App Runner Instance Role Problems

0

Hello,

I have an application running in App Runner. It's all been working ok - happy with the service.

I recently wanted to use SSM parameter store to securely store the RDS database password. At the moment, it's stored in plain text as an environment variable in App Runner.

So I created my SSM parameter: I've created the parameter as a SecureString using the default KMS key for the account.

Then, I created an instance role for App Runner. Policies are:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:Describe*",
                "ssm:Get*",
                "ssm:List*"
            ],
            "Resource": "*"
        }
    ]
}

and

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": "*"
        }
    ]
}

and the trust entities:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "tasks.apprunner.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

And then I updated the configuration of App Runner to use this SSM parameter and the instance role.

But my application keeps failing to start... it says it can't connect to the database. I can't see anything else in the logs about SSM, but I assume that is the problem.

After spending half a day on this, I gave up and went back to storing the RDS password as a plain text environment variable. Everything works again.

But now I need my application to access S3. So I again added a policy to the instance role. This time the AwsS3FullAccess role.

My application starts, but I get a timeout when I use the functionality that tries to access S3:

Caused by: software.amazon.awssdk.core.exception.SdkClientException: Unable to execute HTTP request: Connect to s3.ap-southeast-2.amazonaws.com:443 [blah blah] failed: Connect timed out

So I guess I'm doing something fundamentally wrong when it comes to setting up this App Runner instance role? I cannot make it work for SSM parameters or S3. What am I missing?

Extra info:

  • I am using the AWS console, so bonus points if you can provide any guidance in that context
  • The security group for my App Runner allows all outgoing traffic
edX
Asked 6 months ago | 346 views
1 Answer
0
Accepted Answer

Hello.

To connect to RDS from App Runner, App Runner must be connected to the VPC.
In other words, to connect to S3 or SSM Parameter Store from App Runner, you need to add a route to the NAT Gateway to the route table of the subnet to which App Runner is connected, or create a VPC endpoint.

https://aws.amazon.com/jp/blogs/aws/new-for-app-runner-vpc-support/

When connected to a VPC, all outbound traffic from your AppRunner service will be routed based on the VPC routing rules. Services will not have access to the public internet (including AWS APIs) unless allowed by a route to a NAT Gateway. You can also set up VPC endpoints to connect to AWS APIs such as Amazon Simple Storage Service (Amazon S3) and Amazon DynamoDB to avoid NAT traffic.

Expert
Answered 6 months ago
AWS
Expert
Reviewed 6 months ago
  • This was, in fact, the answer!

    I was skeptical at first, because as I mentioned above, I already had a working RDS connection.

    But it was explained to me (I still don't really understand) that when using a plain text RDS password, it was using an internal connection to RDS. But when I switched to using SSM, it used the public internet (???).

    Anyway...

    AWS Support talked me through it. I needed to add some private subnets, a new routing table, a NAT gateway, tie all those things together, create a new App Runner VPC connector that used those subnets and then... it worked!
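The answer and the follow-up both come down to one question: does the subnet behind the App Runner VPC connector have any egress path to the S3 and SSM APIs? The following added example (not from the post, AWS Support or AWS) makes that check from the JSON shapes returned by `aws ec2 describe-route-tables` and `aws ec2 describe-vpc-endpoints`; the subnet, route table, NAT gateway and endpoint IDs are constructed sample values.

```python
# Added example (not from the post): decide how a VPC-connector subnet reaches the S3 and SSM
# APIs from the JSON that `aws ec2 describe-route-tables` / `describe-vpc-endpoints` return.
REGION = "ap-southeast-2"

def route_table_for(subnet_id, route_tables):
    """An explicit subnet association wins; otherwise the VPC's main route table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def egress_paths(subnet_id, route_tables, vpc_endpoints, services=("s3", "ssm")):
    """Return {service: 'nat' | 'gateway-endpoint' | 'interface-endpoint' | None}."""
    rt = route_table_for(subnet_id, route_tables)
    routes = rt["Routes"] if rt else []
    has_nat = any(r.get("DestinationCidrBlock") == "0.0.0.0/0" and "NatGatewayId" in r
                  for r in routes if r.get("State", "active") == "active")
    # Gateway endpoints (S3, DynamoDB) appear as prefix-list routes whose target is a vpce-* id.
    gw_targets = {r["GatewayId"] for r in routes
                  if "DestinationPrefixListId" in r and r.get("GatewayId", "").startswith("vpce-")}
    result = {}
    for svc in services:
        path = None
        for ep in vpc_endpoints:
            if ep.get("ServiceName") != f"com.amazonaws.{REGION}.{svc}" or ep.get("State") != "available":
                continue
            if ep["VpcEndpointType"] == "Gateway" and ep["VpcEndpointId"] in gw_targets:
                path = "gateway-endpoint"
            elif ep["VpcEndpointType"] == "Interface" and subnet_id in ep.get("SubnetIds", []):
                path = "interface-endpoint"
        result[svc] = path or ("nat" if has_nat else None)  # None = the SDK call will time out
    return result

# Constructed sample data: the asker's broken subnet (only the main table's local route) beside a
# fixed subnet whose table has a 0.0.0.0/0 route to a NAT gateway, plus one SSM interface endpoint.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "VpcId": "vpc-1", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
    {"RouteTableId": "rtb-private", "VpcId": "vpc-1",
     "Associations": [{"SubnetId": "subnet-fixed", "Main": False}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1", "State": "active"}]},
]
VPC_ENDPOINTS = [{"VpcEndpointId": "vpce-ssm", "VpcEndpointType": "Interface", "State": "available",
                  "ServiceName": f"com.amazonaws.{REGION}.ssm", "SubnetIds": ["subnet-broken"]}]
```

Run `egress_paths("subnet-broken", ROUTE_TABLES, VPC_ENDPOINTS)` to see the failing case: SSM is reachable through the interface endpoint but S3 has no path at all, which is the timeout from the question.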
