How to attach IAM roles to EC2 instances so they can pull a specific image from ECR in Terraform

我的未来我决定 submitted on 2019-12-11 01:55:30

Question


I'm trying to attach an IAM roles to EC2 instances (not ECS) so they can pull images from ECR.


Answer 1:


Do something like this. Note you may want to limit which ECR repos are accessible.

resource "aws_instance" "test" {
  ...
}

resource "aws_launch_configuration" "ecs_cluster" {
  ...
  iam_instance_profile = "${aws_iam_instance_profile.test.id}"
}

resource "aws_iam_role" "test" {
  name = "test_role"
  assume_role_policy = "..."
}

resource "aws_iam_instance_profile" "test" {
  name = "ec2-instance-profile"
  role = "${aws_iam_role.test.name}"
}

resource "aws_iam_role_policy_attachment" "test" {
  role       = "${aws_iam_role.test.name}"
  policy_arn = "${aws_iam_policy.test.arn}"
}

resource "aws_iam_policy" "test" {
  name        = "ec2-instance-pulls-from-ecr"
  description = "EC2 instance can pull from ECR"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}
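Answer 1 points out that access should be limited to specific ECR repositories. The configuration below is an added example (not part of either answer) showing that scoping: `ecr:GetAuthorizationToken` stays on `"*"` because that action accepts no resource-level restriction, while the three pull actions are scoped to one repository ARN. It assumes the role `aws_iam_role.test` from Answer 1 is present and introduces a hypothetical `aws_ecr_repository.app` resource, in the page's Terraform 0.11 interpolation syntax.

```hcl
# Added example: least-privilege variant of the Answer 1 policy.
# Assumes aws_iam_role.test (from Answer 1) exists in the same configuration.

# Hypothetical repository the instances are allowed to pull from.
resource "aws_ecr_repository" "app" {
  name = "my-app" # constructed example name
}

resource "aws_iam_policy" "ec2_pulls_one_repo" {
  name        = "ec2-instance-pulls-from-one-ecr-repo"
  description = "EC2 instance can pull images only from the my-app repository"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GetAuthToken",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    },
    {
      "Sid": "PullFromOneRepo",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage"
      ],
      "Resource": "${aws_ecr_repository.app.arn}"
    }
  ]
}
EOF
}

# Attach the scoped policy to the instance role instead of the "*" policy.
resource "aws_iam_role_policy_attachment" "ec2_pulls_one_repo" {
  role       = "${aws_iam_role.test.name}"
  policy_arn = "${aws_iam_policy.ec2_pulls_one_repo.arn}"
}
```

With this attached, a `docker pull` from any other repository in the account fails with an access-denied error, which is visible in CloudTrail as an `ecr:BatchGetImage` denial for that role.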



Answer 2:


This is known to work in Terraform v0.11.13.

cluster.tf

locals {
  cluster_name = "cluster-${terraform.workspace}"
}

resource "aws_iam_role_policy" "cluster_member" {
  name = "${local.cluster_name}"
  role = "${aws_iam_role.cluster_member.id}"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:UpdateContainerInstancesState",
        "ecs:DeregisterContainerInstance",
        "ecs:DiscoverPollEndpoint",
        "ecs:Poll",
        "ecs:RegisterContainerInstance",
        "ecs:StartTelemetrySession",
        "ecs:Submit*",
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

resource "aws_iam_role" "cluster_member" {
  name = "${local.cluster_name}"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Sid": ""
    }
  ]
}
EOF
}

resource "aws_iam_instance_profile" "cluster_member" {
  name = "${local.cluster_name}"
  role = "${aws_iam_role.cluster_member.name}"
}

data "template_file" "cloud_config" {
  template = "${file("${path.module}/templates/user_data.sh")}"
  vars {
    ecs_cluster = "${local.cluster_name}"
  }
}

resource "aws_instance" "cluster_member" {
  # http://docs.aws.amazon.com/AmazonECS/latest/developerguide/instance_IAM_role.html
  iam_instance_profile = "${aws_iam_instance_profile.cluster_member.name}"

  user_data = "${data.template_file.cloud_config.rendered}"
}

templates/user_data.sh

#!/bin/bash

# See https://docs.aws.amazon.com/AmazonECS/latest/developerguide/launch_container_instance.html

cat <<'EOF' >> /etc/ecs/ecs.config
ECS_CLUSTER=${ecs_cluster}
EOF


Source: https://stackoverflow.com/questions/49562015/how-to-attach-iam-roles-to-ec2-instances-so-they-can-pull-an-specific-image-from
