如何将IAM角色附加到EC2实例，以便它们可以在Terraform中从ECR中提取特定图像 [英] How to attach IAM roles to EC2 instances so they can pull an specific image from ECR in Terraform

问题描述

我正在尝试将IAM角色附加到EC2实例(而不是ECS)上，以便它们可以从ECR中提取图像.

I'm trying to attach an IAM roles to EC2 instances (not ECS) so they can pull images from ECR.

推荐答案

执行以下操作.请注意，您可能希望限制可访问的ECR存储库.

Do something like this. Note you may want to limit which ECR repos are accessible.

resource "aws_instance" "test" {
  ...
}

resource "aws_launch_configuration" "ecs_cluster" {
  ...
  iam_instance_profile = "${aws_iam_instance_profile.test.id}"
}

resource "aws_iam_role" "test" {
  name = "test_role"
  assume_role_policy = "..."
}

resource "aws_iam_instance_profile" "test" {
  name = "ec2-instance-profile"
  role = "${aws_iam_role.test.name}"
}

resource "aws_iam_role_policy_attachment" "test" {
  role       = "${aws_iam_role.test.name}"
  policy_arn = "${aws_iam_policy.test.arn}"
}

resource "aws_iam_policy" "test" {
  name        = "ec2-instance-pulls-from-ecr"
  description = "EC2 instance can pull from ECR"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

这篇关于如何将IAM角色附加到EC2实例，以便它们可以在Terraform中从ECR中提取特定图像的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！