Closed mazyu36 closed 3 months ago
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).
Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.
Issue # (if applicable)
Closes #26640
Reason for this change
According to the docs, required permissions for an App Runner's AccessRole to access images in ECR repository are the followings:
No.1~3 are granted by the grantPull method of
ecr.Repository
.https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/aws-apprunner-alpha/lib/service.ts#L1303
Permission for No.5 is granted by the following. Note : It is correct that the resources here is set to
*
(Ref: docs)https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/aws-apprunner-alpha/lib/service.ts#L1368
At the moment, No.4 permission is missing. So we need to add.
Description of changes
Add a
ecr:DescribeImages
permisison to the AccessRole.Description of how you validated changes
Update a unit test and a integ test.
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license