Missing (resource) permission in AWSAppRunnerFullAccess causes failure when calling the CreateVpcConnector operation

0

Not really a question, more of a 'bug report'. The solution is provided in this post. arn:aws:iam::aws:policy/AWSAppRunnerFullAccess is missing the permission to create the AWSServiceRoleForAppRunnerNetworking service role. That makes it impossible to create a VPC connector despite using the FullAccess policy. The error message doesn't really help, as the policy it points to is in fact attached.

Steps to reproduce:

  1. Use user or assume role with AWSAppRunnerFullAccess permissions.
  2. Run
aws apprunner create-vpc-connector --vpc-connector-name test-vpc-connector --subnets <subnets> --security-groups <security-groups>

Command produces following error: "An error occurred (InvalidRequestException) when calling the CreateVpcConnector operation: AccessDenied. Couldn't create a service-linked role for App Runner. When creating the first vpc connector in the account, caller must have the 'iam:CreateServiceLinkedRole' permission. Use the 'AWSAppRunnerFullAccess' managed user policy to ensure users have all required permissions."

Temporary solution: add additional policy with Allow iam:CreateServiceLinkedRole on resource arn:aws:iam::*:role/aws-service-role/apprunner.amazonaws.com/AWSServiceRoleForAppRunner.

Long term, I believe it should be added to AWSAppRunnerFullAccess.

2 Answers
0
Accepted Answer

Temporary solution: add additional policy with Allow iam:CreateServiceLinkedRole on resource arn:aws:iam::*:role/aws-service-role/apprunner.amazonaws.com/AWSServiceRoleForAppRunner.

Long term - to be fixed by AWS :)

Pszem
answered a year ago
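As an added example (not part of the original post), this is the additional policy document the accepted answer describes, written out so it can be attached alongside AWSAppRunnerFullAccess. The resource ARN is the one given in the answer; the Sid name is my own choice, and the iam:AWSServiceName condition is an extra restriction added here so the statement can only be used to create the App Runner service-linked role and nothing else.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAppRunnerServiceLinkedRole",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/apprunner.amazonaws.com/AWSServiceRoleForAppRunner",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "apprunner.amazonaws.com"
        }
      }
    }
  ]
}
```

Only the identity that makes the first CreateVpcConnector call in the account needs this statement, since the service-linked role is created once and reused afterwards.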
0

I'm using CDK and I added the allow statement to both cdk-qualifier-cfn-exec-role-*****-region and cdk-qualifier-deploy-role-*****-region, yet it still fails. When deploying with CDK, which role should contain this policy statement?

Resource handler returned message: "AccessDenied. Couldn't create a service-linked role for App Runner. When creating the first vpc connector in the account, caller must have the 'iam:CreateServiceLinkedRole' permission. Use the 'AWSAppRunnerFullAccess' managed user policy to ensure users have all required permissions."

Temporary solution: add additional policy with Allow iam:CreateServiceLinkedRole on resource arn:aws:iam::*:role/aws-service-role/apprunner.amazonaws.com/AWSServiceRoleForAppRunner. Long term - to be fixed by AWS :)

answered 3 months ago
