awslabs / amazon-app-runner-deploy

Registers an AWS App Runner Service and deploys the application using the source code of a given GitHub repository. Supports both source-code-based and Docker-image-based services.
MIT No Attribution

README.md ROLE_ARN mismatch #49

Closed ajay-bhargava closed 1 year ago

ajay-bhargava commented 1 year ago

Reviewing the .yml file in the README.md of this repo:

name: Deploy to App Runner
on:
  push:
    branches: [main] # Trigger workflow on git push to main branch
  workflow_dispatch: # Allow manual invocation of the workflow

jobs:  
  deploy:
    runs-on: ubuntu-latest
    # These permissions are needed to interact with GitHub's OIDC Token endpoint.
    permissions:
      id-token: write
      contents: read

    steps:      
      - name: Checkout
        uses: actions/checkout@v2
        with:
          persist-credentials: false

      - name: Configure AWS credentials
        id: aws-credentials
        uses: aws-actions/configure-aws-credentials@v1-node16
        with:
          # Use GitHub OIDC provider
          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
          aws-region: ${{ secrets.AWS_REGION }}

        ....

      - name: Deploy to App Runner Image
        id: deploy-apprunner
        uses: awslabs/amazon-app-runner-deploy@main
        with:
          service: app-runner-git-deploy-service
          image: ${{ steps.build-image.outputs.image }}
          access-role-arn: ${{ secrets.ROLE_ARN }}

      - name: App Runner URL
        run: echo "App runner URL ${{ steps.deploy-apprunner.outputs.service-url }}" 

Is there a discrepancy between the ${{ secrets.AWS_ASSUME_ROLE_ARN }} in configure-aws-credentials and access-role-arn: ${{ secrets.ROLE_ARN }}?

Thanks for clarifying.

ajay-bhargava commented 1 year ago

Tried changing that parameter referenced here to ${{secrets.AWS_ASSUME_ROLE_ARN}} but got:

Error: User: arn:aws:sts::{HIDDEN}:assumed-role/github-actions-ecr-and-app-runner/GitHubActions is not authorized to perform: iam:PassRole on resource: *** because no identity-based policy allows the iam:PassRole action

What should the ROLE_ARN be if following the OIDC provider approach?

DmitryGulin commented 1 year ago

Hi @ajay-bhargava ,

secrets.AWS_ASSUME_ROLE_ARN in your example is assumed by the GitHub agent and provides it with the necessary permissions to execute all subsequent AWS actions. Those actions are not necessarily limited to a single AppRunner service configuration, but can include other AWS resources as well. As per the Configuring OpenID Connect in Amazon Web Services recommendations, that role must be limited to your repository scope only (with a token.actions.githubusercontent.com:sub condition).

On the other hand, secrets.ROLE_ARN is expected to reference a very specific role that will be assumed by the AWS AppRunner instance and allow it to work with AWS ECR repositories. See App Runner IAM roles for more details, as well as policy and trust configuration recommendations.

ajay-bhargava commented 1 year ago

Thanks! The above is from your README.md.

Interpreting what you said, these seem to be the steps you're describing:

  1. Define an OpenID Connect (OIDC) provider for secrets.AWS_ASSUME_ROLE_ARN
  2. For secrets.ROLE_ARN, use the privileges outlined here to create a separate role for this secret.

Is there a chance that the app-runner-deploy action may inherit the ARN from 1 for 2? Even if I hardcode the Role ARN defined in 2 in the requisite access-role-arn, I end up having the GitHub action use the ARN from aws-actions/configure-aws-credentials instead.

ajay-bhargava commented 1 year ago

Ah, I figured it out. When defining the OIDC provider you need to create a custom policy. This is the one that worked for me.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "apprunner:ListServices",
                "apprunner:CreateService",
                "apprunner:UpdateService",
                "apprunner:DescribeService",
                "apprunner:TagResource",
                "iam:PassRole"
            ],
            "Resource": "*"
        }
    ]
}

For one reason or another, the AWSAppRunnerFullAccess policy is not sufficient. Hope this helps anyone else in the future.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/apprunner.amazonaws.com/AWSServiceRoleForAppRunner",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "apprunner.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": "apprunner.amazonaws.com"
                }
            }
        },
        {
            "Sid": "AppRunnerAdminAccess",
            "Effect": "Allow",
            "Action": "apprunner:*",
            "Resource": "*"
        }
    ]
}
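
Pulling the thread together, as an added example that is neither the project's code nor any commenter's: a CloudFormation template that creates the two roles DmitryGulin describes (the OIDC role behind secrets.AWS_ASSUME_ROLE_ARN and the ECR access role behind secrets.ROLE_ARN) and grants the GitHub role the iam:PassRole permission that cleared the error above, scoped to that single access role rather than Resource "*". The role names, the example-org/example-repo placeholder, and the pre-existing token.actions.githubusercontent.com OIDC provider are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  # Role 1: assumed by the GitHub Actions runner via OIDC -> secrets.AWS_ASSUME_ROLE_ARN.
  # Assumes the token.actions.githubusercontent.com OIDC provider already exists in the account.
  GitHubActionsDeployRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRoleWithWebIdentity
            Principal:
              Federated: !Sub 'arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com'
            Condition:
              StringEquals:
                "token.actions.githubusercontent.com:aud": sts.amazonaws.com
              StringLike:
                # Repository-scoped sub claim: only workflows from this repo may assume the role (placeholder repo)
                "token.actions.githubusercontent.com:sub": "repo:example-org/example-repo:*"
      Policies:
        - PolicyName: AppRunnerDeploy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: [apprunner:ListServices, apprunner:CreateService, apprunner:UpdateService, apprunner:DescribeService, apprunner:TagResource]
                Resource: "*"
              # PassRole is what the failing workflow lacked; limit it to the one access role and to App Runner only
              - Effect: Allow
                Action: iam:PassRole
                Resource: !GetAtt AppRunnerEcrAccessRole.Arn
                Condition:
                  StringEquals:
                    "iam:PassedToService": apprunner.amazonaws.com
  # Role 2: assumed by the App Runner service to pull from ECR -> secrets.ROLE_ARN / access-role-arn.
  AppRunnerEcrAccessRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              Service: build.apprunner.amazonaws.com
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSAppRunnerServicePolicyForECRAccess
```

Store GitHubActionsDeployRole's ARN as AWS_ASSUME_ROLE_ARN and AppRunnerEcrAccessRole's ARN as ROLE_ARN; the two secrets are intentionally different roles.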