Create IAM roles

This section shows you how to use the IAM stack to create IAM roles for authenticating to ECR from your application repository.

Before you begin

You should already have an IAM stack in your infrastructure repository. In this stack you should have a file named If you don't:

ok get-template

Step 1: Configure the policies

Include the name of the ECR repository you wish to push images to by adding it to the ecr_repository_names local variable:

ecr_repository_names = [ # the repository names are not shown on this page
]

The Terraform code will generate a policy for each of the repositories you add here. The next step will show you how to create a role and add policies to it.

Step 2: Configure the roles

Add the policies to the repositories and GitHub deployment environments that need to push to ECR:

repositories = {
  "treasures" = { # (1)!
    "gh_environments" = {
      "${local.environment}-ecr" = { # (2)!
        "policies" = [ # (3)!
          # ARN of a generated policy (the value is not shown on this page)
        ]
      }
    }
  }
}

  1. Here treasures is the name of the application repository where you're running the workflow.
  2. This could evaluate to pirates-dev-ecr and is the name of the GitHub deployment environment that you configured earlier.
  3. This is the ARN of one of the generated policies that allows the deployment environment to push to ECR. You can add more policies here if you need to.

Step 3: Apply the configuration

Run terraform apply to create the roles and policies. Keep the ARN of the role ready for the next part of the guide. You need to add it as a secret to the application repository.
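After applying, it is worth confirming that the role can only be assumed from the intended repository and deployment environment. The following check is an added example, not code from this guide or its IAM stack. It assumes the role is assumed through GitHub's OIDC provider, which this page does not state, and the organisation name `example-org`, the account ID and both sample policies are constructed placeholders.

```python
# Assumption: the role is assumed through GitHub's OIDC provider (not stated on this page).
GITHUB_OIDC = "token.actions.githubusercontent.com"

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, org, repo, environment):
    """Return findings; an empty list means the role is pinned to one repo and environment."""
    expected_sub = f"repo:{org}/{repo}:environment:{environment}"
    findings = []
    allows = [s for s in as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]
    if not allows:
        findings.append("no Allow statement found")
    for stmt in allows:
        principal = stmt.get("Principal")
        federated = as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if not federated or not all(p.endswith(f":oidc-provider/{GITHUB_OIDC}") for p in federated):
            findings.append("principal is not limited to the GitHub OIDC provider")
            continue
        exact = stmt.get("Condition", {}).get("StringEquals", {})
        if as_list(exact.get(f"{GITHUB_OIDC}:aud", [])) != ["sts.amazonaws.com"]:
            findings.append("aud is not pinned to sts.amazonaws.com")
        if as_list(exact.get(f"{GITHUB_OIDC}:sub", [])) != [expected_sub]:
            findings.append(f"sub is not pinned to {expected_sub}")
    return findings

def trust_policy(condition):
    """Build a constructed sample trust policy around the given Condition block."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{GITHUB_OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition,
    }]}

# Constructed samples: the account ID and "example-org" are placeholders.
SCOPED = trust_policy({"StringEquals": {
    f"{GITHUB_OIDC}:aud": "sts.amazonaws.com",
    f"{GITHUB_OIDC}:sub": "repo:example-org/treasures:environment:pirates-dev-ecr",
}})
TOO_BROAD = trust_policy({
    "StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{GITHUB_OIDC}:sub": "repo:example-org/*"},
})

if __name__ == "__main__":
    for name, doc in (("scoped", SCOPED), ("too broad", TOO_BROAD)):
        print(name, audit_trust_policy(doc, "example-org", "treasures", "pirates-dev-ecr"))
```

The policy document to audit can be read from the created role with `aws iam get-role` (the `Role.AssumeRolePolicyDocument` field).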