Hello,
I have an application running in App Runner. It's all been working ok - happy with the service.
I recently wanted to use SSM parameter store to securely store the RDS database password. At the moment, it's stored in plain text as an environment variable in App Runner.
So I created my SSM parameter: I've created the parameter as a SecureString using the default KMS key for the account.
Then, I created an instance role for App Runner. Policies are:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:Describe*",
                "ssm:Get*",
                "ssm:List*"
            ],
            "Resource": "*"
        }
    ]
}
and
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": "*"
        }
    ]
}
and the trust entities:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "tasks.apprunner.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
And then I updated the configuration of App Runner to use this SSM parameter and the instance role.
But my application keeps failing to start... it says it can't connect to the database. I can't see anything else in the logs about SSM, but I assume that is the problem.
After spending half a day on this, I gave up and went back to securing the RDS password as plain text environment variable. Everything works again.
But now I need my application to access S3. So I again add a policy to the instance role. This time the AwsS3FullAccess role.
My application starts, but I get a timeout when I use the functionality that tries to access S3:
Caused by: software.amazon.awssdk.core.exception.SdkClientException: Unable to execute HTTP request: Connect to s3.ap-southeast-2.amazonaws.com:443 [blah blah] failed: Connect timed out
So I guess I'm doing something fundamentally wrong when it comes to setting up this App Runner instance role? I cannot make it work for SSM parameters or S3. What am I missing?
Extra info:
- I am using the AWS console, so bonus points if you can provide any guidance in that context
- The security group for my App Runner allows all outgoing traffic
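The two policies quoted in the question are syntactically valid and broad enough that a permissions error is unlikely to be the cause of the failure, but they also grant far more than the service needs: every `ssm:Get*`/`Describe*`/`List*` call on every parameter in the account, and `kms:Decrypt` on every key. The script below is an added example, not code from the question or from AWS; it merges the posted statements into one document, reports which actions are granted on `Resource: "*"`, and builds a scoped replacement that can read exactly one parameter and can only use the key when SSM calls KMS on the instance's behalf (`kms:ViaService`). The region, account ID, parameter ARNs and key ARN are constructed placeholders; the `allows()` helper is a deliberately small matcher written for this example, not an IAM policy simulator.

```python
import fnmatch

# Constructed placeholder region, account and ARNs; none of these come from the question.
REGION = "ap-southeast-2"
ACCOUNT = "123456789012"
PARAMETER_ARN = f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/myapp/prod/db-password"
OTHER_PARAMETER_ARN = f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/other-team/api-key"
KMS_KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/11111111-2222-3333-4444-555555555555"

# The two inline policies from the question, merged into one document as written.
POSTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ssm:Describe*", "ssm:Get*", "ssm:List*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*"},
    ],
}


def _as_list(value):
    # IAM accepts either a single string or a list in Action and Resource.
    return value if isinstance(value, list) else [value]


def wildcard_resource_grants(policy):
    """Actions that an Allow statement grants on Resource "*", i.e. with no resource scoping."""
    grants = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", [])):
            grants.extend(_as_list(stmt["Action"]))
    return grants


def scoped_policy(parameter_arn, key_arn, region):
    """Least-privilege replacement: read one named parameter, and decrypt with the key only
    when the request arrives through the SSM service endpoint for this region."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadOneParameter",
                "Effect": "Allow",
                "Action": ["ssm:GetParameter", "ssm:GetParameters"],
                "Resource": parameter_arn,
            },
            {
                "Sid": "DecryptOnlyThroughSsm",
                "Effect": "Allow",
                "Action": "kms:Decrypt",
                "Resource": key_arn,
                "Condition": {"StringEquals": {"kms:ViaService": f"ssm.{region}.amazonaws.com"}},
            },
        ],
    }


def allows(policy, action, resource, via_service=None):
    """Minimal evaluator for this example: True if some Allow statement matches the action
    and resource patterns and its kms:ViaService condition (the only condition modelled)
    holds. Deny statements, other condition keys and policy variables are not handled."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("kms:ViaService")
        if required is not None and required != via_service:
            continue
        return True
    return False


if __name__ == "__main__":
    import json

    print("posted policy grants on every resource:", wildcard_resource_grants(POSTED_POLICY))
    scoped = scoped_policy(PARAMETER_ARN, KMS_KEY_ARN, REGION)
    print(json.dumps(scoped, indent=2))
    print("scoped policy can read another team's parameter:",
          allows(scoped, "ssm:GetParameter", OTHER_PARAMETER_ARN))
```

For the account's default SSM key, the key ARN to put in `Resource` (an alias ARN is not accepted there) can be read with `aws kms describe-key --key-id alias/aws/ssm`. Scoping this way does not change whether the service starts; it limits what a compromised container could read if the instance role's credentials were ever exfiltrated.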
This was, in fact, the answer!
I was skeptical at first, because as I mention above, I already had a working RDS connection.
But it was explained to me (I still don't really understand) that when using a plain text RDS password, it was using an internal connection to RDS. But when I switched to using SSM, it used the public internet (???).
Anyway...
AWS Support talked me through it. I needed to add some private subnets, a new routing table, a NAT gateway, tie all those things together, create a new App Runner VPC connector that used those subnets and then... it worked!
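What the follow-up describes is a routing problem rather than an IAM one: once a service has a VPC connector, its outbound traffic leaves through the connector's subnets, so RDS inside the VPC is reachable while public endpoints such as `s3.<region>.amazonaws.com`, SSM and KMS time out unless those subnets have a default route through a NAT gateway. The checker below is an added example, not code from the thread or from AWS; it walks a constructed sample shaped like the JSON that `aws ec2 describe-route-tables` returns and classifies each candidate connector subnet by its `0.0.0.0/0` route. The route table IDs, subnet IDs, CIDRs and gateway IDs are all made up for the example.

```python
# Constructed sample shaped like the JSON `aws ec2 describe-route-tables` returns.
# All IDs, CIDRs and the VPC layout are invented for this example, not taken from the thread.
ROUTE_TABLES = {
    "RouteTables": [
        {   # Main table: used implicitly by every subnet without an explicit association.
            "RouteTableId": "rtb-main0000example",
            "Associations": [{"Main": True, "RouteTableId": "rtb-main0000example"}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            ],
        },
        {   # Public subnet: default route to an internet gateway.
            "RouteTableId": "rtb-public00example",
            "Associations": [{"Main": False, "SubnetId": "subnet-public-a"}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0000example", "State": "active"},
            ],
        },
        {   # Private subnet: default route through a NAT gateway (the layout the thread ended with).
            "RouteTableId": "rtb-private0example",
            "Associations": [{"Main": False, "SubnetId": "subnet-private-a"}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0000example", "State": "active"},
            ],
        },
    ]
}


def route_table_for_subnet(describe_output, subnet_id):
    """An explicit subnet association wins; otherwise the VPC's main route table applies."""
    main = None
    for table in describe_output["RouteTables"]:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def egress_kind(describe_output, subnet_id):
    """Classify the subnet's active default route as 'nat', 'igw' or 'none'."""
    table = route_table_for_subnet(describe_output, subnet_id)
    for route in (table or {}).get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0" or route.get("State") == "blackhole":
            continue
        if route.get("NatGatewayId", "").startswith("nat-"):
            return "nat"
        if route.get("GatewayId", "").startswith("igw-"):
            return "igw"
    return "none"


def check_connector_subnets(describe_output, subnet_ids):
    """Verdict per candidate connector subnet. Only 'nat' gives App Runner instances a path
    to public AWS endpoints: connector ENIs carry no public IP, so an internet-gateway route
    alone does not help, and a subnet with no default route produces the connect timeouts
    seen in the thread."""
    return {sid: egress_kind(describe_output, sid) for sid in subnet_ids}


def subnets_with_internet_egress(describe_output, subnet_ids):
    verdicts = check_connector_subnets(describe_output, subnet_ids)
    return [sid for sid, kind in verdicts.items() if kind == "nat"]


if __name__ == "__main__":
    candidates = ["subnet-db-a", "subnet-public-a", "subnet-private-a"]
    for sid, kind in check_connector_subnets(ROUTE_TABLES, candidates).items():
        print(f"{sid}: {kind}")
    print("usable for a connector that must reach S3/SSM/KMS:",
          subnets_with_internet_egress(ROUTE_TABLES, candidates))
```

Against a real account, replace `ROUTE_TABLES` with the parsed output of `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc-id>` and pass the subnet IDs configured on the VPC connector. A NAT gateway is the fix the thread arrived at; the alternative that keeps the traffic off the public internet altogether is a gateway VPC endpoint for S3 plus interface endpoints for SSM and KMS in the connector's subnets, in which case the check above would need to look for those endpoint routes rather than a NAT route.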