
I'm trying to configure the environment variables in my AWS App Runner service; the variables I need are secrets from Secrets Manager. My AWS App Runner service does not have access to read secrets from Secrets Manager unless I provide an Instance Role. No roles that pre-exist or that I create are displayed in the list of options, and I'm blocked from creating the service.

I tried creating a custom IAM role but documentation tells me that this is not possible. I tried creating custom workarounds using Lambda functions but those are too complicated to get set up.

An Instance Role has to be provided if passing in RuntimeEnvironmentSecrets.

Reference: https://docs.aws.amazon.com/apprunner/latest/dg/using-service-linked-roles-management.html

Paulie
  • "unless I provide an Instance Role" "I tried creating a custom IAM role but documentation tells me that this is not possible" what documentation? What are you creating when you say "No roles that ... or that I create..." – erik258 Apr 27 '23 at 22:11
  • I updated my question with the link to the documentation. I tried creating an IAM role with a policy that gives the App Runner service read access to Secrets Manager. There is no option for an IAM role for the App Runner service since it is a service-linked role and cannot be edited. In the App Runner configuration menu it demands an Instance Role so that App Runner has access to Secrets Manager. – Paulie Apr 27 '23 at 22:17
  • You're confusing the service role for the App Runner service and the (optional) instance role for your app itself. Read this: https://docs.aws.amazon.com/apprunner/latest/dg/security_iam_service-with-iam.html#security_iam_service-with-iam-roles "When you create your instance role, be sure to add a trust policy that declares the App Runner service principal tasks.apprunner.amazonaws.com as a trusted entity." This is probably why any roles you've created didn't show up in the list. – erik258 Apr 28 '23 at 00:01
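The last comment pins down why a hand-made role never appears in the App Runner instance-role list: the role's trust policy has to name the service principal `tasks.apprunner.amazonaws.com`, otherwise App Runner cannot assume it on the app's behalf. The following is an added example, not code from the question or from AWS: it builds the two policy documents an instance role needs (a trust policy for `tasks.apprunner.amazonaws.com` and a permissions policy limited to `secretsmanager:GetSecretValue` on named secrets) and checks an arbitrary trust policy for that principal. The role names, the `SECRET_ARN` placeholder and the `SAMPLE_ROLES` dictionary are constructed for the example; the functions `instance_role_trust_policy`, `secret_read_policy`, `trusts_app_runner_tasks` and `eligible_instance_roles` are the example's own names.

```python
import json

# Service principal that App Runner uses to assume the *instance* role
# (from the documentation linked in the comments). This is distinct from
# the service-linked role the question mentions, which cannot be edited.
APP_RUNNER_TASKS_PRINCIPAL = "tasks.apprunner.amazonaws.com"

# Placeholder secret ARN (constructed for this example; replace with your own).
SECRET_ARN = (
    "arn:aws:secretsmanager:us-east-1:123456789012:secret:PLACEHOLDER-DbPassword-AbCdEf"
)


def instance_role_trust_policy() -> dict:
    """Trust policy an App Runner instance role must carry."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": APP_RUNNER_TASKS_PRINCIPAL},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def secret_read_policy(secret_arns: list) -> dict:
    """Least-privilege permissions policy: read only the listed secrets."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["secretsmanager:GetSecretValue"],
                "Resource": list(secret_arns),
            }
        ],
    }


def _as_list(value) -> list:
    """IAM allows a string or a list in Action/Principal fields."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def trusts_app_runner_tasks(trust_policy: dict) -> bool:
    """True if some Allow statement lets tasks.apprunner.amazonaws.com assume the role."""
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if APP_RUNNER_TASKS_PRINCIPAL in services:
            return True
    return False


def eligible_instance_roles(roles: dict) -> list:
    """Names of roles (name -> trust policy) that App Runner could use as an instance role."""
    return sorted(name for name, trust in roles.items() if trusts_app_runner_tasks(trust))


# Constructed sample: one role built correctly, one EC2-style role that will
# never show up in the App Runner instance-role dropdown.
SAMPLE_ROLES = {
    "AppRunnerSecretsRole": instance_role_trust_policy(),
    "MyEc2Role": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": "ec2.amazonaws.com"},
                "Action": "sts:AssumeRole",
            }
        ],
    },
}

if __name__ == "__main__":
    print("Trust policy:", json.dumps(instance_role_trust_policy(), indent=2))
    print("Permissions policy:", json.dumps(secret_read_policy([SECRET_ARN]), indent=2))
    for name, trust in SAMPLE_ROLES.items():
        print(f"{name}: usable as instance role = {trusts_app_runner_tasks(trust)}")
```

The two documents are what you attach when creating the role (trust policy at role creation, permissions policy as an inline or managed policy); keeping the `Resource` list to the specific secret ARNs rather than `*` means a compromised container can read only the secrets the service actually needs.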

0 Answers