App Runner connection to s3

1

I have deployed my backend API to App Runner. I want this API to be able to read and write to an S3 bucket that I have, but I consistently get timeout errors when performing this operation. I have written Python code to read and write from S3 using the boto3 library, and locally this works using my own credentials. However, when I deploy my API to App Runner the request times out. I have added a bucket policy to allow the App Runner instance role to read and write, and I have added read/write permissions to the App Runner instance role. What can I do to resolve this?

Thanks!

asked 2 years ago · 1332 views
2 Answers
0

I had the same problem. I fixed it by creating an S3 VPCEndpoint, like this in CloudFormation:

S3VpcEndpoint:
    # We need this VPCE type=Gateway so App Runner can reach S3.
    # I'm surprised I need this, as I thought App Runner didn't operate in my VPC
    Type: AWS::EC2::VPCEndpoint
    Properties:
      RouteTableIds:
        - !Ref PublicRouteTable
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.s3"
      VpcId: !Ref VPC
answered 5 months ago
  • That was in addition to IAM policies that allowed access; again, from my CloudFormation

      Policies:
        - PolicyName: net-core-instance-role-policy
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - s3:ListBucket
                  - s3:GetBucketLocation
                  - s3:ListBucketMultipartUploads # needed?
                  - s3:ListBucketVersions         # needed?
                Resource: '*'       # TODO reference our S3 BUCKET ARN
              - Effect: Allow
                Action:
                  - s3:DeleteObject
                  - s3:GetObject
                  - s3:GetObjectAcl
                  - s3:PutObject
                  - s3:PutObjectAcl
                  - s3:ListMultipartUploadParts # needed?
                  - s3:AbortMultipartUpload     # needed?
                Resource: '*'       # TODO reference our S3 OBJECT /* ARN

0

Hi,

Because of the timeout error, I'd recommend you check the security groups attached to your App Runner instances to see whether they authorize outbound connections on the HTTP/HTTPS ports.

Thanks

AWS
Julien
answered 2 years ago
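The two answers above point at the same failure mode from two sides: when an App Runner service has a VPC connector attached (EgressType VPC), all outbound traffic from the instance leaves through the connector's subnets, so S3 is only reachable if those subnets have a route to it (a gateway endpoint or a NAT) and the connector's security group allows outbound 443. A service with the default public egress needs neither, which is why the first answer found the endpoint surprising. The IAM side is separate: a missing permission shows up as an AccessDenied error, not a timeout. The following CloudFormation fragment is an added example that is not part of either answer. It wires the security group, the gateway endpoint, the VPC connector and a scoped instance role together; the names VPC, PrivateRouteTable, PrivateSubnetA, PrivateSubnetB and the BucketName parameter are assumptions for illustration.

```yaml
# Added example, not from the original answers. Resource names such as VPC,
# PrivateRouteTable, PrivateSubnetA/B and the BucketName parameter are assumed.
Parameters:
  BucketName:
    Type: String
    Description: Existing bucket the API reads and writes

Resources:
  # Egress security group for the App Runner VPC connector. Traffic to S3
  # through a gateway endpoint still has to pass the group's outbound rules,
  # so TCP 443 must be allowed (the check the second answer suggests).
  AppRunnerEgressSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: App Runner VPC connector egress
      VpcId: !Ref VPC
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0   # tighten to the regional S3 prefix list if possible

  # Gateway endpoint so the connector's subnets reach S3 without a NAT.
  # It must be attached to the route tables of the subnets the connector uses.
  S3VpcEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Gateway
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.s3"
      VpcId: !Ref VPC
      RouteTableIds:
        - !Ref PrivateRouteTable
      # Endpoint policy: only this bucket is reachable through the endpoint.
      # Any other S3 traffic from these subnets is blocked, so widen it if the
      # instances also pull packages or other buckets over S3.
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: "*"
            Action: s3:*
            Resource:
              - !Sub "arn:aws:s3:::${BucketName}"
              - !Sub "arn:aws:s3:::${BucketName}/*"

  VpcConnector:
    Type: AWS::AppRunner::VpcConnector
    Properties:
      VpcConnectorName: api-connector
      Subnets:
        - !Ref PrivateSubnetA
        - !Ref PrivateSubnetB
      SecurityGroups:
        - !Ref AppRunnerEgressSg

  # Instance role: the identity the boto3 code runs as inside App Runner.
  # Bucket-level and object-level actions are split because they apply to
  # different ARNs; this is what the TODO comments in the answer above flag.
  InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: tasks.apprunner.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: s3-bucket-access
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - s3:ListBucket
                  - s3:GetBucketLocation
                Resource: !Sub "arn:aws:s3:::${BucketName}"
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:PutObject
                  - s3:DeleteObject
                Resource: !Sub "arn:aws:s3:::${BucketName}/*"
```

The App Runner service itself (not shown) references these with `NetworkConfiguration.EgressConfiguration.EgressType: VPC`, `VpcConnectorArn: !GetAtt VpcConnector.VpcConnectorArn` and `InstanceConfiguration.InstanceRoleArn: !GetAtt InstanceRole.Arn`. The ACL actions from the answer's policy are left out: with the bucket owner enforced setting, object ACLs are disabled and the calls are unnecessary. If the timeout persists after this, check that the route tables listed under RouteTableIds are really the ones associated with the connector's subnets; a gateway endpoint attached to the wrong table is the most common reason the endpoint looks correct yet S3 remains unreachable.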
