Add aws_use_instance_role flag

[jprelph]

This is in relation to the bug discussed here: #277

The current default behaviour doesn't allow EC2 IAM Roles to be assumed directly, I have added an aws_use_instance_role flag which - when set to true alongside the instance name - ignores other cred settings when authenticating with ECR to allow the instance role to be assumed.

[xtremerui]

Thanks for the PR. Please refer to #287 (comment).

[jprelph]

Thanks for the PR. Please refer to #287 (comment).

Thanks - I'd not seen that in relation to this, but having a look through that I'm not sure why the particular risk in terms of using the metadata service here would be. This isn't a case of using the EC2 IAM role to pull in some credentials that then are templated in anywhere (ie. by passing back a secret access key/access key id which we then plug in)- it's relying on the behaviour of the aws-sdk to generate a session token as part of the call to the aws service. I don't see fundamentally what's different from the workers being capable of having different configuration (ie. different DNS servers, env vars etc.) and/or how prototypes really changes the risk there?

Sorry, had chance to read up properly now and can see the issue with the versioning of resources. It's probably pushed me in another direction with how to solve this (I think if we wanted to move Concourse to Kubernetes this would stand as a blocker given k2iam/more team-scoped workers but given we're using EC2 directly instance roles were relatively coarse, so alternatives had upsides)

[taylorsilva]

Closing this issue and it won't be merged