AWS App Runner - Error in assuming instance role

Eva*_*tti 3 amazon-web-services amazon-iam terraform terraform-provider-aws amazon-app-runner

When running my TF script to create an AWS App Runner service, I get this error:

InvalidRequestException: Error in assuming instance role arn:aws:iam::000000000000:role/MyAppRunnerServiceRole

I created the role's trust policy using AppRunnerECRAccessRole as a reference, which is auto-generated by the console, but whether I use that or my own version below, I run into the same problem.

Here's my TF code:

### IAM ###

resource "aws_iam_role" "app_runner" {
  name = "MyAppRunnerServiceRole"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          Service = "build.apprunner.amazonaws.com"
        }
      },
    ]
  })
}

resource "aws_iam_role_policy_attachment" "app_runner" {
  role       = aws_iam_role.app_runner.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSAppRunnerServicePolicyForECRAccess"
}

### App Runner ###

resource "aws_apprunner_service" "main" {
  service_name = "sandbox-service"

  source_configuration {
    image_repository {
      image_configuration {
        port = "5000"
      }
      image_identifier      = "${aws_ecr_repository.main.repository_url}:latest"
      image_repository_type = "ECR"
    }
  }

  instance_configuration {
    instance_role_arn = aws_iam_role.app_runner.arn
  }

}

This is the AppRunnerECRAccessRole which is auto-generated by the Console when creating a new App Runner service. I would assume this same configuration would work, but it doesn't.


Mar*_*o E 8

It seems your code confuses the access role with the instance role. According to the AWS documentation [1], you need to change the trust policy to:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "tasks.apprunner.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

The permissions policy can probably stay the same, but for completeness of the answer it should look like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:DescribeImages",
        "ecr:GetAuthorizationToken"
      ],
      "Resource": "*"
    }
  ]
}

Of course, you can restrict everything except ecr:GetAuthorizationToken to your ECR repository; ecr:GetAuthorizationToken must be set to "Resource": "*".

Update: the access role ("build.apprunner.amazonaws.com") belongs in the source configuration section of the service:

resource "aws_apprunner_service" "example" {
  source_configuration {
    authentication_configuration {
      access_role_arn = aws_iam_role.access_role.arn
    }
  }
}

[1] https://docs.aws.amazon.com/apprunner/latest/dg/security_iam_service-with-iam.html#security_iam_service-with-iam-roles-service.instance
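A complete layout that keeps the two roles apart, as an added example rather than code from the question or the answer: the access role (trusted by build.apprunner.amazonaws.com, carrying the ECR pull permissions) goes under authentication_configuration, and a separate instance role (trusted by tasks.apprunner.amazonaws.com, carrying only what the application itself needs) goes under instance_configuration. The role names, the SSM parameter path, the port and the aws_ecr_repository.main resource are assumptions.

```hcl
# Added example, not the original poster's or the answerer's code.
# Assumes an aws_ecr_repository.main resource exists in the same configuration.

### Access role: App Runner's build/deploy side assumes it to pull the image ###

data "aws_iam_policy_document" "access_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["build.apprunner.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "access_role" {
  name               = "MyAppRunnerAccessRole" # assumed name
  assume_role_policy = data.aws_iam_policy_document.access_trust.json
}

resource "aws_iam_role_policy_attachment" "access_role_ecr" {
  role       = aws_iam_role.access_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSAppRunnerServicePolicyForECRAccess"
}

### Instance role: the running tasks (your application code) assume it ###

data "aws_iam_policy_document" "instance_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["tasks.apprunner.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "instance_role" {
  name               = "MyAppRunnerInstanceRole" # assumed name
  assume_role_policy = data.aws_iam_policy_document.instance_trust.json
}

# Least privilege: grant the application only what it needs at runtime.
# Reading one SSM parameter path is an assumed example of such a need.
data "aws_iam_policy_document" "instance_permissions" {
  statement {
    effect    = "Allow"
    actions   = ["ssm:GetParameter", "ssm:GetParametersByPath"]
    resources = ["arn:aws:ssm:*:*:parameter/sandbox-service/*"]
  }
}

resource "aws_iam_role_policy" "instance_permissions" {
  name   = "sandbox-service-runtime"
  role   = aws_iam_role.instance_role.id
  policy = data.aws_iam_policy_document.instance_permissions.json
}

### App Runner service: each role in its own slot ###

resource "aws_apprunner_service" "main" {
  service_name = "sandbox-service"

  source_configuration {
    # Access role: used by App Runner to authenticate against ECR.
    authentication_configuration {
      access_role_arn = aws_iam_role.access_role.arn
    }
    image_repository {
      image_configuration {
        port = "5000"
      }
      image_identifier      = "${aws_ecr_repository.main.repository_url}:latest"
      image_repository_type = "ECR"
    }
  }

  # Instance role: assumed by tasks.apprunner.amazonaws.com for the app itself.
  instance_configuration {
    instance_role_arn = aws_iam_role.instance_role.arn
  }

  # The ECR policy must be attached before the service tries to pull the image.
  depends_on = [aws_iam_role_policy_attachment.access_role_ecr]
}
```

The depends_on on the policy attachment is there because Terraform otherwise only orders the service after the role itself, not after the attachment, and a service created against a role that cannot yet read ECR fails at deploy time. Keeping the instance role's permissions separate from the access role's also means a compromised application container gains no ECR pull rights it does not need.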