I added an "aws:sourceVpce" condition to the policy for the ECR access role of App Runner, as below.
The purpose is to restrict the target of the policy.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability",
        "ecr:DescribeImages"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:sourceVpce": [
            "vpce-xxxxxxxxxxxx",
            "vpce-xxxxxxxxxxxx"
          ]
        }
      }
    }
  ]
}
```
sourceVpce (interface endpoints for the following services):
- com.amazonaws.myregion.ecr.api
- com.amazonaws.myregion.ecr.dkr
Then App Runner failed to deploy with the following error.
Is it not possible to use endpoints for ECR access roles?
Error:
[AppRunner] Failed to pull your application image. Be sure you configure your service with a valid access role to your ECR repository.
The ingress rule of the endpoints' security group permits port 443 from the security group of the VPC connector.
And ECS can use the endpoints with the same setting.
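As an added illustration (not part of the post), the following evaluator models how IAM treats the StringEquals condition on aws:sourceVpce in the policy above: when the request context carries no aws:sourceVpce key at all, StringEquals is false, so a caller whose request does not arrive through one of the listed interface endpoints matches neither Allow statement and is implicitly denied. The policy copy and endpoint IDs below are constructed placeholders.

```python
# Constructed copy of the policy shape from the post; endpoint IDs are placeholders.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ecr:GetAuthorizationToken"], "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
                       "ecr:BatchCheckLayerAvailability", "ecr:DescribeImages"],
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:sourceVpce": ["vpce-aaaa", "vpce-bbbb"]}},
        },
    ],
}


def condition_holds(condition, ctx):
    """Evaluate StringEquals / Null blocks the way IAM does for single-valued keys.
    A key absent from the request context makes StringEquals false and Null "true"."""
    for op, keys in condition.items():
        for key, allowed in keys.items():
            allowed = allowed if isinstance(allowed, list) else [allowed]
            present = key in ctx
            if op == "StringEquals":
                ok = present and ctx[key] in allowed
            elif op == "Null":
                ok = str(not present).lower() in [str(a).lower() for a in allowed]
            else:
                raise ValueError(f"operator {op} is not modelled here")
            if not ok:
                return False
    return True


def evaluate(policy, action, ctx):
    """Return 'Allow' or 'Deny'. Explicit Deny beats Allow; no match is an implicit deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions:
            continue
        if not condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

A request context with no aws:sourceVpce (the case for any caller not traversing one of the two endpoints) is the one to compare against ECS, where the same policy works because the pull does go through the endpoints.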
Thank you. It has been very helpful.