Concourse and Vault

I deployed Concourse CI onto an ECS cluster and it works perfectly. Deployed an EC2 instance w/ Vault but cannot for the life of me get the ECS cluster task role to be able to get the token from Vault using the role perms. I gave it GetRole, GetUser and describe EC2 instance and still no go. It's not until I do arn:arn:account#here:* that it works fine. Any way to narrow this down to the bound IAM role?

Hi @chelapa,

Are you able to post the complete IAM policy you’re using? The policy may also need iam:GetInstanceProfile.

The EC2 auth method uses the instance’s identity document, which would be returned by the container instance’s IAM role. I don’t think this identity document is passed to an ECS task role, which may need to use Vault’s IAM auth method instead.

Let me know if you find something, I’ll check and see if I can find some more information!

I actually got it all to work. It was the steps I took that were not in line with the deployment. Thank you for quickly replying =)
