Tags: amazon-web-services, aws-cloudformation, amazon-iam, amazon-ecs

Task execution role for ECS tasks - Cloudformation


I am trying to access an IAM role which I created using the AWS console. The role was simple, as I had to give it the ECS task execution role so that it has the permission to pull the image from ECR. I have come up with this code; what am I missing in this code?

    Role:
        Type: 'AWS::IAM::Role'
        Properties:
          AssumeRolePolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Principal:
                  Service:
                    - ec2.amazonaws.com
                Action:
                  - 'sts:AssumeRole'
          Path: /
          ManagedPolicyArns:
            - arn:aws:iam::02004621356:role/ecs-ec2-task

2- What if I want to create a new task execution role and give it only the permission to pull the image from ECR? What changes should I make?


Solution

  • The trust principal should be ecs-tasks.amazonaws.com:

    Role:
        Type: 'AWS::IAM::Role'
        Properties:
          AssumeRolePolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Principal:
                  Service:
                    - ecs-tasks.amazonaws.com   # ECS tasks, not EC2 instances, assume an execution role
                Action:
                  - 'sts:AssumeRole'
          Path: /
          # ManagedPolicyArns accepts IAM policy ARNs only; a role ARN such as
          # arn:aws:iam::02004621356:role/ecs-ec2-task is rejected when the stack is created.
          # The AWS-managed execution role policy grants ECR pull plus CloudWatch Logs;
          # drop this block if the inline policy below should be the only grant.
          ManagedPolicyArns:
            - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
          Policies:
            - PolicyName: AccessECR
              PolicyDocument:
                Version: '2012-10-17'
                Statement:
                  - Effect: Allow
                    Action:
                      - ecr:GetAuthorizationToken
                      - ecr:BatchCheckLayerAvailability   # needed together with the two below for a pull
                      - ecr:BatchGetImage
                      - ecr:GetDownloadUrlForLayer
                    # GetAuthorizationToken only works against '*'; the other three actions can be
                    # scoped to the repository ARN in a separate statement.
                    Resource: '*'
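As an added example (not code from the question or the answer), a small Python lint that flags the two defects in the posted template before deployment: a trust policy that names ec2.amazonaws.com instead of ecs-tasks.amazonaws.com, and a role ARN under ManagedPolicyArns, which only accepts policy ARNs. It also reports any ECR pull action the inline policies do not grant. It assumes the template has already been loaded into a plain dict (from JSON, or a YAML loader that handles CloudFormation tags); the sample role is constructed from the question.

```python
import re

ECS_TASKS_PRINCIPAL = "ecs-tasks.amazonaws.com"
# Actions the ECS agent needs to authenticate to ECR and pull an image.
ECR_PULL_ACTIONS = {"ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
                    "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"}
# ManagedPolicyArns only accepts IAM policy ARNs (customer or AWS managed), never role ARNs.
POLICY_ARN_RE = re.compile(r"^arn:aws:iam::[^:]*:policy/")


def _as_list(value):
    # IAM documents allow a single string where a list is also accepted.
    return value if isinstance(value, list) else [value]


def lint_execution_role(role):
    """Return findings for one AWS::IAM::Role resource dict (empty list = looks fine)."""
    props = role["Properties"]
    findings = []
    # 1. Trust policy: the ECS tasks service (not EC2) must be allowed to assume the role.
    trust = props.get("AssumeRolePolicyDocument", {})
    services = set()
    for stmt in _as_list(trust.get("Statement", [])):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") == "Allow" and isinstance(principal, dict):
            services.update(_as_list(principal.get("Service", [])))
    if ECS_TASKS_PRINCIPAL not in services:
        findings.append(f"trust policy must allow {ECS_TASKS_PRINCIPAL}, found {sorted(services)}")
    # 2. ManagedPolicyArns: reject anything that is not an IAM policy ARN.
    for arn in props.get("ManagedPolicyArns", []):
        if not POLICY_ARN_RE.match(str(arn)):
            findings.append(f"ManagedPolicyArns entry is not a policy ARN: {arn}")
    # 3. Inline policies: report ECR pull actions that no Allow statement grants.
    granted = set()
    for policy in props.get("Policies", []):
        for stmt in _as_list(policy["PolicyDocument"].get("Statement", [])):
            if stmt.get("Effect") == "Allow":
                granted.update(_as_list(stmt.get("Action", [])))
    missing = [] if "ecr:*" in granted else sorted(ECR_PULL_ACTIONS - granted)
    if missing:
        findings.append("inline policies do not grant: " + ", ".join(missing))
    return findings


# Constructed sample: the role as posted in the question (EC2 trust, role ARN, no inline policy).
QUESTION_ROLE = {"Type": "AWS::IAM::Role", "Properties": {
    "AssumeRolePolicyDocument": {"Statement": [{
        "Effect": "Allow", "Principal": {"Service": ["ec2.amazonaws.com"]},
        "Action": ["sts:AssumeRole"]}]},
    "ManagedPolicyArns": ["arn:aws:iam::02004621356:role/ecs-ec2-task"],
}}
```

Running `lint_execution_role(QUESTION_ROLE)` yields three findings; the corrected role from the answer yields none.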