I've got a container that I'm trying to have executed by App Runner. When I don't specify an instance role, the service fails as expected due to lack of permissions to access AWS resources, in this case Secrets Manager.
When I link a custom role with the required IAM permissions, the service fails to start altogether after halting for about 5 minutes. Here are the logs:
11-01-2022 03:11:49 PM npm ERR! /root/.npm/_logs/2022-11-01T22_08_00_359Z-debug-0.log
11-01-2022 03:11:49 PM npm ERR! A complete log of this run can be found in:
11-01-2022 03:11:49 PM npm ERR! command sh -c -- npx prisma migrate deploy && node ./dist/src/api.host/main
11-01-2022 03:11:49 PM npm ERR! signal SIGTERM
11-01-2022 03:11:49 PM npm ERR! command failed
11-01-2022 03:11:49 PM npm ERR! path /
11-01-2022 03:08:06 PM No pending migrations to apply.
11-01-2022 03:08:05 PM 33 migrations found...
11-01-2022 03:08:05 PM Datasource "db": PostgreSQL database "... schema "public" at "..."
11-01-2022 03:08:05 PM Prisma schema loaded from prisma/schema.prisma
11-01-2022 03:08:00 PM > npx prisma migrate deploy && node ./dist/.../main
11-01-2022 03:08:00 PM > backend@0.0.1 start:prod
I've verified that the App Runner service is connected to the relevant IAM role with
aws apprunner describe-service --service-arn ...
which shows that:
{
  "Service": {
    "InstanceConfiguration": {
      "InstanceRoleArn": "...what_I_expect..."
    }
  }
}
But when I look at the IAM role in the console, it shows that it's never been used.
Any thoughts?