Tags: amazon-web-services, amazon-iam, amazon-app-runner

Error in assuming access role arn:aws:iam::1234:role/my-role


When trying to create an App Runner service using aws apprunner create-service --cli-input-json file://./myconfig.json, I get the error in the title:

An error occurred (InvalidRequestException) when calling the CreateService operation: Error in assuming access role arn:aws:iam::1234:role/my-role

The myconfig.json I'm using is fairly similar to the example JSON from the AWS CreateService docs, & I don't think it's particularly relevant here.

The error seems to imply I should assume the role... but I've already assumed the role with this command from this stackoverflow q/a:

# Assume the role and export the temporary credentials into the current shell
eval $(aws sts assume-role \
    --role-arn arn:aws:iam::1234:role/my-role \
    --role-session-name apprunner-stuff1 \
    --region us-east-1 \
  | jq -r '.Credentials | "export AWS_ACCESS_KEY_ID=\(.AccessKeyId)\nexport AWS_SECRET_ACCESS_KEY=\(.SecretAccessKey)\nexport AWS_SESSION_TOKEN=\(.SessionToken)\n"')

This runs without error & when I run:

aws sts get-caller-identity

it outputs the following which looks correct I think:

{
    "UserId": "SOME1234NPC:apprunner-stuff1",
    "Account": "1234",
    "Arn": "arn:aws:sts::1234:assumed-role/my-role/apprunner-stuff1"
}

At this point, the error message doesn't make sense & I'm wondering what dumb IAM thing I'm doing wrong.

App Runner-specific: I've attempted to give my-role all the permissions from the App Runner IAM doc needed to run CreateService, but I could easily have missed some. The error message here doesn't seem to indicate that the role has insufficient permissions, but that might be relevant.


Solution

  • Instead of trying to create a role following the IAM doc permissions, I followed the UI App Runner guide here. That created a role that was auto-named AppRunnerECRAccessRole. I used that role as my AccessRoleArn in the JSON configuration, making that JSON config section look like:

        "AuthenticationConfiguration": {
          "AccessRoleArn": "arn:aws:iam::12345:role/service-role/AppRunnerECRAccessRole"
        },

    I followed this stackoverflow q/a to allow my user/group to assume the AppRunnerECRAccessRole, with a policy applied to the user/group like:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "sts:AssumeRole"
                ],
                "Resource": [
                    "arn:aws:iam::12345:role/my-role",
                    "arn:aws:iam::12345:role/service-role/AppRunnerECRAccessRole"
                ]
            }
        ]
    }

    After this I was just able to run:

    aws apprunner create-service --cli-input-json file://./myconfig-with-ui-role-arn.json

    & it worked! (without even assuming the role via the eval command). Though I gave the user access to both roles, creating only worked via the new AppRunnerECRAccessRole role. So I think the takeaway / main answer is to create an App Runner service via the UI & then reuse its service role.
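The error text reports that App Runner could not assume the access role, which is a question about the role's trust policy (which principals may call sts:AssumeRole on it) rather than about the credentials the CLI caller holds. That is most likely why assuming my-role yourself changes nothing while the console-created AppRunnerECRAccessRole, whose trust policy names the App Runner service principal build.apprunner.amazonaws.com, works. The following added example (not code from the question or the answer) checks both halves offline: whether a trust policy lets that service principal assume the role, and whether the caller's identity policy grants iam:PassRole on the role, which is what App Runner requires of whoever creates the service. The account id 123456789012, the role ARNs and the policy documents are constructed samples, and the checker does not evaluate Condition blocks, it only flags them.

```python
"""Offline checks for the two IAM policies behind App Runner's
"Error in assuming access role" on CreateService.

Added example, not code from the question or answer above. The service
principal "build.apprunner.amazonaws.com" is the one the console-created
AppRunnerECRAccessRole trusts; the account id, ARNs and policy documents
below are constructed samples.
"""
import fnmatch
import json

APP_RUNNER_SERVICE_PRINCIPAL = "build.apprunner.amazonaws.com"


def _as_list(value):
    """Most IAM policy fields accept one string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_listed(statement, action):
    """IAM action names are case-insensitive and may carry '*' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), a.lower())
               for a in _as_list(statement.get("Action")))


def _principal_matches(principal, kind, name):
    """Does the Principal block name `name` under `kind` ("Service" or "AWS")?
    A bare "*" principal, or "*" under that key, matches anything."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    names = _as_list(principal.get(kind))
    return "*" in names or name in names


def _verdict(statements, matches):
    """Shared evaluation: an explicit Deny wins; an Allow carrying a Condition
    is reported as "allow-conditional" because conditions are not evaluated."""
    verdict = "no-match"
    for stmt in statements:
        if not matches(stmt):
            continue
        if stmt.get("Effect") == "Deny":
            return "deny"
        verdict = "allow-conditional" if stmt.get("Condition") else "allow"
    return verdict


def role_assumable_by(trust_policy_json, kind, name):
    """Can principal `name` (of `kind`) call sts:AssumeRole on this role?"""
    statements = _as_list(json.loads(trust_policy_json).get("Statement"))
    return _verdict(statements, lambda s: _action_listed(s, "sts:AssumeRole")
                    and _principal_matches(s.get("Principal"), kind, name))


def identity_policy_allows(policy_json, action, resource):
    """Does the caller's identity policy allow `action` on the `resource` ARN?"""
    statements = _as_list(json.loads(policy_json).get("Statement"))
    return _verdict(statements, lambda s: _action_listed(s, action)
                    and any(fnmatch.fnmatchcase(resource, r)
                            for r in _as_list(s.get("Resource"))))


# --- constructed samples (placeholder account id, not a real one) ----------
ACCOUNT = "123456789012"
ACCESS_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/service-role/AppRunnerECRAccessRole"

# Trust policy a hand-built role commonly ends up with: identities in the
# account may assume it, but the App Runner service itself may not.
TRUST_ACCOUNT_ONLY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
     "Action": "sts:AssumeRole"}]})

# Shape of the trust policy on the role the App Runner console creates.
TRUST_APP_RUNNER = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": APP_RUNNER_SERVICE_PRINCIPAL},
     "Action": "sts:AssumeRole"}]})

# Least-privilege identity policy for the CLI caller: create services, and
# pass only the access role, and only to App Runner.
USER_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "apprunner:CreateService", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": ACCESS_ROLE_ARN,
     "Condition": {"StringEquals": {"iam:PassedToService": "apprunner.amazonaws.com"}}}]})


def diagnose(trust_policy_json, user_policy_json, access_role_arn):
    """Both checks a reviewer of this error would run, as one dict."""
    return {
        "app_runner_can_assume_role": role_assumable_by(
            trust_policy_json, "Service", APP_RUNNER_SERVICE_PRINCIPAL),
        "caller_can_pass_role": identity_policy_allows(
            user_policy_json, "iam:PassRole", access_role_arn),
    }


if __name__ == "__main__":
    print("hand-built role:", diagnose(TRUST_ACCOUNT_ONLY, USER_POLICY, ACCESS_ROLE_ARN))
    print("console role:   ", diagnose(TRUST_APP_RUNNER, USER_POLICY, ACCESS_ROLE_ARN))
```

Run against a real role, feed it the output of aws iam get-role (the AssumeRolePolicyDocument field) and the caller's attached policy documents; a "no-match" on the first check is the trust-policy gap that produces this CreateService error, and the PassRole check is what the sts:AssumeRole grant in the answer's policy does not cover.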