nice-lamp-12786

12/02/2020, 3:57 AM
I'm trying to launch an AWS EC2 instance using iamInstanceProfile so that I can pull an ECR container image from the EC2 instance, but I'm not seeing examples, and there seem to be problems (using the most recent version of Pulumi).
const role = new aws.iam.Role("role", {
    path: "/",
    assumeRolePolicy: `{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            },
            "Effect": "Allow",
            "Sid": ""
        }
    ]
}
`,
});

const testProfile = new aws.iam.InstanceProfile("testProfile", {role: role.name});

const server = new aws.ec2.Instance("webserver-www", {
    ami: ami.id,
    iamInstanceProfile: testProfile,
...
I'm not sure if this is the right approach -- it's not working.

billowy-army-68599

12/02/2020, 6:20 AM
you need to add a RolePolicyAttachment that allows ecr to your role, you're on the right track there

nice-lamp-12786

12/02/2020, 4:05 PM
Do you mean this is all I need?
const role = new aws.iam.Role("myrole", {
    assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({ Service: "ec2.amazonaws.com" }),
});

const instanceProfile = new aws.iam.InstanceProfile("instanceProfile", {role: role.name});

const server = new aws.ec2.Instance("webserver-www", {
    ami: ami.id,
    iamInstanceProfile: instanceProfile,
});
That compiles, but 1) doesn't mention RolePolicyAttachment and also, I'm not sure it's the right approach for enabling the EC2 instance to pull images from ECR. Am I on the right track?

billowy-army-68599

12/02/2020, 4:37 PM
No, I’ll send an example shortly just on dog walking duty
@nice-lamp-12786 you need to add the following:
const rpa = new aws.iam.RolePolicyAttachment('ecr-access',
        { policyArn: 'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess', role: role.id }, { parent: role }
    );

nice-lamp-12786

12/02/2020, 5:17 PM
@billowy-army-68599 Thank you! I've never seen the parent thing... it looks like you are using RolePolicyAttachment to add 2 rules/objects? But what is the second one? And what is the iamRole in this context (in my code above, is it my const role =)?

billowy-army-68599

12/02/2020, 5:21 PM
parent just makes the output look nice. This only adds one RolePolicyAttachment - I've updated it to reference your role, sorry just copied and pasted it and forgot to edit, hope it makes more sense now

nice-lamp-12786

12/02/2020, 5:45 PM
Oh, interesting. Thank you!