I have a small app that reads from DynamoDB and is deployed with AppRunner. I'm having trouble giving AppRunner access to Dynamo. I created an IAM role with the policies I think I need but it does not show up when I open the security configuration for this AppRunner service.
CodePudding user response:
Make sure you read and understand the documentation. To access DynamoDB you need to create an appropriate policy and attach it to your service's instance role.
The instance role is an optional role that App Runner uses to provide permissions to AWS service actions that your application code calls. Before creating an App Runner service, use IAM to create a service role with the permissions that your application code needs. You can then pass this role to App Runner in the CreateService API, or when using the App Runner console to create a service.
The CreateService API is documented here. You need to find the ARN of the role and provide it to the InstanceRoleArn parameter.
CodePudding user response:
I would guess that your role is lacking a trust relationship for App Runner, i.e. the right configuration that allows an App Runner instance to assume this role.
To fix that, you would go to your role, then trust relationship, then edit. Here is an example of how that trust relationship should look to be selectable as instance role:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "tasks.apprunner.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
You can also take a look at the AWS App Runner Workshop.
They use this CloudFormation template to create an App Runner instance role.
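Putting the two answers together (instance role with the right trust policy, a DynamoDB permissions policy attached to it, and the role ARN passed as InstanceRoleArn in CreateService), here is an added example that is not from the thread, the workshop or AWS. It builds and sanity-checks the policy documents offline, without boto3. The account ID, table ARN, role names and image name are placeholders, and the read-only action list is my own least-privilege choice; the CreateService field names follow the App Runner API as documented, but only the fields needed here are filled in.

```python
"""Build and check the IAM pieces for an App Runner instance role that reads DynamoDB."""
import json

# App Runner uses two different service principals. The *instance* role (what your
# running code calls AWS with) must trust tasks.*; the *access* role App Runner
# uses to pull a private ECR image trusts build.*. A role trusting only build.*
# will not show up as a candidate instance role.
INSTANCE_ROLE_PRINCIPAL = "tasks.apprunner.amazonaws.com"
ACCESS_ROLE_PRINCIPAL = "build.apprunner.amazonaws.com"


def trust_policy_for(service_principal: str) -> dict:
    """Trust policy allowing one AWS service principal to assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": service_principal},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def instance_role_trust_policy() -> dict:
    """The trust policy that makes a role selectable as an App Runner instance role."""
    return trust_policy_for(INSTANCE_ROLE_PRINCIPAL)


def dynamodb_read_policy(table_arn: str) -> dict:
    """Read-only DynamoDB permissions scoped to a single table and its indexes (assumed action set)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadOneTable",
                "Effect": "Allow",
                "Action": [
                    "dynamodb:GetItem",
                    "dynamodb:BatchGetItem",
                    "dynamodb:Query",
                    "dynamodb:Scan",
                    "dynamodb:DescribeTable",
                ],
                "Resource": [table_arn, f"{table_arn}/index/*"],
            }
        ],
    }


def _as_list(value):
    """IAM allows a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trusts_principal(trust_policy: dict, service_principal: str) -> bool:
    """True if an Allow statement lets `service_principal` call sts:AssumeRole (Conditions are ignored)."""
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            return True  # far too broad, but it does satisfy the assume check
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if service_principal in services:
            return True
    return False


def usable_as_instance_role(trust_policy: dict) -> bool:
    """Would App Runner be able to hand this role to your running instances?"""
    return trusts_principal(trust_policy, INSTANCE_ROLE_PRINCIPAL)


def create_service_request(service_name: str, image: str, instance_role_arn: str, access_role_arn: str) -> dict:
    """Body for `aws apprunner create-service --cli-input-json file://req.json`.

    InstanceRoleArn sits under InstanceConfiguration; the ECR pull role is a
    separate field (AuthenticationConfiguration.AccessRoleArn). Port is a string in the API.
    """
    return {
        "ServiceName": service_name,
        "SourceConfiguration": {
            "ImageRepository": {
                "ImageIdentifier": image,
                "ImageRepositoryType": "ECR",
                "ImageConfiguration": {"Port": "8080"},
            },
            "AuthenticationConfiguration": {"AccessRoleArn": access_role_arn},
            "AutoDeploymentsEnabled": False,
        },
        "InstanceConfiguration": {"InstanceRoleArn": instance_role_arn},
    }


if __name__ == "__main__":
    account = "123456789012"  # placeholder account, table and role names
    table_arn = f"arn:aws:dynamodb:us-east-1:{account}:table/Orders"
    instance_role_arn = f"arn:aws:iam::{account}:role/AppRunnerDynamoInstanceRole"
    access_role_arn = f"arn:aws:iam::{account}:role/service-role/AppRunnerECRAccessRole"
    print(json.dumps(instance_role_trust_policy(), indent=2))
    print(json.dumps(dynamodb_read_policy(table_arn), indent=2))
    # The likely cause of the question: a role whose trust policy names the wrong principal.
    print("access-role trust usable as instance role?", usable_as_instance_role(trust_policy_for(ACCESS_ROLE_PRINCIPAL)))
    print(json.dumps(create_service_request("orders-api", f"{account}.dkr.ecr.us-east-1.amazonaws.com/orders-api:latest",
                                            instance_role_arn, access_role_arn), indent=2))
```

To apply it for real, write the two policy documents to files and run `aws iam create-role --assume-role-policy-document file://trust.json`, `aws iam put-role-policy --policy-document file://dynamo.json`, then the create-service call above; `aws iam get-role` returns the trust policy, which you can feed to `usable_as_instance_role` to confirm the role will appear in the console picker.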