How to attach IAM roles to EC2 instances so they can pull a specific image from ECR in Terraform

Question

I'm trying to attach IAM roles to EC2 instances (not ECS) so they can pull images from ECR.

Accepted answer

Do something like this. Note you may want to limit which ECR repos are accessible.

```hcl
resource "aws_instance" "test" {
  ...
  # A standalone instance also takes iam_instance_profile; set it here
  # the same way as in the launch configuration below.
}

resource "aws_launch_configuration" "ecs_cluster" {
  ...
  # The instance profile is what carries the role onto the instance.
  iam_instance_profile = aws_iam_instance_profile.test.id
}

resource "aws_iam_role" "test" {
  name = "test_role"
  # Trust policy: must allow the EC2 service to assume this role.
  assume_role_policy = "..."
}

resource "aws_iam_instance_profile" "test" {
  name = "ec2-instance-profile"
  role = aws_iam_role.test.name
}

resource "aws_iam_role_policy_attachment" "test" {
  role       = aws_iam_role.test.name
  policy_arn = aws_iam_policy.test.arn
}

resource "aws_iam_policy" "test" {
  name        = "ec2-instance-pulls-from-ecr"
  description = "EC2 instance can pull from ECR"

  # Read-only pull permissions. "Resource": "*" allows pulls from every
  # repository in the account; narrow it to specific repository ARNs if needed.
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}
```
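The answer notes that the policy above lets the instance pull from every repository in the account. The following added example (not part of the original answer) scopes the pull permissions to a single repository; it assumes the role `aws_iam_role.test` from the answer and a repository named `app-image` that already exists.

```hcl
# Added example: least-privilege pull policy scoped to one ECR repository.
# Assumes the role aws_iam_role.test from the answer above and an existing
# repository named "app-image" (a placeholder name; change it to yours).
data "aws_ecr_repository" "app" {
  name = "app-image"
}

data "aws_iam_policy_document" "ecr_pull_one_repo" {
  # ecr:GetAuthorizationToken cannot be restricted to a repository;
  # it must be allowed on "*" or `docker login` / the ECR credential
  # helper will fail before any pull is attempted.
  statement {
    sid       = "EcrLogin"
    effect    = "Allow"
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"]
  }

  # The actual layer and manifest reads are resource-scoped, so only
  # the one repository ARN is granted here.
  statement {
    sid    = "EcrPullOneRepo"
    effect = "Allow"
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage",
    ]
    resources = [data.aws_ecr_repository.app.arn]
  }
}

resource "aws_iam_policy" "ecr_pull_one_repo" {
  name        = "ec2-pulls-one-ecr-repo"
  description = "EC2 instances may pull images only from the app-image repository"
  policy      = data.aws_iam_policy_document.ecr_pull_one_repo.json
}

# Attach in place of the account-wide policy from the answer.
resource "aws_iam_role_policy_attachment" "ecr_pull_one_repo" {
  role       = aws_iam_role.test.name
  policy_arn = aws_iam_policy.ecr_pull_one_repo.arn
}
```

A pull of any other repository from the instance is then denied by IAM, which shows up as an AccessDenied on `ecr:BatchGetImage` in CloudTrail rather than a successful pull.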
