App Runner not being able to read values from SSM

0

I'm trying to create an App Runner instance with Terraform, passing some aws_ssm_parameter values as runtime_environment_secrets, but I'm getting this error:

05-31-2023 07:36:47 AM [AppRunner] App Runner service initialization failed as parameters can't be retrieved due to the following error - ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve secrets from ssm: service call has been retried 1 time(s): AccessDeniedException: User: arn:aws:sts::[ACCOUNTNUMBER]:assumed-role/[APPRUNNERINSTANCE] is not authorized to perform: ssm:GetParameters on resource: arn:aws:ssm:us-east-1:[ACCOUNTNUMBER]:parameter/[RESOURCEPATH] because no identity-based policy allows the ssm:GetParameters action status code: 400

My Terraform configuration is similar to this:

module "module_name" {
  source = "terraform-aws-modules/app-runner/aws"

  service_name = "${local.environment}-${local.namespace}"

  auto_scaling_configuration_arn = aws_apprunner_auto_scaling_configuration_version.[autoscaling].arn

  source_configuration = {
    # Access role: App Runner assumes this to pull the image from ECR.
    authentication_configuration = {
      access_role_arn = local.access_role_arn
    }
    image_repository = {
      image_identifier      = "[id]"
      image_repository_type = "ECR"

      image_configuration = {
        port = [port]
        runtime_environment_variables = {
          [env vars]
        }
        # Resolved by App Runner at start-up using the instance role below.
        runtime_environment_secrets = {
          "SECRET_ENV_VAR" = data.aws_ssm_parameter.secret_env_var.arn
        }
      }
    }
  }

  instance_configuration = {
    # Currently the same role as the access role.
    instance_role_arn = local.access_role_arn
  }

  [VPC AND NETWORK CONFIG]
}

The role referenced in local.access_role_arn already has the AmazonSSMReadOnlyAccess policy attached and I tried adding a custom one that has all of "ssm:GetParametersByPath", "ssm:GetParameters", and "ssm:GetParameter".

I tried to use the role in both instance_role_arn and access_role_arn.

What am I missing? How can I get access to SSM parameters from App Runner?

2 Answers
0

Ensure the role also has access to the KMS key used to decrypt the SecureString.

answered a year ago
0

Hello,

I haven't used App Runner much myself, but I was looking at this documentation to understand how IAM interacts with App Runner. This is what I understand from that documentation regarding the two IAM roles you described in your question, the access role and the instance role:

The **access role** is a role that App Runner uses for accessing images in Amazon Elastic Container Registry (Amazon ECR) in your account.

The **instance role** is an optional role that App Runner uses to provide permissions to AWS service actions that your service's compute instances need. You need to provide an instance role to App Runner if your application code calls AWS actions (APIs). When you create your instance role, be sure to add a trust policy that declares the App Runner service principal tasks.apprunner.amazonaws.com as a trusted entity:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "tasks.apprunner.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

One example of the above policy (to access DynamoDB, though) is shared in this GitHub link here. You could also look at this workshop describing how to integrate App Runner with other AWS services like DynamoDB, which uses the above GitHub repository.

So in essence, please create two separate roles, for access and for the instance respectively. Since your Terraform code shows you are using images in ECR, your access role will require just the AWSAppRunnerServicePolicyForECRAccess managed policy, and then double-check that your instance role has the service principal tasks.apprunner.amazonaws.com as a trusted entity.

Please let me know how this goes and if I could be of any more help.

Thanks, Manish

Manish
answered a year ago
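The following is an added Terraform example, not the asker's configuration or code from the terraform-aws-modules/app-runner module, showing the two separate roles the second answer recommends together with the KMS permission the first answer points out. The access role is trusted by the build.apprunner.amazonaws.com principal and carries only the ECR access managed policy; the instance role is trusted by tasks.apprunner.amazonaws.com and is scoped to the one parameter the service references plus kms:Decrypt on its key. The role names, the aws_kms_key.ssm resource and the reuse of data.aws_ssm_parameter.secret_env_var from the question are assumptions for illustration.

```hcl
# Added example (not the asker's code or the module's own code).
# Two IAM roles for one App Runner service: an access role for pulling the
# image and an instance role that resolves runtime_environment_secrets.
# Names such as "demo-apprunner-*" and the aws_kms_key.ssm resource are assumed.

# --- Access role: App Runner itself assumes this to pull from ECR. ---
data "aws_iam_policy_document" "access_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["build.apprunner.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "access" {
  name               = "demo-apprunner-access" # assumed name
  assume_role_policy = data.aws_iam_policy_document.access_trust.json
}

# Only the ECR access policy, as the second answer recommends.
resource "aws_iam_role_policy_attachment" "access_ecr" {
  role       = aws_iam_role.access.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSAppRunnerServicePolicyForECRAccess"
}

# --- Instance role: the identity named in the AccessDeniedException. ---
# This is the principal App Runner uses to call ssm:GetParameters at start-up.
data "aws_iam_policy_document" "instance_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["tasks.apprunner.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "instance" {
  name               = "demo-apprunner-instance" # assumed name
  assume_role_policy = data.aws_iam_policy_document.instance_trust.json
}

# Least privilege: just the parameter(s) this service references, plus
# kms:Decrypt on the key that protects them (SecureString parameters).
data "aws_iam_policy_document" "instance_secrets" {
  statement {
    sid       = "ReadOwnParameters"
    actions   = ["ssm:GetParameters"]
    resources = [data.aws_ssm_parameter.secret_env_var.arn] # from the question
  }

  statement {
    sid       = "DecryptParameterKey"
    actions   = ["kms:Decrypt"]
    resources = [aws_kms_key.ssm.arn] # assumed: the CMK used for the SecureString
  }
}

resource "aws_iam_role_policy" "instance_secrets" {
  name   = "read-runtime-secrets"
  role   = aws_iam_role.instance.id
  policy = data.aws_iam_policy_document.instance_secrets.json
}
```

In the module call from the question, access_role_arn would then point at aws_iam_role.access.arn and instance_role_arn at aws_iam_role.instance.arn instead of both sharing local.access_role_arn. The kms:Decrypt statement is what the first answer is referring to: a SecureString encrypted with a customer managed key cannot be read by ssm:GetParameters alone, and the resulting failure surfaces as a parameter-retrieval error rather than a KMS error, so it is worth checking the key policy as well as the role policy when the error persists.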
