En utilisant AWS re:Post, vous acceptez les AWS re:Post Conditions d’utilisation
AWS re:Postre:Post

Missing (resource) permission in AWSAppRunnerFullAccess causes failure when calling the CreateVpcConnector operation

0

Not really a question, more of a 'bug report'. Solution is provided in this post. arn:aws:iam::aws:policy/AWSAppRunnerFullAccess is missing permission to create AWSServiceRoleForAppRunnerNetworking service role. That makes it impossible to create vpc connector despite using FullAccess policy. Error message doesn't really help, as pointed by it policy is in fact attached.

Steps to reproduce:

  1. Use user or assume role with AWSAppRunnerFullAccess permissions.
  2. Run
aws apprunner create-vpc-connector --vpc-connector-name test-vpc-connector --subnets <subnets> --security-groups <security-groups>

Command produces following error: "An error occurred (InvalidRequestException) when calling the CreateVpcConnector operation: AccessDenied. Couldn't create a service-linked role for App Runner. When creating the first vpc connector in the account, caller must have the 'iam:CreateServiceLinkedRole' permission. Use the 'AWSAppRunnerFullAccess' managed user policy to ensure users have all required permissions."

Temporary solution: add additional policy with Allow iam:CreateServiceLinkedRole on resource arn:aws:iam::*:role/aws-service-role/apprunner.amazonaws.com/AWSServiceRoleForAppRunner.

Long term, I believe it should be added to AWSAppRunnerFullAccess.

Sujets
Sécurité, identité et conformitéGestion et gouvernanceCalculConteneurs
Balises
Gestion des identités et des accès AWSInterface à ligne de commande AWSAWS App RunnerPolitiques IAM
Langue
English
Pszem
demandé il y a 2 ans702 vues
2 réponses
0
Réponse acceptée

Temporary solution: add additional policy with Allow iam:CreateServiceLinkedRole on resource arn:aws:iam::*:role/aws-service-role/apprunner.amazonaws.com/AWSServiceRoleForAppRunner.

Long term - to be fixed by AWS :)

Pszem
répondu il y a 2 ans
0

I'm using CDK and I added the allow the statement to both cdk-qualifier-cfn-exec-role-*****-region and cdk-qualifier-deploy-role-*****-region yet it still fail. When deploying with CDK which role should contain this policy statement?

Resource handler returned message: "AccessDenied. Couldn't create a service-linked role for App Runner. When creating the first vpc connector in the account, caller must have the 'iam:CreateServiceLinkedRole' permission. Use the 'AWSAppRunnerFullAccess' managed user policy to ensure users have all required permissions.

Temporary solution: add additional policy with Allow iam:CreateServiceLinkedRole on resource arn:aws:iam::*:role/aws-service-role/apprunner.amazonaws.com/AWSServiceRoleForAppRunner. Long term - to be fixed by AWS :)

muhamadto
répondu il y a 3 mois

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions

Contenus pertinents