Difficulties creating AppRunner service in second region

  1. Can you create a new AppRunner service in a separate region from an ECR image? I read a bit about replication, but would like to get it working without additional complexity if possible. Does an additional region introduce any additional permissions issues?

Otherwise, here's my current setup:

I have an AppRunner service running successfully in one region. I'm trying to spin up a service based off the same image in a second region, but I get problems similar to this re:Post question. Specifically, the service is created but goes into OPERATION_IN_PROGRESS for a while until it dies & goes to status "Create failed". Looking in deployment logs for event "Create service", I see:

01-25-2022 01:58:36 PM [AppRunner] Failed to pull your application image. Be sure you configure your service with a valid access role to your ECR repository.
01-25-2022 01:48:54 PM [AppRunner] Starting to pull your application image.

Following the advice of the other re:Post question, I tried looking in CloudTrail events originating from event source "ecr.amazonaws.com". I have tons of GetAuthorizationToken events, but looking at them doesn't give me much interesting information - they seem to pass & are using the role I expect them to.

A bit about permissions - I'm using the default AppRunnerECRAccessRole which I created through the UI when creating an AWS service. I'm reusing it to try & create different services. It has a policy with this JSON:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:DescribeImages",
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability"
            ],
            "Resource": "*"
        }
    ]
}

Any additional debugging tips for this specific scenario? If there is more generic advice for question #1 I'll try to follow it. I would like to "create a new service with same image in a region distinct from the image's region" if possible atm (even if that is inefficient long-term).

howellz
asked 2 years ago · 423 views
1 Answer
Accepted Answer

As far as I can tell this is a bug or design issue with AppRunner.

TL;DR - I suggest you enable ECR replication as needed.

The login credentials of ECR are region specific.

Based on CloudTrail logs, you can see that AppRunner only issues the GetAuthorizationToken API call to the ECR API endpoint located in the region where the AppRunner service was originally created. This can be verified by changing the regions in the CloudTrail console and filtering events.

That credential is not valid for ECR repos located in a different region, and evidently the AppRunner service keeps retrying the API call to get a new auth credential until the service creation timeout, around 10 mins.

Jason_S
answered 2 years ago
EXPERT
reviewed 22 days ago
  • It is also a best practice to obtain container images from an ECR repository that is located in the same region you are running your containers in. AWS Regions are designed to be separate failure domains, so that if region A suffers a degradation in service, resources in region B will be unaffected. If you create inter-regional dependencies -- for example, by pulling container images from a different region -- then you are increasing your operational risk.
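As an added example (not part of the answer, the comment, or any AWS tooling), the Python below turns the points above into a pre-flight check: it parses a private ECR image URI to compare the image's region with the intended App Runner region before the service is created, tallies which region CloudTrail shows GetAuthorizationToken calls going to, and builds the rule body for `aws ecr put-replication-configuration` as the fix. The account id, repository, regions and CloudTrail records are constructed placeholders; the function names are the example's own.

```python
import re
from collections import Counter

# Private ECR image URI: <account>.dkr.ecr.<region>.amazonaws.com/<repo>[:tag][@digest]
ECR_IMAGE_RE = re.compile(
    r"^(?P<account>\d{12})\.dkr\.ecr\.(?P<region>[a-z0-9-]+)\.amazonaws\.com/"
    r"(?P<repo>[^:@]+)(?::(?P<tag>[^@]+))?(?:@(?P<digest>.+))?$"
)

def parse_ecr_image(image_uri):
    """Return (account, region, repository) from a private ECR image URI."""
    m = ECR_IMAGE_RE.match(image_uri)
    if not m:
        raise ValueError(f"not a private ECR image URI: {image_uri}")
    return m.group("account"), m.group("region"), m.group("repo")

def check_region_alignment(service_region, image_uri):
    """App Runner asks for its ECR auth token in the service's own region and that
    token only covers registries in that region, so a cross-region image cannot
    be pulled. Returns None when aligned, otherwise a short explanation."""
    _, image_region, _ = parse_ecr_image(image_uri)
    if image_region == service_region:
        return None
    return (f"image lives in {image_region} but the service runs in {service_region}; "
            "the region-scoped ECR token will not authorize the pull")

def replication_rule(account, target_regions):
    """Body for `aws ecr put-replication-configuration`: replicate every
    repository of the source registry into each target region."""
    return {"rules": [{"destinations": [{"region": r, "registryId": account}
                                        for r in target_regions]}]}

def auth_token_regions(events):
    """Tally which region each ECR GetAuthorizationToken call in CloudTrail went to."""
    return Counter(e["awsRegion"] for e in events
                   if e.get("eventSource") == "ecr.amazonaws.com"
                   and e.get("eventName") == "GetAuthorizationToken")

# Constructed CloudTrail records: both token requests land in the original region.
SAMPLE_EVENTS = [
    {"eventSource": "ecr.amazonaws.com", "eventName": "GetAuthorizationToken", "awsRegion": "us-east-1"},
    {"eventSource": "ecr.amazonaws.com", "eventName": "GetAuthorizationToken", "awsRegion": "us-east-1"},
    {"eventSource": "ecr.amazonaws.com", "eventName": "BatchGetImage", "awsRegion": "us-east-1"},
]

if __name__ == "__main__":
    image = "123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app:latest"  # placeholder account/repo
    print(check_region_alignment("eu-west-1", image) or "regions aligned")
    print(auth_token_regions(SAMPLE_EVENTS))
    print(replication_rule("123456789012", ["eu-west-1"]))
```

Run the alignment check against the region you are about to create the service in; a non-None result is the same mismatch the "Failed to pull your application image" event reports, and the emitted rule is the replication the answer recommends.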
