I have a small app that reads from DynamoDB and is deployed with AppRunner. I'm having trouble giving AppRunner access to Dynamo. I created an IAM role with the policies I think I need but it does not show up when I open the security configuration for this AppRunner service.
4 Answers
I would guess that your role is lacking a trust relationship for App Runner, i.e. the configuration that allows an App Runner instance to assume this role.
To fix that, go to your role, then Trust relationships, then Edit. Here is an example of how that trust relationship should look in order to be selectable as an instance role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "tasks.apprunner.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
You can also take a look at the AWS App Runner Workshop.
They use this CloudFormation template to create an App Runner instance role.
- This is the answer. The OP is referring to the Security section of the App Runner configuration wizard. The AWS Documentation refers to the "apprunner.amazonaws.com" service principal name but the "tasks.apprunner.amazonaws.com" service principal name is what is actually needed in order for the IAM Role to show up in the drop down list when configuring app runner security via the web console. Thanks for your answer. – dsandor Dec 18 '21 at 16:43
- This worked for me when there was no service role appearing in the dropdown section of the Apprunner's console. To add a bit more detail to this answer, there is also no Apprunner option in the "AWS Service" option when creating a new role. The "Custom Trust Policy" option was how I created a version that appeared in the Apprunner dropdown menu. – alphazwest Feb 18 '23 at 14:55
- My problem was that I had "build.apprunner.amazonaws.com" instead of "tasks.apprunner.amazonaws.com" for the instance role. "build.apprunner.amazonaws.com" is used for the ECR role. – Kappacake Feb 27 '23 at 15:45
I was there too. Here is the CLI version of Julian Spung's answer. (Ref: https://zenn.dev/becominn/articles/3c06bc732f8775)
Create role file
cat << EOF > apprunner-role-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "tasks.apprunner.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
Create Role
aws iam create-role \
--role-name apprunner-role \
--assume-role-policy-document file://apprunner-role-policy.json
Attach your service permissions
aws iam attach-role-policy \
--role-name apprunner-role \
--policy-arn arn:aws:iam::aws:policy/AmazonDynamoDBReadOnlyAccess
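The two answers above (the console trust policy and its CLI version) both hinge on one detail that the comments keep tripping over: which service principal the trust policy names. The script below is an added example, not code from either answer, that classifies a role's trust policy offline: it reports whether the policy qualifies the role as an App Runner instance role (tasks.apprunner.amazonaws.com), as an access role (build.apprunner.amazonaws.com), or as neither, and names the specific mistake when the principal is the ECR one or the apprunner.amazonaws.com name from the docs. The sample trust policies embedded in it are constructed test data, not real roles; the file name check_apprunner_trust.py in the usage comment is an assumption.

```python
"""Classify an IAM trust policy by the App Runner role type it qualifies for.

Added example for this thread; the sample policies below are constructed."""
import json
import sys

# Service principals as used in the answers and comments above.
APPRUNNER_PRINCIPALS = {
    "tasks.apprunner.amazonaws.com": "instance role",
    "build.apprunner.amazonaws.com": "access role (ECR pull)",
}


def _as_list(value):
    """IAM policy grammar allows a single value or a list for Statement,
    Action and Principal.Service; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _load(trust_policy):
    """Accept either a parsed dict or the JSON text printed by `aws iam get-role`."""
    return json.loads(trust_policy) if isinstance(trust_policy, str) else trust_policy


def apprunner_roles_allowed(trust_policy):
    """Return the set of App Runner role types this trust policy qualifies for.

    A statement counts only if it is Effect Allow, its Action covers
    sts:AssumeRole, and its Principal has a Service entry naming one of
    the App Runner service principals. Deny statements never qualify.
    """
    allowed = set()
    for stmt in _as_list(_load(trust_policy).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            continue  # "*" or a bare account principal, not a service
        for svc in _as_list(principal.get("Service")):
            if svc in APPRUNNER_PRINCIPALS:
                allowed.add(APPRUNNER_PRINCIPALS[svc])
    return allowed


def service_principals(trust_policy):
    """Every Service principal named anywhere in the policy, for diagnostics."""
    found = set()
    for stmt in _as_list(_load(trust_policy).get("Statement")):
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            found.update(_as_list(principal.get("Service")))
    return found


def explain(trust_policy):
    """One-line verdict that names the usual mistakes from the thread."""
    if "instance role" in apprunner_roles_allowed(trust_policy):
        return "OK: role is selectable as an App Runner instance role"
    found = service_principals(trust_policy)
    if "build.apprunner.amazonaws.com" in found:
        return ("NOT an instance role: build.apprunner.amazonaws.com is the "
                "access (ECR) role principal; use tasks.apprunner.amazonaws.com")
    if "apprunner.amazonaws.com" in found:
        return ("NOT an instance role: apprunner.amazonaws.com does not make the "
                "role appear in the console; use tasks.apprunner.amazonaws.com")
    return ("NOT an instance role: no Allow sts:AssumeRole statement for "
            "tasks.apprunner.amazonaws.com")


def _trust(*services, effect="Allow"):
    """Build a constructed sample trust policy (test data, not a real role)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": effect,
        "Principal": {"Service": list(services) if len(services) > 1 else services[0]},
        "Action": "sts:AssumeRole",
    }]}


# Constructed samples mirroring the mistakes reported in the comments.
RIGHT_TASKS = _trust("tasks.apprunner.amazonaws.com")
WRONG_BUILD = _trust("build.apprunner.amazonaws.com")   # the ECR access-role principal
WRONG_DOCS = _trust("apprunner.amazonaws.com")          # the principal named in the docs
BOTH = _trust("tasks.apprunner.amazonaws.com", "build.apprunner.amazonaws.com")
DENIED = _trust("tasks.apprunner.amazonaws.com", effect="Deny")
RIGHT_TASKS_JSON = json.dumps(RIGHT_TASKS)               # as the CLI would print it
SAMPLES = {"RIGHT_TASKS": RIGHT_TASKS, "WRONG_BUILD": WRONG_BUILD,
           "WRONG_DOCS": WRONG_DOCS, "BOTH": BOTH, "DENIED": DENIED}


if __name__ == "__main__":
    # Usage against a real role (file name is an assumption):
    #   aws iam get-role --role-name apprunner-role \
    #     --query Role.AssumeRolePolicyDocument --output json | python check_apprunner_trust.py
    if len(sys.argv) > 1:
        print(explain(open(sys.argv[1]).read()))
    elif not sys.stdin.isatty():
        print(explain(sys.stdin.read()))
    else:
        for name, sample in SAMPLES.items():
            print(f"{name}: {explain(sample)}")
```

Run with no input and it walks the constructed samples; pipe the output of `aws iam get-role --query Role.AssumeRolePolicyDocument` into it to check a real role before looking for it in the App Runner console drop-down. The check is deliberately strict about Effect and Action, so a Deny statement or a policy that only allows sts:TagSession is reported as not usable.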
Here is a more concrete code example with the CDK:
// Imports added for completeness; assumes CDK v2 (aws-cdk-lib) and the L2
// App Runner constructs from @aws-cdk/aws-apprunner-alpha.
import * as path from "path";
import * as iam from "aws-cdk-lib/aws-iam";
import * as dynamodb from "aws-cdk-lib/aws-dynamodb";
import { DockerImageAsset, Platform } from "aws-cdk-lib/aws-ecr-assets";
import { Service, Source } from "@aws-cdk/aws-apprunner-alpha";

// `scope` (a Construct such as the Stack) and `suffix` (a string used in the
// service name) are assumed to be defined by the surrounding code.

// Build the container image from the Dockerfile one directory up.
const dockerImageAsset = new DockerImageAsset(scope, `AppDockerImage`, {
  directory: path.join(__dirname, "../"),
  platform: Platform.LINUX_AMD64,
});

// Instance role: assumed by the running container, so it carries the
// permissions the application code needs (DynamoDB here). Its trust
// principal must be tasks.apprunner.amazonaws.com.
const instanceRole = new iam.Role(scope, "AppRunnerInstanceRole", {
  assumedBy: new iam.ServicePrincipal("tasks.apprunner.amazonaws.com"),
});

// Access role: used by App Runner itself to pull the image from ECR.
// Its trust principal is build.apprunner.amazonaws.com.
const accessRole = new iam.Role(scope, "AppRunnerBuildRole", {
  assumedBy: new iam.ServicePrincipal("build.apprunner.amazonaws.com"),
});

// Reference an existing table by name rather than creating one.
const myTable = dynamodb.Table.fromTableName(scope, `MyDb`, `MyDb`);

// Read-only DynamoDB actions, scoped to the single table ARN.
const policy = new iam.PolicyStatement({
  effect: iam.Effect.ALLOW,
  actions: [
    "dynamodb:GetItem",
    "dynamodb:Query",
    "dynamodb:Scan",
    "dynamodb:BatchGetItem",
  ],
  resources: [myTable.tableArn],
});
instanceRole.addToPolicy(policy);

// Pass both roles to the service; instanceRole is what the question is about.
new Service(scope, "service", {
  serviceName: `App${suffix.toLowerCase()}`,
  instanceRole,
  accessRole,
  source: Source.fromAsset({
    imageConfiguration: {
      port: 3000,
      environmentVariables: {
        CONTAINER: "true",
        NODE_ENV: "production",
      },
    },
    asset: dockerImageAsset,
  }),
});
Make sure you read and understand the documentation. To access DynamoDB you need to create an appropriate policy and attach it to your service's instance role.
The instance role is an optional role that App Runner uses to provide permissions to AWS service actions that your application code calls. Before creating an App Runner service, use IAM to create a service role with the permissions that your application code needs. You can then pass this role to App Runner in the CreateService API, or when using the App Runner console to create a service.
The CreateService API is documented here. You need to find the ARN of the role and provide it to the InstanceRoleArn parameter.
- I did exactly that. The problem is that roles don't show up in the CreateService API :( Is there a reason why they are not showing up? – dave Nov 17 '21 at 19:43
- What do you mean it doesn't show up? It is the InstanceRoleArn parameter. – kgiannakakis Nov 17 '21 at 20:03
- I promise. I have refreshed, created a new AppRunner service, tried everything... the role is not there. – dave Nov 17 '21 at 20:24