access S3 from dockerised App Runner dotnet app


Hi there, I have been struggling with this for some time and the docs are not particularly helpful.

I have a simple .NET Web API that periodically calls S3. I have it all running fine locally, but when I deploy it to App Runner (container mode) I get

Unable to get IAM security credentials from EC2 Instance Metadata Service.

whenever I try to access S3.

In program.cs I set up AWS services as follows


and I have a default profile set in appsettings.config

"AWS": {
    "Profile": "default",
    "Region": "eu-west-1"
}

As mentioned earlier, this all runs fine on my local machine.

The App Runner has a role with the following attached

    "Version": "2012-10-17",
    "Statement": [
            "Effect": "Allow",
            "Action": [
            "Resource": "*"
    "Version": "2012-10-17",
    "Statement": [
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [

Trust Relationship

    "Version": "2012-10-17",
    "Statement": [
            "Effect": "Allow",
            "Principal": {
                "Service": [
            "Action": "sts:AssumeRole"

I understand roles should be more locked down, but atm I am trying everything to diagnose the issue.

I also have a VPC created with some subnets and endpoint.

Can someone point me in the right direction?
