Difficulties creating AppRunner service in second region

0
  1. Can you create a new AppRunner service in a separate region from an ECR image? I read a bit about replication, but would like to get it working without additional complexity if possible. Does an additional region introduce any additional permissions issues?

Otherwise, here's my current setup:

I have an AppRunner service running successfully in one region. I'm trying to spin up a service based off the same image in a second region, but I get problems similar to this re:Post question. Specifically, the service is created but goes into OPERATION_IN_PROGRESS for a while until it dies & goes to status "Create failed". Looking in deployment logs for event "Create service", I see:

01-25-2022 01:58:36 PM [AppRunner] Failed to pull your application image. Be sure you configure your service with a valid access role to your ECR repository.
01-25-2022 01:48:54 PM [AppRunner] Starting to pull your application image.

Following advice of the other re:Post question, I tried looking in CloudTrail events originating from event source "ecr.amazonaws.com". I have tons of GetAuthorizationToken events, but looking at them doesn't give me much interesting information - they seem to pass & are using the role I expect them to.

A bit about permissions - I'm using the default AppRunnerECRAccessRole which I created through the UI when creating an AWS service. I'm reusing it to try & create different services. It has a policy with this JSON:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:DescribeImages",
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability"
            ],
            "Resource": "*"
        }
    ]
}

Any additional debugging tips for this specific scenario? If there is more generic advice for question #1 I'll try to follow it. I would like to "create a new service with same image in a region distinct from the image's region" if possible atm (even if that is inefficient long-term).

howellz
Asked 2 years ago, 433 views
1 answer
0
Accepted answer

As far as I can tell this is a bug or design issue with AppRunner.

TL;DR - I suggest you enable ECR replication as needed.

The login credentials of ECR are region specific.

Based on CloudTrail logs, you can see that AppRunner only issues the GetAuthorizationToken API call to the ECR API endpoint located in the region where the AppRunner service was originally created. This can be verified by changing the region in the CloudTrail console and filtering events.

That credential is not valid for ECR repos located in a different region, and evidently the AppRunner service keeps retrying the API call to get a new auth credential until the service creation timeout, around 10 mins.

Jason_S
Answered 2 years ago
Expert
Reviewed a month ago
  • It is also a best practice to obtain container images from an ECR repository that is located in the same region you are running your containers in. AWS Regions are designed to be separate failure domains, so that if region A suffers a degradation in service, resources in region B will be unaffected. If you create inter-regional dependencies -- for example, by pulling container images from a different region -- then you are increasing your operational risk.
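The CloudTrail check Jason_S describes, carried out in Python over constructed records instead of in the console, followed by the ECR replication configuration his TL;DR points to. This is an added example, not code from the question or the answer; the region names, the account id and the DeveloperRole principal are placeholders, and only AppRunnerECRAccessRole comes from the question.

```python
import json
from collections import Counter

ROLE_NAME = "AppRunnerECRAccessRole"   # access role named in the question
IMAGE_REGION = "us-east-1"             # placeholder: region holding the ECR repo
SERVICE_REGION = "eu-west-1"           # placeholder: region of the new App Runner service


def _ev(name, region, role):
    """Build a constructed CloudTrail record trimmed to the fields the check reads."""
    return {"eventSource": "ecr.amazonaws.com", "eventName": name, "awsRegion": region,
            "userIdentity": {"sessionContext": {"sessionIssuer": {"userName": role}}}}


# Constructed records, not real logs: every token request by the access role goes to
# the ECR endpoint in the service's region, none to the region that holds the image.
CONSTRUCTED_EVENTS = [
    _ev("GetAuthorizationToken", SERVICE_REGION, ROLE_NAME),
    _ev("GetAuthorizationToken", SERVICE_REGION, ROLE_NAME),
    _ev("GetAuthorizationToken", SERVICE_REGION, ROLE_NAME),
    _ev("GetAuthorizationToken", IMAGE_REGION, "DeveloperRole"),  # unrelated principal
]


def role_of(event):
    """Role name behind an assumed-role session, or None for other principals."""
    issuer = event.get("userIdentity", {}).get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("userName")


def token_regions(events, role_name):
    """Count GetAuthorizationToken calls per region, for the given access role only."""
    return Counter(e["awsRegion"] for e in events
                   if e["eventSource"] == "ecr.amazonaws.com"
                   and e["eventName"] == "GetAuthorizationToken"
                   and role_of(e) == role_name)


def image_region_reachable(events, role_name, image_region):
    """True only if the role ever obtained a token from the image's own region."""
    return token_regions(events, role_name)[image_region] > 0


def replication_configuration(registry_id, destination_regions):
    """Document for `aws ecr put-replication-configuration --replication-configuration`."""
    return {"rules": [{"destinations": [{"region": r, "registryId": registry_id}
                                        for r in destination_regions]}]}


if __name__ == "__main__":
    print("token requests by region:", dict(token_regions(CONSTRUCTED_EVENTS, ROLE_NAME)))
    if not image_region_reachable(CONSTRUCTED_EVENTS, ROLE_NAME, IMAGE_REGION):
        # Replicate the repo into the service's region so the pull stays in-region.
        print(json.dumps(replication_configuration("123456789012", [SERVICE_REGION]), indent=2))
```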
