Usando AWS re:Post, accetti AWS re:Post Termini di utilizzo
AWS re:Postre:Post

Missing (resource) permission in AWSAppRunnerFullAccess causes failure when calling the CreateVpcConnector operation

0

Not really a question, more of a 'bug report'. Solution is provided in this post. arn:aws:iam::aws:policy/AWSAppRunnerFullAccess is missing permission to create AWSServiceRoleForAppRunnerNetworking service role. That makes it impossible to create vpc connector despite using FullAccess policy. Error message doesn't really help, as pointed by it policy is in fact attached.

Steps to reproduce:

  1. Use user or assume role with AWSAppRunnerFullAccess permissions.
  2. Run
aws apprunner create-vpc-connector --vpc-connector-name test-vpc-connector --subnets <subnets> --security-groups <security-groups>

Command produces following error: "An error occurred (InvalidRequestException) when calling the CreateVpcConnector operation: AccessDenied. Couldn't create a service-linked role for App Runner. When creating the first vpc connector in the account, caller must have the 'iam:CreateServiceLinkedRole' permission. Use the 'AWSAppRunnerFullAccess' managed user policy to ensure users have all required permissions."

Temporary solution: add additional policy with Allow iam:CreateServiceLinkedRole on resource arn:aws:iam::*:role/aws-service-role/apprunner.amazonaws.com/AWSServiceRoleForAppRunner.

Long term, I believe it should be added to AWSAppRunnerFullAccess.

Argomenti
Sicurezza, identità e conformitàGestione e amministrazioneComputazionaliContainer
Tag
Gestione identità e accesso AWSInterfaccia a riga di comando AWSAWS App RunnerPolitiche IAM
Lingua
English
Pszem
posta 2 anni fa696 visualizzazioni
2 Risposte
0
Risposta accettata

Temporary solution: add additional policy with Allow iam:CreateServiceLinkedRole on resource arn:aws:iam::*:role/aws-service-role/apprunner.amazonaws.com/AWSServiceRoleForAppRunner.

Long term - to be fixed by AWS :)

Pszem
con risposta 2 anni fa
0

I'm using CDK and I added the allow the statement to both cdk-qualifier-cfn-exec-role-*****-region and cdk-qualifier-deploy-role-*****-region yet it still fail. When deploying with CDK which role should contain this policy statement?

Resource handler returned message: "AccessDenied. Couldn't create a service-linked role for App Runner. When creating the first vpc connector in the account, caller must have the 'iam:CreateServiceLinkedRole' permission. Use the 'AWSAppRunnerFullAccess' managed user policy to ensure users have all required permissions.

Temporary solution: add additional policy with Allow iam:CreateServiceLinkedRole on resource arn:aws:iam::*:role/aws-service-role/apprunner.amazonaws.com/AWSServiceRoleForAppRunner. Long term - to be fixed by AWS :)

muhamadto
con risposta 3 mesi fa

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande

Contenuto pertinente