Missing (resource) permission in AWSAppRunnerFullAccess causes failure when calling the CreateVpcConnector operation

0

Not really a question, more of a 'bug report'. The solution is provided in this post. arn:aws:iam::aws:policy/AWSAppRunnerFullAccess is missing the permission to create the AWSServiceRoleForAppRunnerNetworking service role. That makes it impossible to create a VPC connector despite using the FullAccess policy. The error message doesn't really help, as the policy it points to is in fact attached.

Steps to reproduce:

  1. Use a user or assume a role with AWSAppRunnerFullAccess permissions.
  2. Run:
     aws apprunner create-vpc-connector --vpc-connector-name test-vpc-connector --subnets <subnets> --security-groups <security-groups>

The command produces the following error: "An error occurred (InvalidRequestException) when calling the CreateVpcConnector operation: AccessDenied. Couldn't create a service-linked role for App Runner. When creating the first vpc connector in the account, caller must have the 'iam:CreateServiceLinkedRole' permission. Use the 'AWSAppRunnerFullAccess' managed user policy to ensure users have all required permissions."

Temporary solution: add an additional policy with Allow iam:CreateServiceLinkedRole on resource arn:aws:iam::*:role/aws-service-role/apprunner.amazonaws.com/AWSServiceRoleForAppRunner.

Long term, I believe it should be added to AWSAppRunnerFullAccess.

2 Answers
0
Accepted answer

Temporary solution: add an additional policy with Allow iam:CreateServiceLinkedRole on resource arn:aws:iam::*:role/aws-service-role/apprunner.amazonaws.com/AWSServiceRoleForAppRunner.

Long term - to be fixed by AWS :)

Pszem
answered 2 years ago
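The workaround above as a concrete, least-privilege policy document, written here as an added example (not code from the post or from AWS). It scopes the grant to the single action and the resource ARN quoted in the answer, and additionally pins it to the App Runner service principal via the standard `iam:AWSServiceName` condition key. Note that the error text names AWSServiceRoleForAppRunnerNetworking while the answer's ARN names AWSServiceRoleForAppRunner; the post gives only the latter ARN, so it is used here, and the Resource should be adjusted to whichever service-linked role is actually being created. The tiny evaluator is an assumption-free check of this one policy, not a general IAM simulator.

```python
import fnmatch
import json

# Service-linked role ARN exactly as quoted in the accepted answer.
APPRUNNER_SLR_ARN = (
    "arn:aws:iam::*:role/aws-service-role/apprunner.amazonaws.com/AWSServiceRoleForAppRunner"
)


def apprunner_slr_policy() -> dict:
    """Minimal policy that unblocks the first CreateVpcConnector call.

    One action, one resource pattern, and an iam:AWSServiceName condition so the
    caller cannot create service-linked roles for any other AWS service.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowAppRunnerServiceLinkedRole",
                "Effect": "Allow",
                "Action": "iam:CreateServiceLinkedRole",
                "Resource": APPRUNNER_SLR_ARN,
                "Condition": {
                    "StringEquals": {"iam:AWSServiceName": "apprunner.amazonaws.com"}
                },
            }
        ],
    }


def policy_json() -> str:
    """JSON form, suitable for `aws iam create-policy --policy-document file://...`."""
    return json.dumps(apprunner_slr_policy(), indent=2)


def policy_allows(policy: dict, action: str, resource: str, service_name: str) -> bool:
    """Allow-only evaluator for this policy: matches action and resource using
    IAM-style '*' wildcards and the iam:AWSServiceName StringEquals condition.
    Deny statements and other condition operators are deliberately not modelled."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        cond = st.get("Condition", {}).get("StringEquals", {}).get("iam:AWSServiceName")
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if cond is not None and cond != service_name:
            continue
        return True
    return False
```

Attach the resulting policy to the same principal that already carries AWSAppRunnerFullAccess; the account id in the ARN stays `*` because service-linked roles are created in the caller's own account.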
0

I'm using CDK and I added the allow statement to both cdk-qualifier-cfn-exec-role-*****-region and cdk-qualifier-deploy-role-*****-region, yet it still fails. When deploying with CDK, which role should contain this policy statement?

Resource handler returned message: "AccessDenied. Couldn't create a service-linked role for App Runner. When creating the first vpc connector in the account, caller must have the 'iam:CreateServiceLinkedRole' permission. Use the 'AWSAppRunnerFullAccess' managed user policy to ensure users have all required permissions."

Temporary solution: add an additional policy with Allow iam:CreateServiceLinkedRole on resource arn:aws:iam::*:role/aws-service-role/apprunner.amazonaws.com/AWSServiceRoleForAppRunner. Long term - to be fixed by AWS :)

answered 3 months ago
