Closed pjoshi-cs closed 1 year ago
Hi @pjoshi-cs ,
Your role declares the SSM service `ssm.amazonaws.com`, not App Runner `tasks.apprunner.amazonaws.com` (!!!), as a trusted entity for the role.
Please refer to App Runner IAM roles | Instance role chapter for the proper Trust Policy definition.
I followed the README and https://aws.amazon.com/blogs/containers/deploy-applications-in-aws-app-runner-with-github-actions/ documentation to implement a GitHub Actions flow for an image-based service. I am also successfully able to implement `copy-env-vars`. While implementing `copy-secret-env-vars`, first it errored about not including `instance-role-arn`. I tried to follow a similar approach to create a role with SSM Read Only access and used that ARN as `instance-role-arn`. But it failed with the error `Failed to assume instance-role-arn`.

Trusted Policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ssm.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

Permission (AmazonSSMReadOnlyAccess):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ssm:Describe*", "ssm:Get*", "ssm:List*"],
      "Resource": "*"
    }
  ]
}
```
How do I resolve this issue, or what is the correct role to use with `instance-role-arn`?
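The mismatch the maintainer points out (the trust policy names `ssm.amazonaws.com`, while an App Runner instance role must trust `tasks.apprunner.amazonaws.com`) is easy to catch before deploying. The following is an added example, not code from this issue or from the App Runner GitHub Action: it parses a trust policy document and reports which service principals are actually allowed to call `sts:AssumeRole`. The two policies embedded in it are constructed to mirror the thread, the first being the reporter's SSM-trusting policy and the second the same policy with the App Runner principal; the function names `assumable_by` and `trusts_app_runner` are my own.

```python
"""Check which service principals an IAM trust policy lets assume a role.

Added example (not from the issue or the App Runner action). Only
"Principal": {"Service": ...} entries are examined; AWS-account or
federated principals are out of scope for an instance-role check.
"""
import json

# The principal App Runner uses when it assumes an instance role.
APP_RUNNER_SERVICE = "tasks.apprunner.amazonaws.com"

# Constructed: the trust policy posted in the issue (trusts SSM, not App Runner).
REPORTED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ssm.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
})

# Constructed: the same document with the principal an instance role needs.
CORRECTED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "tasks.apprunner.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
})


def _as_list(value):
    """IAM allows a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def assumable_by(policy_json: str) -> set:
    """Return the service principals granted sts:AssumeRole by Allow statements,
    minus any that an explicit Deny statement blocks."""
    policy = json.loads(policy_json)
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        # Only statements that cover AssumeRole (directly or via a wildcard) matter.
        if not ({"sts:assumerole", "sts:*", "*"} & actions):
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        target = allowed if stmt.get("Effect") == "Allow" else denied
        target.update(services)
    return allowed - denied


def trusts_app_runner(policy_json: str) -> bool:
    """True if App Runner's task service could assume a role with this trust policy."""
    return APP_RUNNER_SERVICE in assumable_by(policy_json)


if __name__ == "__main__":
    for name, doc in (("reported", REPORTED_TRUST_POLICY),
                      ("corrected", CORRECTED_TRUST_POLICY)):
        print(f"{name}: trusted services = {sorted(assumable_by(doc))}, "
              f"App Runner can assume = {trusts_app_runner(doc)}")
```

Running the script shows the reported policy exposes the role only to `ssm.amazonaws.com`, which is why App Runner reports `Failed to assume instance-role-arn`; the corrected document is the one whose ARN belongs in `instance-role-arn`. The permission policy (`AmazonSSMReadOnlyAccess`) is unaffected by this fix; it governs what the role may do after assumption, not who may assume it.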