How to associate an IAM Role with the container execution like ECS does?

0

I would like to use something like AWS.ECSCredentials inside my container running on App Runner in order to use AWS services with a provided configured role.

AWS.config.credentials = new AWS.ECSCredentials({ httpOptions: { timeout: 5000 }, maxRetries: 10 });

I found out that there is an InstanceRoleArn property on InstanceConfiguration settings, but I have already tried many roles I created and none of them seems to be accepted by App Runner.

onhate
asked 3 years ago · 316 views
1 Answer
1

The tricky part is the Allow sts:AssumeRole for service tasks.apprunner.amazonaws.com

Resources:
    # Role assumed by the running container (the App Runner instance role)
    InstanceRole:
      Type: AWS::IAM::Role
      Properties:
        RoleName: AppRunnerExecutionRole
        MaxSessionDuration: 28800 # 8h
        # Permissions the application code receives; narrow to what the service needs
        ManagedPolicyArns:
            - arn:aws:iam::aws:policy/AmazonS3FullAccess
        # Trust policy: the principal must be tasks.apprunner.amazonaws.com
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action: sts:AssumeRole
              Principal:
                Service: tasks.apprunner.amazonaws.com

    AppRunnerService:
      Type: AWS::AppRunner::Service
      Properties:
        ServiceName: service
        SourceConfiguration:
          # Access role used to pull the image from ECR (separate from the instance role)
          AuthenticationConfiguration:
            AccessRoleArn: "arn:aws:iam::xxx:role/service-role/AppRunnerECRAccessRole"
          AutoDeploymentsEnabled: true
          ImageRepository:
            ImageIdentifier: "xxx.dkr.ecr.us-east-1.amazonaws.com/xxx:latest"
            ImageRepositoryType: ECR
            ImageConfiguration:
              Port: 8080
        InstanceConfiguration:
          Cpu: 2048
          Memory: 4096
          # Attach the instance role defined above
          InstanceRoleArn:
            Fn::GetAtt: [ InstanceRole, Arn ]
onhate
answered 3 years ago
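
An added example (not part of the original answer and not AWS code): a small Node.js check that reads a role's trust policy and reports whether the tasks.apprunner.amazonaws.com principal named in the answer may assume it, which is the condition a role must meet before it can be used as InstanceRoleArn. The function names and the sample policies are constructed for illustration.

```javascript
// Added example: does a role's trust policy let App Runner instances assume it?
const INSTANCE_PRINCIPAL = 'tasks.apprunner.amazonaws.com';
const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// The IAM GetRole API returns the document URL-encoded; accept that form,
// plain JSON text, or an already-parsed object.
function parsePolicy(doc) {
  if (typeof doc !== 'string') return doc;
  try { return JSON.parse(doc); } catch (e) { return JSON.parse(decodeURIComponent(doc)); }
}

// Returns { ok, reason }. Condition blocks and wildcard actions are not evaluated.
function checkInstanceRoleTrust(doc) {
  const statements = asArray(parsePolicy(doc).Statement);
  const services = (s) => asArray(s.Principal && s.Principal.Service);
  const matches = (s) =>
    services(s).includes(INSTANCE_PRINCIPAL) &&
    asArray(s.Action).some((a) => a.toLowerCase() === 'sts:assumerole');

  if (statements.some((s) => s.Effect === 'Deny' && matches(s))) {
    return { ok: false, reason: `explicit Deny for ${INSTANCE_PRINCIPAL}` };
  }
  if (statements.some((s) => s.Effect === 'Allow' && matches(s))) {
    return { ok: true, reason: `sts:AssumeRole allowed for ${INSTANCE_PRINCIPAL}` };
  }
  const seen = statements.flatMap(services).join(', ') || 'none';
  return { ok: false, reason: `no Allow for ${INSTANCE_PRINCIPAL}; service principals found: ${seen}` };
}

// Constructed sample trust policies (not taken from a real account).
const trust = (service) => ({
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Action: 'sts:AssumeRole', Principal: { Service: service } }],
});
const SAMPLES = {
  'ecs-style role': trust('ecs-tasks.amazonaws.com'),
  'ecr access role': trust('build.apprunner.amazonaws.com'),
  'instance role': trust('tasks.apprunner.amazonaws.com'),
  'instance role (URL-encoded)': encodeURIComponent(JSON.stringify(trust(['tasks.apprunner.amazonaws.com']))),
};

for (const [name, doc] of Object.entries(SAMPLES)) {
  const { ok, reason } = checkInstanceRoleTrust(doc);
  console.log(`${ok ? 'PASS' : 'FAIL'}  ${name}: ${reason}`);
}
```

A role that passes this check still needs its own permissions policies for the AWS services the container calls.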
