Missing (resource) permission in AWSAppRunnerFullAccess causes failure when calling the CreateVpcConnector operation


Not really a question, more of a 'bug report'. A solution is provided in this post. arn:aws:iam::aws:policy/AWSAppRunnerFullAccess is missing the permission to create the AWSServiceRoleForAppRunnerNetworking service role. That makes it impossible to create a VPC connector despite using the FullAccess policy. The error message doesn't really help, as the policy it points to is in fact attached.

Steps to reproduce:

  1. Use a user or assume a role with AWSAppRunnerFullAccess permissions.
  2. Run:

     aws apprunner create-vpc-connector --vpc-connector-name test-vpc-connector --subnets <subnets> --security-groups <security-groups>

The command produces the following error: "An error occurred (InvalidRequestException) when calling the CreateVpcConnector operation: AccessDenied. Couldn't create a service-linked role for App Runner. When creating the first vpc connector in the account, caller must have the 'iam:CreateServiceLinkedRole' permission. Use the 'AWSAppRunnerFullAccess' managed user policy to ensure users have all required permissions."

Temporary solution: add an additional policy that allows iam:CreateServiceLinkedRole on resource arn:aws:iam::*:role/aws-service-role/apprunner.amazonaws.com/AWSServiceRoleForAppRunner.

Long term, I believe it should be added to AWSAppRunnerFullAccess.
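The following is an added, offline illustration and is not code from the original post or from AWS. It encodes the temporary fix above as a policy document and runs a minimal local IAM-style evaluation (explicit Deny wins, any Allow grants, otherwise implicit deny; conditions and NotAction/NotResource are not modelled) so the missing grant is caught before the CreateVpcConnector call. The AWSAppRunnerFullAccess stand-in, the account id and the VPC connector ARN are constructed for the example; the real managed policy document is not reproduced here.

```python
"""Pre-flight check for the CreateVpcConnector permission gap (added example)."""
import fnmatch
import json

# Constructed stand-in for the managed policy: App Runner API actions only.
# The real AWSAppRunnerFullAccess document is NOT reproduced here (assumption).
APPRUNNER_FULL_ACCESS_STANDIN = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "apprunner:*", "Resource": "*"},
    ],
}

# The supplementary policy the post proposes as a temporary fix.
SERVICE_LINKED_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/"
                        "apprunner.amazonaws.com/AWSServiceRoleForAppRunner",
        }
    ],
}

# Constructed sample ARNs (account id 123456789012 is a placeholder).
SERVICE_LINKED_ROLE_ARN = (
    "arn:aws:iam::123456789012:role/aws-service-role/"
    "apprunner.amazonaws.com/AWSServiceRoleForAppRunner"
)
VPC_CONNECTOR_ARN = (
    "arn:aws:apprunner:us-east-1:123456789012:vpcconnector/test-vpc-connector"
)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, target, fold_case=False):
    # IAM Action and Resource strings use '*' and '?' wildcards; fnmatch covers
    # that. IAM action names are case-insensitive, so fold them when asked.
    if fold_case:
        target = target.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(target, p) for p in patterns)


def is_allowed(policies, action, resource):
    """Simplified identity-policy evaluation for one action/resource pair."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(_as_list(stmt["Action"]), action, fold_case=True)
                    and _matches(_as_list(stmt["Resource"]), resource)):
                continue
            if stmt["Effect"] == "Deny":
                return False          # explicit Deny always wins
            allowed = True
    return allowed                    # no matching Allow -> implicit deny


def preflight(policies):
    """Return pass/fail per permission the first CreateVpcConnector needs."""
    checks = {
        "apprunner:CreateVpcConnector": ("apprunner:CreateVpcConnector", VPC_CONNECTOR_ARN),
        "iam:CreateServiceLinkedRole": ("iam:CreateServiceLinkedRole", SERVICE_LINKED_ROLE_ARN),
    }
    return {name: is_allowed(policies, act, res) for name, (act, res) in checks.items()}


def policy_document():
    """JSON to hand to `aws iam put-user-policy ... --policy-document file://...`."""
    return json.dumps(SERVICE_LINKED_ROLE_POLICY, indent=2)


if __name__ == "__main__":
    print("FullAccess only:      ", preflight([APPRUNNER_FULL_ACCESS_STANDIN]))
    print("FullAccess + SLR fix: ",
          preflight([APPRUNNER_FULL_ACCESS_STANDIN, SERVICE_LINKED_ROLE_POLICY]))
    print(policy_document())
```

The first `preflight` call reproduces the situation in the post (API action granted, service-linked-role creation not), and the second shows the gap closed once the supplementary policy is attached. Scoping the grant to the single service-linked role ARN, rather than `iam:CreateServiceLinkedRole` on `*`, keeps the added permission minimal.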

