When trying to create an apprunner service using aws apprunner create-service --cli-input-json file://./myconfig.json, I get the error in the title:
An error occurred (InvalidRequestException) when calling the CreateService operation: Error in assuming access role arn:aws:iam::1234:role/my-role
The myconfig.json I'm using is fairly similar to the example JSON from the AWS CreateService docs, & I don't think it's particularly relevant here.
The error seems to imply I should assume the role... but I've already assumed the role with this command from this stackoverflow q/a:
eval $(aws sts assume-role --role-arn arn:aws:iam::1234:role/my-role --role-session-name apprunner-stuff1 --region us-east-1 | jq -r '.Credentials | "export AWS_ACCESS_KEY_ID=\(.AccessKeyId)\nexport AWS_SECRET_ACCESS_KEY=\(.SecretAccessKey)\nexport AWS_SESSION_TOKEN=\(.SessionToken)\n"')
This runs without error & when I run:
aws sts get-caller-identity
it outputs the following, which looks correct I think:
{
"UserId": "SOME1234NPC:apprunner-stuff1",
"Account": "1234",
"Arn": "arn:aws:sts::1234:assumed-role/my-role/apprunner-stuff1"
}
At this point, the error message doesn't make sense & I'm wondering what dumb IAM thing am I doing wrong?
AppRunner-specific wise - I've attempted to give my-role all the permissions from the AppRunner IAM doc to run CreateService, but I could easily have missed some. The error message here doesn't seem to indicate that the role doesn't have sufficient permissions, but it might be relevant.
Instead of trying to create a role following the IAM doc permissions, I followed the UI AppRunner guide here. That created a role that was auto-named AppRunnerECRAccessRole. I used that role as my AccessRoleArn in the JSON configuration, making that JSON config section look like:
"AuthenticationConfiguration": {
"AccessRoleArn": "arn:aws:iam::12345:role/service-role/AppRunnerECRAccessRole"
},
I followed this stackoverflow q/a to allow my user / group to assume the AppRunnerECRAccessRole, with a policy applied to the user/group like:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": [
"arn:aws:iam::12345:role/my-role",
"arn:aws:iam::12345:role/service-role/AppRunnerECRAccessRole"
]
}
]
}
After this I was just able to run:
aws apprunner create-service --cli-input-json file://./myconfig-with-ui-role-arn.json
& it worked! (without even assuming the role via the eval command). Though I gave the user access to both roles, creating only worked via the new AppRunnerECRAccessRole role. So I think the takeaway / main answer is to create an AppRunner service via the UI & then reuse its service role.
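Editor's note on why the console-created role works where the hand-built one did not: the AccessRoleArn in AuthenticationConfiguration is a role that App Runner itself assumes (its service principal is build.apprunner.amazonaws.com) to pull the image from ECR. "Error in assuming access role" is therefore App Runner's sts:AssumeRole failing against that role's trust policy; whether the operator's CLI session has assumed the role is irrelevant. A role created for "aws sts assume-role" from a workstation typically trusts only an IAM user or account principal, so App Runner cannot assume it. AppRunnerECRAccessRole, as generated by the console, trusts build.apprunner.amazonaws.com. The caller of create-service additionally needs iam:PassRole on that role. The script below is an added example, not the poster's code: it checks an exported trust policy document for the App Runner trust relationship, emits the trust policy the access role needs, and emits a scoped iam:PassRole statement for the caller. The user-only trust policy is a constructed sample, and the iam:PassedToService value in the PassRole condition is an assumption to verify against the App Runner IAM documentation before use.

```python
import json

# Service principal App Runner uses when it assumes an ECR access role.
# The console-generated AppRunnerECRAccessRole trusts exactly this principal.
APP_RUNNER_BUILD_PRINCIPAL = "build.apprunner.amazonaws.com"


def _as_list(value):
    """IAM policy JSON allows scalar-or-list for Statement, Action, Principal.Service; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trusts_app_runner(trust_policy: dict) -> bool:
    """True if some Allow statement lets build.apprunner.amazonaws.com call sts:AssumeRole.

    Conditions are not evaluated, so a True result is necessary but not sufficient
    for App Runner to actually assume the role; a False result explains the error.
    """
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            return True  # anyone may assume the role; App Runner included, but far too broad
        if isinstance(principal, dict) and APP_RUNNER_BUILD_PRINCIPAL in _as_list(principal.get("Service")):
            return True
    return False


def app_runner_access_role_trust_policy() -> dict:
    """Trust policy an App Runner ECR access role needs (matches what the console generates)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": APP_RUNNER_BUILD_PRINCIPAL},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def pass_role_policy(access_role_arn: str) -> dict:
    """Identity policy for the *caller* of create-service: PassRole on the access role only.

    ASSUMPTION: the iam:PassedToService condition key value for App Runner is
    'apprunner.amazonaws.com'; confirm against the App Runner IAM docs before relying on it.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "iam:PassRole",
                "Resource": access_role_arn,
                "Condition": {"StringEquals": {"iam:PassedToService": "apprunner.amazonaws.com"}},
            }
        ],
    }


# Constructed sample: a trust policy for a role meant to be assumed from the CLI by one
# IAM user. This is the shape that produces "Error in assuming access role" when the role
# is handed to App Runner as AccessRoleArn, because App Runner is not a trusted principal.
USER_ONLY_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::1234:user/some-user"},
            "Action": "sts:AssumeRole",
        }
    ],
}


if __name__ == "__main__":
    for name, policy in [("user-only role", USER_ONLY_TRUST_POLICY),
                         ("console-style access role", app_runner_access_role_trust_policy())]:
        verdict = "usable" if trusts_app_runner(policy) else "NOT usable"
        print(f"{name}: {verdict} as App Runner AccessRoleArn")
    print(json.dumps(pass_role_policy("arn:aws:iam::1234:role/service-role/AppRunnerECRAccessRole"), indent=2))
```

To check a live role, dump its trust policy with aws iam get-role --role-name my-role --query Role.AssumeRolePolicyDocument and pass the resulting JSON to trusts_app_runner; if it returns False, the fix is the trust policy on the role, not more permissions on the caller or on the role's permission policy.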