woodjme / autoscaling-ec2-gitlab-runners-fargate

Autoscaling EC2 GitLab Runners Spawned by Fargate
MIT License

Use IAM Role rather than User #4

Open sammcj opened 4 years ago

sammcj commented 4 years ago

Is your feature request related to a problem? Please describe.

It's best practice for services such as CI/CD to use AWS IAM Roles rather than Users.

Describe the solution you'd like

A Role should be used rather than creating and using a full User account.

Additional context

woodjme commented 4 years ago

That flag sets the instance profile of the EC2 runner instance, not the Fargate container that the IAM user is created for. At the moment Fargate doesn't support IAM Instance Profiles so an IAM user is needed.

sammcj commented 4 years ago

I'm not certain that a user is required.

At the moment the Task and Task Executor are using the same role. My thinking is that they should be two different roles, and the Task role should have access to create and terminate EC2 instances.

woodjme commented 4 years ago

Made some progress on this issue: the S3 user is now only used to access the S3 cache.

When the S3 access key and secret key environment variables are removed, the runner returns:

No URL provided, cache will not be downloaded from shared cache server.

sammcj commented 4 years ago

@woodjme it looks like https://github.com/woodjme/autoscaling-ec2-gitlab-runners-fargate/pull/8 fixes this! 🎉

fedemzcor commented 4 years ago

How can I reach the EC2 IAM profile credentials from the EC2 runner in a pipeline job?

alexjfisher commented 3 years ago

No URL provided, cache will not be downloaded from shared cache server.

With my current runner setup, I've been able to get around needing an IAM user (which my org has mostly banned) by creating an S3 endpoint and attaching a policy to the cache bucket that allows access from that endpoint.
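The bucket-policy approach described in the comment above, written out as an added example (it is not from this thread or the project). The bucket name, VPC endpoint ID and account ID are placeholders; the `aws:PrincipalAccount` condition is an extra restriction on top of what the comment describes, so that requests arriving through the endpoint must still be signed by a principal in your own account rather than being allowed anonymously:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRunnerCacheOnlyViaVpcEndpoint",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::EXAMPLE-runner-cache-bucket",
        "arn:aws:s3:::EXAMPLE-runner-cache-bucket/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:SourceVpce": "vpce-EXAMPLE0123456789",
          "aws:PrincipalAccount": "123456789012"
        }
      }
    }
  ]
}
```

With access granted this way the runner no longer needs an S3 access key and secret key in its environment; the credentials it already holds from the EC2 instance profile are enough, and any request that does not come through that endpoint from that account is refused.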

alexjfisher commented 3 years ago

I'm no longer too sure why I needed to do this. The changes in #8 (when applied to current master branch) seem to work fine for me.