feat: Add ECR Public permissions to EKS Auto Mode node IAM role (#3665)

fix: add ECR Public permissions to node role Include permissions for authenticated container pulls from public ECR in the node roles used for EKS Auto clusters. Without them, the pulls will still succeed, but they can be rate-limited, resulting in slow pod startup times.
SCT-Engineering · Apr 1, 2026 · c07c26c · c07c26c
1 parent 307dcf3
commit c07c26c
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/main.tf b/main.tf
@@ -921,8 +921,9 @@ resource "aws_iam_role" "eks_auto" {
 # Policies attached ref https://docs.aws.amazon.com/eks/latest/userguide/service_IAM_role.html
 resource "aws_iam_role_policy_attachment" "eks_auto" {
   for_each = { for k, v in {
-    AmazonEKSWorkerNodeMinimalPolicy   = "${local.iam_role_policy_prefix}/AmazonEKSWorkerNodeMinimalPolicy",
-    AmazonEC2ContainerRegistryPullOnly = "${local.iam_role_policy_prefix}/AmazonEC2ContainerRegistryPullOnly",
+    AmazonEKSWorkerNodeMinimalPolicy             = "${local.iam_role_policy_prefix}/AmazonEKSWorkerNodeMinimalPolicy",
+    AmazonEC2ContainerRegistryPullOnly           = "${local.iam_role_policy_prefix}/AmazonEC2ContainerRegistryPullOnly",
+    AmazonElasticContainerRegistryPublicReadOnly = "${local.iam_role_policy_prefix}/AmazonElasticContainerRegistryPublicReadOnly",
   } : k => v if local.create_node_iam_role }
 
   policy_arn = each.value