Add permissions for batch to execute private ecr image

OvertureMaps · Aug 7, 2024 · 49b4fe5 · 49b4fe5
1 parent c9eb45d
commit 49b4fe5
Showing 1 changed file with 21 additions and 1 deletion.
diff --git a/overture-tiles-cdk/lib/overture-tiles-cdk-stack.ts b/overture-tiles-cdk/lib/overture-tiles-cdk-stack.ts
@@ -82,6 +82,25 @@ export class OvertureTilesCdkStack extends cdk.Stack {
       }),
     );
 
+    const executionRole = new iam.Role(this, `${ID}ExecutionRole`, {
+      assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
+    });
+
+    executionRole.addToPolicy(
+      new iam.PolicyStatement({
+        actions: [
+          "logs:CreateLogStream",
+          "logs:PutLogEvents",
+          "sts:AssumeRole"
+        ],
+        resources: ["*"],
+      }),
+    );
+
+    executionRole.addManagedPolicy(
+      iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonEC2ContainerRegistryReadOnly')
+    );
+
     for (let theme of [
       "addresses",
       "admins",
@@ -102,7 +121,8 @@ export class OvertureTilesCdkStack extends cdk.Stack {
             memory: cdk.Size.gibibytes(60),
             cpu: 30,
             command: [bucket.bucketName, theme],
-            jobRole: role
+            jobRole: role,
+            executionRole: executionRole
           },
         ),
       });