1 Answer
1
I got it solved.
Thanks to the hint from Kiran_K I took a look at the events in CloudTrail and found that during creation/deployment of my service App Runner tries to assume the mentioned AppRunnerECRAccessRole role. However, that fails due to the following exception: "STS is not activated in this region".
I enabled STS for my region (eu-west-1) according to https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#sts-regions-activate-deactivate.
That helped and now the creation/deployment works fine!
Answered 2 years ago
Is your private ECR repository in the same AWS account as App Runner? Are there any repository-level policies that might deny access to App Runner?
Hi,
As referred here [1], AccessRoleArn: the Amazon Resource Name (ARN) of the IAM role that grants the App Runner service access to a source repository. As explained here [2], "Pulling an image from ECR": Amazon ECR requires that users have permission to make calls to the ecr:GetAuthorizationToken API through an IAM policy before they can authenticate to a registry and push or pull any images from any Amazon ECR repository.

Please check the CloudTrail logs for the API call GetAuthorizationToken and try to get more information on the image pull issue from ECR. Also search for BatchGetImage in the CloudTrail log; I hope you will find information for the next steps from there, like fixing the permissions issue, etc. Also find the list of ECR API references in [3], which will be helpful for troubleshooting ECR issues.

[1] https://docs.aws.amazon.com/apprunner/latest/api/API_CreateService.html
[2] https://docs.aws.amazon.com/AmazonECR/latest/userguide/docker-pull-ecr-image.html
[3] https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_Operations.html
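The CloudTrail check described in the posts above, as an added example that is not part of the original thread: it filters a CloudTrail log file for failed AssumeRole, GetAuthorizationToken and BatchGetImage calls. The records, the account ID and the error code names are constructed sample data; only the error message and the role name come from the thread.

```python
import json

# Calls named in the thread: the role assumption and the two ECR pull calls.
WATCHED = {("sts.amazonaws.com", "AssumeRole"),
           ("ecr.amazonaws.com", "GetAuthorizationToken"),
           ("ecr.amazonaws.com", "BatchGetImage")}

def rec(time, source, name, region, error=None, message=None, role=None):
    """Build one constructed CloudTrail-style record (sample data only)."""
    r = {"eventTime": time, "eventSource": source, "eventName": name,
         "awsRegion": region,
         "userIdentity": {"invokedBy": "apprunner.amazonaws.com"},
         "requestParameters": {"roleArn": role} if role else None}
    if error:
        r["errorCode"], r["errorMessage"] = error, message
    return r

# Constructed sample in the CloudTrail log-file layout ({"Records": [...]}).
# The account ID is a placeholder; error codes are assumed for illustration.
ROLE = "arn:aws:iam::111122223333:role/AppRunnerECRAccessRole"
SAMPLE = json.dumps({"Records": [
    rec("2023-01-01T10:00:05Z", "ecr.amazonaws.com", "BatchGetImage",
        "us-east-1", "AccessDenied", "constructed message"),
    rec("2023-01-01T10:00:00Z", "sts.amazonaws.com", "AssumeRole", "eu-west-1",
        "RegionDisabledException", "STS is not activated in this region", ROLE),
    rec("2023-01-01T10:00:02Z", "ecr.amazonaws.com", "GetAuthorizationToken",
        "eu-west-1"),
    rec("2023-01-01T10:00:03Z", "s3.amazonaws.com", "GetObject", "eu-west-1",
        "AccessDenied", "constructed message"),
]})

def failed_pull_calls(log_text, region=None):
    """Return watched calls that carry an errorCode, oldest first."""
    hits = []
    for r in json.loads(log_text).get("Records", []):
        if (r.get("eventSource"), r.get("eventName")) not in WATCHED:
            continue
        if "errorCode" not in r:  # successful calls carry no errorCode
            continue
        if region and r.get("awsRegion") != region:
            continue
        params = r.get("requestParameters") or {}  # null on some events
        hits.append({"time": r["eventTime"], "region": r["awsRegion"],
                     "call": r["eventSource"].split(".")[0] + ":" + r["eventName"],
                     "error": r["errorCode"], "message": r.get("errorMessage"),
                     "role": params.get("roleArn")})
    return sorted(hits, key=lambda h: h["time"])

if __name__ == "__main__":
    for h in failed_pull_calls(SAMPLE, region="eu-west-1"):
        print(h["time"], h["call"], h["error"], h["message"], h["role"])
```
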