AWS AppRunner getting "Unable to locate credentials" error when calling SNS in the cloud

Question

I have my application deployed on AWS AppRunner, which will call SNS to send an email.

mysns = boto3.client(
        "sns", 
    )
    response = mysns.publish(
        TopicArn = self.TOPIC_ARN,
        Message=message,
        Subject=subject,
    )

I have set up an IAM role and gave it the policies `AmazonSNSFullAccess` and `AWSAppRunnerServicePolicyForECRAccess`

Trust relationship is as follows:

{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "build.apprunner.amazonaws.com"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }

However, it still keeps giving an error `botocore.exceptions.NoCredentialsError: Unable to locate credentials`.

Riku_Kobayashi · Accepted Answer

Hello.

App Runner has Access roles and instance roles.  
What you are setting is an access role, which is used to retrieve container images from ECR etc.  
To access AWS services from an application inside a container, you need to create and attach an instance role.  
The instance role trust policy looks like this:  
https://docs.aws.amazon.com/apprunner/latest/dg/security_iam_service-with-iam.html#security_iam_service-with-iam-roles  
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "tasks.apprunner.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

AWS AppRunner getting "Unable to locate credentials" error when calling SNS in the cloud

Add your answer

Relevant content