App Runner Instance Role Problems


Hello,

I have an application running in App Runner. It's all been working ok - happy with the service.

I recently wanted to use SSM parameter store to securely store the RDS database password. At the moment, it's stored in plain text as an environment variable in App Runner.

So I created my SSM parameter: I've created the parameter as a SecureString using the default KMS key for the account.

Then, I created an instance role for App Runner. Policies are:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:Describe*",
                "ssm:Get*",
                "ssm:List*"
            ],
            "Resource": "*"
        }
    ]
}

and

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": "*"
        }
    ]
}

and the trust entities:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "tasks.apprunner.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

And then I updated the configuration of App Runner to use this SSM parameter and the instance role.

But my application keeps failing to start... it says it can't connect to the database. I can't see anything else in the logs about SSM, but I assume that is the problem.

After spending half a day on this, I gave up and went back to securing the RDS password as a plain text environment variable. Everything works again.

But now I need my application to access S3. So I again add a policy to the instance role. This time the AwsS3FullAccess role.

My application starts, but I get a timeout when I use the functionality that tries to access S3:

Caused by: software.amazon.awssdk.core.exception.SdkClientException: Unable to execute HTTP request: Connect to s3.ap-southeast-2.amazonaws.com:443 [blah blah] failed: Connect timed out

So I guess I'm doing something fundamentally wrong when it comes to setting up this App Runner instance role? I cannot make it work for SSM parameters or S3. What am I missing?

Extra info:

  • I am using the AWS console, so bonus points if you can provide any guidance in that context
  • The security group for my App Runner allows all outgoing traffic
1 Answer
Accepted Answer

Hello.

To connect to RDS from App Runner, App Runner must be connected to the VPC.
In other words, to connect to S3 or SSM Parameter Store from App Runner, you need to add a route to the NAT Gateway to the route table of the subnet to which App Runner is connected, or create a VPC endpoint.

https://aws.amazon.com/jp/blogs/aws/new-for-app-runner-vpc-support/

When connected to a VPC, all outbound traffic from your AppRunner service will be routed based on the VPC routing rules. Services will not have access to the public internet (including AWS APIs) unless allowed by a route to a NAT Gateway. You can also set up VPC endpoints to connect to AWS APIs such as Amazon Simple Storage Service (Amazon S3) and Amazon DynamoDB to avoid NAT traffic.

EXPERT, answered 6 months ago
AWS EXPERT, reviewed 6 months ago
  • This was, in fact, the answer!

    I was skeptical at first, because as I mention above, I already had a working RDS connection.

    But it was explained to me (I still don't really understand) that when using a plain text RDS password, it was using an internal connection to RDS. But when I switched to using SSM, it used the public internet (???).

    Anyway...

    AWS Support talked me through it. I needed to add some private subnets, a new routing table, a NAT gateway, tie all those things together, create a new App Runner VPC connector that used those subnets and then... it worked!
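The answer's diagnosis can be checked rather than guessed at. The function below is an added example (not from the question, the answer or AWS): it takes route tables and VPC endpoints in the shape the EC2 DescribeRouteTables and DescribeVpcEndpoints APIs return (here a constructed sample) and reports how a VPC-connector subnet reaches the S3 or SSM API: through a NAT gateway route, a gateway endpoint, an interface endpoint, or not at all, which is the state that produced the asker's connect timeout.

```python
def route_table_for(subnet_id, route_tables):
    """Explicit subnet association wins; otherwise the VPC's main route table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def egress_path(subnet_id, route_tables, endpoints, service):
    """Path from a connector subnet to the `service` API ("s3", "ssm"):
    "interface-endpoint", "gateway-endpoint", "nat", or None when blocked."""
    svc = "." + service
    for ep in endpoints:  # interface endpoint in this subnet, private DNS on
        if (ep["VpcEndpointType"] == "Interface" and ep["ServiceName"].endswith(svc)
                and subnet_id in ep.get("SubnetIds", []) and ep.get("PrivateDnsEnabled")):
            return "interface-endpoint"
    rt = route_table_for(subnet_id, route_tables)
    if rt is None:
        return None
    gateway_eps = {ep["VpcEndpointId"] for ep in endpoints
                   if ep["VpcEndpointType"] == "Gateway" and ep["ServiceName"].endswith(svc)}
    has_nat = False
    for route in rt["Routes"]:
        if route.get("State", "active") != "active":
            continue
        if route.get("GatewayId") in gateway_eps:
            return "gateway-endpoint"  # prefix-list route is more specific than 0.0.0.0/0
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("NatGatewayId"):
            has_nat = True
        # An igw- default route is ignored: the connector's ENIs have no public IP.
    return "nat" if has_nat else None

# Constructed sample: subnet-broken has only the VPC-local route (the asker's
# original state); subnet-fixed has a NAT route and an S3 gateway endpoint.
ROUTE_TABLES = [
    {"Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"Associations": [{"SubnetId": "subnet-fixed"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc"},
                {"DestinationPrefixListId": "pl-s3", "GatewayId": "vpce-s3"}]},
]
ENDPOINTS = [
    {"VpcEndpointId": "vpce-s3", "VpcEndpointType": "Gateway", "ServiceName": "com.amazonaws.ap-southeast-2.s3"},
    {"VpcEndpointId": "vpce-ssm", "VpcEndpointType": "Interface", "PrivateDnsEnabled": True,
     "ServiceName": "com.amazonaws.ap-southeast-2.ssm", "SubnetIds": ["subnet-broken"]},
]
```

On a real account, feed it the `RouteTables` and `VpcEndpoints` lists from `aws ec2 describe-route-tables` and `aws ec2 describe-vpc-endpoints` for each subnet selected in the App Runner VPC connector.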
