Ability to specify IAM role for worker

[vlad-ro]

We are using Concourse to pull and push images from/to AWS ECR.
To make this work we have to specify AWS credentials for any time we access the repo.

We want to be able to setup an IAM role assigned to workers that would give it access to ECR. Therole policy would look like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecs:CreateCluster",
                "ecs:DeregisterContainerInstance",
                "ecs:DiscoverPollEndpoint",
                "ecs:Poll",
                "ecs:RegisterContainerInstance",
                "ecs:StartTelemetrySession",
                "ecs:Submit*",
                "ecr:GetAuthorizationToken",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "s3:GetObject",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }
    ]
}

[DanielJonesEB]

Hi @vlad-ro,

I'm not familiar with how ECR validates the identity of a worker. Would this work given that tasks and puts run in containers?

[vlad-ro]

Here is some sample code for how this might look: https://github.com/vlad-ro/concourse-up/commit/00689f80c69901f26b5cc1153c1ae07ef3622ad6
Unfortunately I haven't had a chance to test it. However we are using a similar approach with Concourse deployed on AWS ECS where even Concourse itself runs in a container!