From c07c26c18598182785ec36df2b30d05fa7a016b4 Mon Sep 17 00:00:00 2001
From: Fletcher Woodruff
Date: Wed, 1 Apr 2026 16:54:32 -0700
Subject: [PATCH] feat: Add ECR Public permissions to EKS Auto Mode node IAM role (#3665)

fix: add ECR Public permissions to node role

Include permissions for authenticated container pulls from public ECR in the node roles used for EKS Auto clusters. Without them, the pulls will still succeed, but they can be rate-limited, resulting in slow pod startup times.
---
 main.tf | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/main.tf b/main.tf
index 215f43e..cbe8366 100644
--- a/main.tf
+++ b/main.tf
@@ -921,8 +921,9 @@ resource "aws_iam_role" "eks_auto" {
 # Policies attached ref https://docs.aws.amazon.com/eks/latest/userguide/service_IAM_role.html
 resource "aws_iam_role_policy_attachment" "eks_auto" {
 for_each = { for k, v in {
- AmazonEKSWorkerNodeMinimalPolicy = "${local.iam_role_policy_prefix}/AmazonEKSWorkerNodeMinimalPolicy",
- AmazonEC2ContainerRegistryPullOnly = "${local.iam_role_policy_prefix}/AmazonEC2ContainerRegistryPullOnly",
+ AmazonEKSWorkerNodeMinimalPolicy = "${local.iam_role_policy_prefix}/AmazonEKSWorkerNodeMinimalPolicy",
+ AmazonEC2ContainerRegistryPullOnly = "${local.iam_role_policy_prefix}/AmazonEC2ContainerRegistryPullOnly",
+ AmazonElasticContainerRegistryPublicReadOnly = "${local.iam_role_policy_prefix}/AmazonElasticContainerRegistryPublicReadOnly",
 } : k => v if local.create_node_iam_role }

 policy_arn = each.value
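Review bot: The new `AmazonElasticContainerRegistryPublicReadOnly` entry in the `for_each` map is attached to every node role created under `local.create_node_iam_role`, so clusters that never pull from ECR Public still get the extra permissions, and the hunk shows no input to opt out. The commit message says pulls succeed without it and only risk rate limiting, so this is a performance trade-off rather than a requirement. That reasoning belongs next to the entry, e.g. `# Optional: authenticated pulls from ECR Public to avoid anonymous rate limits`, since the doc link in the header comment may not list this policy. The ARN is built from `local.iam_role_policy_prefix`, which is defined outside the hunk; if that prefix is partition-aware, it is worth confirming the managed policy exists in every partition the module supports, because a missing policy would presumably fail the attachment at apply time. The resource body continues past the end of the hunk.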