Ability to specify IAM role for worker
We are using Concourse to pull and push images from/to AWS ECR. To make this work we have to specify AWS credentials every time we access the repo.
We want to be able to set up an IAM role assigned to workers that would give them access to ECR. The role policy would look like this:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:CreateCluster",
        "ecs:DeregisterContainerInstance",
        "ecs:DiscoverPollEndpoint",
        "ecs:Poll",
        "ecs:RegisterContainerInstance",
        "ecs:StartTelemetrySession",
        "ecs:Submit*",
        "ecr:GetAuthorizationToken",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability",
        "s3:GetObject",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }
  ]
}
```
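As an added example (not part of the issue or of Concourse), the check below walks the policy proposed above and lists every Allow action granted on `Resource: "*"` that could instead be pinned to an ARN, then builds a scoped pull-only alternative. It assumes only that `ecr:GetAuthorizationToken` is the one action here that takes no resource-level permission; the repository ARN is a placeholder.

```python
import json
from typing import Dict, List

# The worker policy proposed in the issue, embedded inline so the check runs offline.
PROPOSED_POLICY: Dict = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": "*"},
        {"Effect": "Allow", "Resource": "*", "Action": [
            "ecs:CreateCluster", "ecs:DeregisterContainerInstance", "ecs:DiscoverPollEndpoint",
            "ecs:Poll", "ecs:RegisterContainerInstance", "ecs:StartTelemetrySession", "ecs:Submit*",
            "ecr:GetAuthorizationToken", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
            "ecr:BatchCheckLayerAvailability", "s3:GetObject", "logs:CreateLogStream", "logs:PutLogEvents"]},
    ],
}

# Actions that accept no resource-level permission and so legitimately need Resource "*".
# Assumption: only ecr:GetAuthorizationToken is listed; extend from the AWS action tables as needed.
WILDCARD_ONLY_ACTIONS = {"ecr:GetAuthorizationToken"}


def _as_list(value) -> List[str]:
    """IAM allows a bare string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def wildcard_findings(policy: Dict) -> List[str]:
    """Return Allow actions granted on Resource "*" that could instead be scoped to ARNs."""
    findings: List[str] = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            continue
        findings.extend(a for a in _as_list(stmt.get("Action")) if a not in WILDCARD_ONLY_ACTIONS)
    return findings


def scoped_pull_policy(repository_arn: str) -> Dict:
    """Least-privilege policy for pulling images from a single ECR repository.

    The token call stays on "*"; the layer and image reads are pinned to the repository ARN.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["ecr:GetAuthorizationToken"], "Resource": "*"},
            {"Effect": "Allow", "Resource": repository_arn, "Action": [
                "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"]},
        ],
    }


if __name__ == "__main__":
    print("actions on Resource \"*\" that could be scoped:", wildcard_findings(PROPOSED_POLICY))
    # Placeholder ARN: substitute the real region, account id and repository name.
    print(json.dumps(scoped_pull_policy("arn:aws:ecr:REGION:ACCOUNT_ID:repository/REPO_NAME"), indent=2))
```

Pushing images needs additional ECR write actions on the same repository ARN, which the pull-only policy above deliberately omits.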
Hi @vlad-ro,
I'm not familiar with how ECR validates the identity of a worker. Would this work given that tasks and puts run in containers?
Here is some sample code for how this might look: https://github.com/vlad-ro/concourse-up/commit/00689f80c69901f26b5cc1153c1ae07ef3622ad6
Unfortunately I haven't had a chance to test it. However, we are using a similar approach with Concourse deployed on AWS ECS, where even Concourse itself runs in a container!