I'm trying to create a Terraform module for AWS Lightsail. The container is using an image from a private ECR repo. Adding the ECR repo via the console is simple but not feasible for IaC. I have a sample configuration but it doesn't seem to work as intended. The policy is attached to the role but it doesn't pull the image. What do I need to do differently?
resource "aws_iam_role" "ecr_image_puller_role" {
  name = "ecr_image_puller_role"

  # Trust policy naming the Lightsail service principal
  assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Principal" : {
          "Service" : "lightsail.amazonaws.com"
        },
        "Action" : "sts:AssumeRole"
      }
    ]
  })
}

# Attach ECR Pull Policy to the Role
resource "aws_iam_policy" "ecr_pull_policy" {
  name        = "ecr_pull_policy"
  description = "Policy allowing access to pull images from ECR"
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        # ecr:GetAuthorizationToken is registry-level, not repository-level;
        # IAM only grants it against Resource "*", so it needs its own statement.
        "Effect" : "Allow",
        "Action" : "ecr:GetAuthorizationToken",
        "Resource" : "*"
      },
      {
        # Repository-scoped pull actions, limited to the single repository.
        "Effect" : "Allow",
        "Action" : [
          "ecr:BatchCheckLayerAvailability",
          "ecr:GetDownloadUrlForLayer",
          "ecr:BatchGetImage"
        ],
        "Resource" : "arn:aws:ecr:eu-west-2:767397947330:repository/flask-blog"
      }
    ]
  })
}

resource "aws_iam_role_policy_attachment" "attach_ecr_pull_policy" {
  role       = aws_iam_role.ecr_image_puller_role.name
  policy_arn = aws_iam_policy.ecr_pull_policy.arn
}
asked Nov 20, 2024 at 15:06 by Tim Maingi
edited Nov 21, 2024 at 13:14 by Tim Maingi
1 Answer
AWS Lightsail doesn't directly assume a role to pull images from ECR. Instead, Lightsail uses its service principal (lightsail.amazonaws.com) to interact with ECR. This is managed via ECR repository resource-based policies.
So you need to add the policy to the ECR repository instead. Here's an example:
# Define an ECR repository
resource "aws_ecr_repository" "flask_blog" {
  name = "flask-blog"
}

# Attach a policy to the ECR repository to allow Lightsail to pull images
resource "aws_ecr_repository_policy" "lightsail_ecr_policy" {
  repository = aws_ecr_repository.flask_blog.name
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Sid" : "AllowLightsailPull",
        "Effect" : "Allow",
        "Principal" : {
          "Service" : "lightsail.amazonaws.com"
        },
        # Note: ecr:GetAuthorizationToken is registry-scoped rather than
        # repository-scoped; the remaining three are the repository pull actions.
        "Action" : [
          "ecr:GetAuthorizationToken",
          "ecr:BatchCheckLayerAvailability",
          "ecr:GetDownloadUrlForLayer",
          "ecr:BatchGetImage"
        ]
      }
    ]
  })
}
Unlike ECS or Lambda, where you explicitly need to add a role allowing them to interact with ECR, Lightsail relies entirely on the ECR resource-based policy; it manages the authentication internally and does not use the IAM role.
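The following is an added example, not code from the question or the answer above. It shows the same idea (the grant lives on the ECR repository, not on a role the caller assumes) expressed through the Terraform AWS provider's own wiring for this: the `aws_lightsail_container_service` resource's `private_registry_access` block, which makes Lightsail generate a per-service puller principal, whose ARN is then the only principal named in the repository policy. The repository name `flask-blog`, the service name `flask-blog-svc`, the `eu-west-2` region, the image tag `v1`, the container port and the provider version constraint are all assumptions for illustration.

```hcl
# Added example (not from the original question or answer): a Lightsail
# container service pulling from a private ECR repository, with the grant
# scoped to one repository, two pull actions and one generated principal.
# Names, region, tag, port and version constraint are assumptions.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.40" # assumption: a provider recent enough to have private_registry_access
    }
  }
}

provider "aws" {
  region = "eu-west-2"
}

resource "aws_ecr_repository" "flask_blog" {
  name                 = "flask-blog"
  image_tag_mutability = "IMMUTABLE" # a deployed tag cannot be silently re-pointed at another image

  image_scanning_configuration {
    scan_on_push = true
  }
}

# Enabling private_registry_access makes Lightsail create the puller principal;
# the service must therefore exist before the repository policy can name it.
resource "aws_lightsail_container_service" "flask_blog" {
  name  = "flask-blog-svc"
  power = "nano"
  scale = 1

  private_registry_access {
    ecr_image_puller_role {
      is_active = true
    }
  }
}

# Repository policy: only this service's puller principal, only the two actions
# a pull needs. No Resource element is needed because the policy is attached to
# the repository itself.
data "aws_iam_policy_document" "lightsail_pull" {
  statement {
    sid    = "AllowLightsailPull"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = [aws_lightsail_container_service.flask_blog.private_registry_access[0].ecr_image_puller_role[0].principal_arn]
    }

    actions = [
      "ecr:BatchGetImage",
      "ecr:GetDownloadUrlForLayer",
    ]
  }
}

resource "aws_ecr_repository_policy" "lightsail_pull" {
  repository = aws_ecr_repository.flask_blog.name
  policy     = data.aws_iam_policy_document.lightsail_pull.json
}

# The deployment is what actually pulls the image, so it must not be created
# before the repository policy is in place; depends_on makes that ordering explicit.
resource "aws_lightsail_container_service_deployment_version" "flask_blog" {
  service_name = aws_lightsail_container_service.flask_blog.name

  container {
    container_name = "flask-blog"
    image          = "${aws_ecr_repository.flask_blog.repository_url}:v1" # assumption: tag v1 has been pushed
    ports = {
      5000 = "HTTP" # assumption: the Flask app listens on 5000
    }
  }

  public_endpoint {
    container_name = "flask-blog"
    container_port = 5000

    health_check {
      path = "/"
    }
  }

  depends_on = [aws_ecr_repository_policy.lightsail_pull]
}

# Useful when the repository lives in another account: that account's policy
# needs this ARN, not a generic service principal.
output "lightsail_puller_principal_arn" {
  value = aws_lightsail_container_service.flask_blog.private_registry_access[0].ecr_image_puller_role[0].principal_arn
}
```

Two things to check after `terraform apply`: the output above should show an IAM role ARN under the account running Lightsail, and the repository policy visible in ECR should list exactly that ARN as its only principal. Granting `ecr:*` or naming a broad principal in the repository policy would also make the pull work, but it would let any caller the principal covers read every image in the repository; the scoped form above fails closed if the service is deleted and recreated with a new principal, which is the behaviour you want.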
Source: amazon web services - Creating an AWS IAM role with a pull policy for ECR to use on AWS lightsail containers - Stack Overflow (http://www.betaflare.com/web/1742351717a2458628.html)