't mention

RolePolicyAttachment

and also, I'm not sure it's the right approach for enabling the EC2 instance to pull images from ECR. Am I on the right track?

billowy-army-68599

12/02/2020, 4:37 PM

No, I’ll send an example shortly just on dog walking duty

billowy-army-68599

12/02/2020, 5:14 PM

@nice-lamp-12786 you need to add the following:

Copy code

const rpa = new aws.iam.RolePolicyAttachment('ecr-access',
        { policyArn: 'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess', role: role.id }, { parent: role }
    );

nice-lamp-12786

12/02/2020, 5:17 PM

@billowy-army-68599 Thank you! I've never seen the

parent

thing... it looks like you are using

RolePolicyAttachment

to add 2 rules/objects? But what is the second one? And what is the

iamRole

in this context (in my code above, is it my

const role =)

billowy-army-68599

12/02/2020, 5:21 PM

parent just makes the output look nice. This only adds one

RolePolicyAttachment

- I've updated it to reference your role, sorry just copied and pasted it and forgot to edit, hope it makes more sense now

nice-lamp-12786

12/02/2020, 5:45 PM

Oh, interesting. Thank you!

2 Views

Open in Slack

Previous Next