# general
l
```typescript
import * as aws from "@pulumi/aws";

// `solution_name` (a string) and `solutionRole` (an aws.iam.Role) are
// defined earlier in the pipeline and are not shown in this snippet.

// Attach required role for ECS to pull images
const roleAttachment = new aws.iam.PolicyAttachment(
  `${solution_name}-policy-attachment`,
  {
    roles: [solutionRole.name],
    policyArn: aws.iam.ManagedPolicy.AmazonECSTaskExecutionRolePolicy,
  }
);
```
The `AmazonECSTaskExecutionRolePolicy` is attached to another Role (role-b) in an AWS account. When you run `pulumi destroy` on the pipeline with the attachment in it, the attachment is also removed from `role-b`. System down. This seems related: https://github.com/pulumi/pulumi/issues/918 What am I supposed to do besides create a bunch of user-defined policies and not use managed policies? Not what we want to do.
Apply this issue to the `aws.iam.ManagedPolicy.LambdaFullAccess` policy or some other very widely used policy...
g
Hi Chad, the use of `aws.iam.PolicyAttachment` creates exclusive attachments of IAM policies across AWS accounts. Pulumi docs: https://www.pulumi.com/docs/reference/pkg/aws/iam/policyattachment/ You can use `aws.iam.RolePolicyAttachment` for your use case, which does not create exclusive relationships.
l
Oh @green-stone-37839, you mean this BIG warning in the documentation, I presume:
WARNING: The aws.iam.PolicyAttachment resource creates exclusive attachments of IAM policies.......
Thank you!!!!
g
Anytime!
l
Probably a cut-n-paste from some solution and didn't even read that page. Appreciate this. 🙂
g
no problem!
l
My teammates suggested `ExclusivePolicyAttachment` would be a nice resource name. Just sharing.