Is it possible to add "aws:sourceVpce" condition to ECR Access role of AppRunner?

Question

I added "aws:sourceVpce" condition to policy for ECR Access role of AppRunner as below.
The purpose is to restrict target of policy.

{
    "Statement": [
        {
            "Action": [
                "ecr:GetAuthorizationToken"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:DescribeImages"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:sourceVpce": [
                        "vpce-xxxxxxxxxxxx",
                        "vpce-xxxxxxxxxxxx"
                    ]
                }
            },
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "2012-10-17"
}

sourceVpce:  
com.amazonaws.myregion.ecr.api  
com.amazonaws.myregion.ecr.dkr

Then, AppRunner failed to deploy with the following error.  
Is it not possible to use endpoints for ECR access roles?

error:
[AppRunner] Failed to pull your application image. Be sure you configure your service with a valid access role to your ECR repository.

Ingress rule of the security group of the endpoints have permitted "443" from the security group of the vpc connector.
And ECS can use the endpoints with the same setting.

Accepted Answer

Hello,

On [this page](https://docs.aws.amazon.com/apprunner/latest/dg/security-vpce.html), you will see: "**VPC endpoint policies are not supported for App Runner**. By default, full access to App Runner is allowed through the interface endpoint. Alternatively, you can associate a security group with the endpoint network interfaces to control traffic to App Runner through the interface endpoint".

Is it possible to add "aws:sourceVpce" condition to ECR Access role of AppRunner?

Relevanter Inhalt