
Add support for adding an IAM role to workers

Open nbrys opened this issue 5 years ago • 5 comments

We are using IAM roles on our worker nodes for granting access to an S3 bucket where other terraform statefiles are defined. Add support for adding an IAM role to the worker nodes

nbrys avatar Apr 30 '19 05:04 nbrys

Hi @nbrys

I'm not sure I fully understand what the need is here. Do you mean you want to add an IAM role to the worker VMs so that containers spawned on them can connect to AWS with the proper auth? Have you confirmed that this works? I vaguely remember trying it with os_conf about two years ago and having it not work.

We have generally tried to keep Control Tower simple and opinionated. I'm cautious about adding the ability to make customisations outside of Concourse itself. I can see changes like this causing complications with our auto updating mechanism down the line.

There is an ongoing discussion within the Concourse community on how to implement IAM roles into the product. From my perspective it would be preferable to solve this problem on the resource level rather than on the VM level. The terraform resource now supports terraform backends and the s3 backend appears to support roles. Maybe this could be of use.

crsimmons avatar Apr 30 '19 10:04 crsimmons

I'm not sure I fully understand what the need is here. Do you mean you want to add an IAM role to the worker VMs so that containers spawned on them can connect to AWS with the proper auth? Have you confirmed that this works? I vaguely remember trying it with os_conf about two years ago and having it not work.

Hi @crsimmons, this is indeed what I mean. Without a proper IAM role on the worker nodes, they are not allowed to access resources on S3. I manually added the correct IAM role on the worker nodes now, and our pipeline started working again. Our pipeline runs different Terraform code whose state files are on S3.

nbrys avatar Apr 30 '19 10:04 nbrys

I'm running into this same limitation. I want my workers to be able to access services like ECS, KMS, Lambda, etc. To work around this, I'm using Terraform:

  • aws_iam_role - a role I call "control_tower_resource"
  • aws_iam_policy - a policy that grants access to services like ECR ("ecr:*",)
  • aws_iam_role_policy_attachment - attaching the policy to the role
  • aws_iam_instance_profile - attaching the role to an instance profile - I call this "control_tower_concourse_profile"

Unfortunately, Terraform doesn't have a way to attach IAM roles to existing EC2 instances, so I have to use the EC2 UI and click through "Instance Settings => Attach/Replace IAM Role" to manually attach my "control_tower_concourse_profile".

bkonkle avatar Sep 11 '19 17:09 bkonkle
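The four resources listed in the comment above, written out as an added example; this is not configuration from the thread or from control-tower itself. It keeps the two names quoted in the comment (`control_tower_resource` and `control_tower_concourse_profile`) but scopes the policy to ECR pull actions and to one Terraform state bucket, which is what the pipelines in this thread actually need, instead of `ecr:*`. The region, account id, bucket name and policy name are placeholders.

```hcl
terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

provider "aws" {
  region = "eu-west-1" # assumption, not from the thread
}

# Placeholder values: replace with your own account details.
locals {
  state_bucket  = "EXAMPLE-terraform-state-bucket"                        # placeholder
  ecr_repo_arns = ["arn:aws:ecr:eu-west-1:123456789012:repository/*"]     # placeholder account id
}

# Trust policy: only EC2 instances may assume this role (via the instance profile).
data "aws_iam_policy_document" "worker_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "control_tower_resource" {
  name               = "control_tower_resource"
  assume_role_policy = data.aws_iam_policy_document.worker_trust.json
}

# Permissions policy, limited to pulling images from ECR and to
# reading/writing Terraform state in a single bucket.
data "aws_iam_policy_document" "worker_permissions" {
  # GetAuthorizationToken does not accept a resource ARN, so it must be "*".
  statement {
    sid       = "EcrLogin"
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"]
  }
  statement {
    sid = "EcrPull"
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:BatchGetImage",
      "ecr:GetDownloadUrlForLayer",
    ]
    resources = local.ecr_repo_arns
  }
  statement {
    sid       = "StateBucketList"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::${local.state_bucket}"]
  }
  statement {
    sid       = "StateObjects"
    actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = ["arn:aws:s3:::${local.state_bucket}/*"]
  }
}

resource "aws_iam_policy" "control_tower_worker" {
  name   = "control_tower_worker" # placeholder name
  policy = data.aws_iam_policy_document.worker_permissions.json
}

resource "aws_iam_role_policy_attachment" "worker" {
  role       = aws_iam_role.control_tower_resource.name
  policy_arn = aws_iam_policy.control_tower_worker.arn
}

# The instance profile is the object that is attached to the EC2 instance.
resource "aws_iam_instance_profile" "control_tower_concourse_profile" {
  name = "control_tower_concourse_profile"
  role = aws_iam_role.control_tower_resource.name
}

output "worker_instance_profile_name" {
  value = aws_iam_instance_profile.control_tower_concourse_profile.name
}
```

After `terraform apply`, the profile still has to be attached to the running worker instances, either through the console step described in the comment or with `aws ec2 associate-iam-instance-profile --instance-id <worker-instance-id> --iam-instance-profile Name=control_tower_concourse_profile`. Every task container that runs on a worker can reach the instance metadata service and therefore inherits these credentials, which is the reason for listing individual actions and resource ARNs rather than a service-wide wildcard.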

Same here, I'm using Concourse to run Terraform and using an IAM Role attached to workers using an Instance Profile would be the preferred way to grant the right permissions.

giorgioprevitera avatar Nov 03 '19 16:11 giorgioprevitera

Hi, we really need this feature to add roles for worker instances; right now we have to use Lambda for that...

zagr0 avatar Mar 06 '20 07:03 zagr0