This repository was archived by the owner on Nov 27, 2023. It is now read-only.

Add Support to use existing IAM role by referring to it by its ARN #1500

Closed
rosven opened this issue Apr 7, 2021 · 5 comments
Comments

@rosven
Contributor

rosven commented Apr 7, 2021

It is currently possible to create policies beforehand and refer to those as x-aws-policies in the configuration. This dynamically creates an IAM Role with a role name consisting of myApplicationTaskRole-someHash. Likewise, it's supported to create a tailored IAM role with x-aws-role.

A problem arises when you want to refer to the IAM role elsewhere, for example in a Terraform flow where the ARN of the IAM Role needs to be defined. In my specific use case, I need to define my IAM role inside of the access policies of an Elasticsearch service. This can be done by looking up the created role ARN and manually adding it to the access policies. However, it's not possible in an automated flow because the name is not deterministic.

Would it be possible to add support to refer to an existing IAM Role by ARN inside of the config and that it is automated so that role is used for the created task instead?

Grateful for non-hacky workarounds or added support for this!

@rosven rosven changed the title Use existing IAM role by referring to it by its ARN Add Support to use existing IAM role by referring to it by its ARN Apr 7, 2021
@rosven
Contributor Author

rosven commented Apr 7, 2021

Seems that if this part in the file: https://github.com/docker/compose-cli/blob/6a0269f7b93b8e9228a1ed009e6d0a1144d83651/ecs/cloudformation.go

Lines: https://github.com/docker/compose-cli/blob/6a0269f7b93b8e9228a1ed009e6d0a1144d83651/ecs/cloudformation.go#L174-L183

Checking for taskRole ARN in config before creating it and setting it to config ARN definition.TaskRoleArn = configArn. Could work?
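The check proposed above, written out as an added example (my code, not compose-cli's, and not taken from the linked cloudformation.go). It assumes a hypothetical compose extension key `x-aws-role-arn` carrying the existing role's ARN; that key name is an assumption for illustration. Beyond the comment's suggestion, the example also validates that the configured value really is an IAM role ARN before it is accepted, so that a typo or a user/policy ARN is rejected instead of producing a task definition that fails at deploy time with a less obvious error:

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// roleArnExtension is the hypothetical compose extension key under which an
// existing role ARN would be given. It is an assumption for this example and
// not an option compose-cli defines.
const roleArnExtension = "x-aws-role-arn"

// iamRoleArn matches arn:<partition>:iam::<12-digit account>:role/<path+name>.
// Anything else (an IAM user ARN, a policy ARN, a bare role name) is rejected.
var iamRoleArn = regexp.MustCompile(`^arn:(aws|aws-cn|aws-us-gov):iam::\d{12}:role/[\w+=,.@/-]+$`)

// ErrBadRoleArn is returned when the configured value is not an IAM role ARN.
var ErrBadRoleArn = errors.New("value is not an IAM role ARN")

// resolveTaskRole returns the value to place in the task definition's TaskRoleArn.
// If the service extensions carry an explicit role ARN it is validated and used;
// otherwise generatedRef (the reference to the role the template itself would
// create) is returned, which is the fallback the comment above proposes.
func resolveTaskRole(extensions map[string]interface{}, generatedRef string) (string, error) {
	raw, ok := extensions[roleArnExtension]
	if !ok {
		return generatedRef, nil
	}
	arn, isString := raw.(string)
	if !isString || !iamRoleArn.MatchString(arn) {
		return "", fmt.Errorf("%s: %w (%v)", roleArnExtension, ErrBadRoleArn, raw)
	}
	return arn, nil
}

func main() {
	// Constructed sample extension maps, as parsed from a compose service block.
	// "Ref:TaskRole" stands in for whatever reference the template generator
	// emits for the role it creates itself.
	samples := []map[string]interface{}{
		{roleArnExtension: "arn:aws:iam::123456789012:role/my-app-task"}, // existing role: used as-is
		{},                                                               // no key: generated role is used
		{roleArnExtension: "arn:aws:iam::123456789012:user/bob"},         // not a role: rejected
	}
	for _, ext := range samples {
		arn, err := resolveTaskRole(ext, "Ref:TaskRole")
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Println("TaskRoleArn =", arn)
	}
}
```

Because the ARN is checked against the `iam::<account>:role/` shape rather than merely being non-empty, a value that points at a different AWS partition or at a non-role principal is caught at template generation, where the compose file author can fix it, rather than surfacing as a CloudFormation or ECS failure.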

@defyrlt
Contributor

defyrlt commented Apr 7, 2021

@rosven: I haven't tried this, and not sure if it fits the description of a "non-hacky" solution, but you can probably define an output via x-aws-cloudformation and use it in terraform.

@rosven
Contributor Author

rosven commented Apr 7, 2021

@defyrlt Thank you for the suggestion. Unfortunately, it sounds like a similar solution to what I already found (which I consider hacky), where you simply search for the role name in the aws cli and get ARNs matching that. I would like to know deterministically what the ARN is to the role without looking it up so that I can have the role ARN locked and checked in, inside of my other configurations. I also don't want to terraform every time I make changes and deploy services to ECS; that's kind of the point of using this feature.

This is the other way of doing it: (I have not tested the one you suggest)

aws iam list-roles --query 'Roles[?starts_with(RoleName, `S3`) == `true`].Arn'

@rosven
Contributor Author

rosven commented Apr 9, 2021

I found another solution to this issue. PM me if you ever end up with the same situation or issue and I'll help out.

@rosven rosven closed this as completed Apr 9, 2021
@stevenpitts

@rosven's notes on their solution: #1506 (comment)
