AWS App Runner - Error in assuming instance role
When running my TF script to create an AWS App Runner service I'm getting this error:
InvalidRequestException: Error in assuming instance role arn:aws:iam::000000000000:role/MyAppRunnerServiceRole
I created the role policy trust using AppRunnerECRAccessRole as reference, which is auto-generated by the console, but using either that or my own below I'm getting the same issue.
Here's my TF code:
### IAM ###
resource "aws_iam_role" "app_runner" {
name = "MyAppRunnerServiceRole"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = "sts:AssumeRole"
Effect = "Allow"
Sid = ""
Principal = {
Service = "build.apprunner.amazonaws.com"
}
},
]
})
}
resource "aws_iam_role_policy_attachment" "app_runner" {
role = aws_iam_role.app_runner.name
policy_arn = "arn:aws:iam::aws:policy/service-role/AWSAppRunnerServicePolicyForECRAccess"
}
### App Runner ###
resource "aws_apprunner_service" "main" {
service_name = "sandbox-service"
source_configuration {
image_repository {
image_configuration {
port = "5000"
}
image_identifier = "${aws_ecr_repository.main.repository_url}:latest"
image_repository_type = "ECR"
}
}
instance_configuration {
instance_role_arn = aws_iam_role.app_runner.arn
}
}
This is the AppRunnerECRAccessRole which is auto-generated by the Console when creating a new App Runner service. I would assume this same configuration would work, but it isn't.
It seems that the access and instance roles were mixed up in your code. Based on the AWS documentation [1], you need to change the trust policy to be:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "tasks.apprunner.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
The permissions policy should probably remain the same, but for the sake of the completeness of the answer, it should be something along the lines:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:DescribeImages",
"ecr:GetAuthorizationToken"
],
"Resource": "*"
}
]
}
You can of course limit everything except the ecr:GetAuthorizationToken to your ECR repo. The ecr:GetAuthroziationToken has to be set for "Resource": "*".
Update: Correct placement of the Access role within the source configuration section for the "build.apprunner.amazonaws.com" service
resource "aws_apprunner_service" "example" {
source_configuration {
authentication_configuration {
access_role_arn = aws_iam_role.access_role.arn
}
}
}
- Cannot Connect To AWS Elasticache Redis Cluster From Local Machine
- How do i access AWS SAM-CLI through bash on windows?
- Reporting AWS Tools RDS or Redshift?
- What does "eksctl create iamserviceaccount" do under the hood on an EKS cluster?
- Configure Selenium Nodes without a JSON file
- How to bypass expectation of S3 server 100-contiune response in Boto3 put_object method
- Deleting Perforce depot from AWS EC2 server does not free up space on EC2
- Middy is not getting a secret from Secret Manager in a NodeJS AWS Lambda
- Can I include a display name when sending email from the AWS SES Javascript v3 SDK?
- Is it possible to add fields to struct in an existing AWS Athena table?
- AWS SNS - Message missing a phone number
- How to run a one-off task on AWS ECS Fargate?
- AWS FIFO queues subscription with SNS: passing message group id
- Is it necessary to add health-check config for ecs.CfnTaskDefinition.ContainerDefinitionProperty?
- AWS CLI to get all matching CloudFronts using the "--query" option?
- What is the best way to read a csv and text file from S3 on AWS glue without having to read it as a Dynamic daataframe?
- Why is CloudFormation saying AlreadyExists when creating a AWS::ApiGateway::Authorizer
- AWS sts assume role in one command
- GetSecretValue, get identity: get credentials: failed to refresh cached credentials
- Does PutACLAsync make a copy of an object?
- How to use AWS CodeArtifact *within* A Dockerfile in AWSCodeBuild
- AWS CodeBuild: Accessing CodeCommit repository in another account?
- AWS Java SDK SSL Certificates
- How can I use AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to perform actions in AWS through a Jenkins pipeline?
- Syntax error when executing Invoke-DDBQuery to fetch dynamodb record using Powershell
- How can I delete a specific record from my AWS Glue table?
- Start cfn-init in Ubuntu instance with cloudformation (yaml)
- How to check ephemeral storage that is allocated to EKS node
- Permission Error Running Container in AWS CodeBuild
- retrieve list of urls from Amazon S3 bucket using R