I'm trying to deploy an App Runner service with AWS CDK that is connected to a Github repo, and auto deploys the code in that repo every time a change is made to the code within it. I was looking at the AWS CDK documentation, and I used the example provided here: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apprunner.CfnService.html
In my code, I am creating an App Runner IAM role that has the permissions to query AWS secrets manager. I am then creating a wait condition to wait until the IAM role has been created, and then connect ingthe Access Role ARN of the newly created App Runner IAM role to the App Runner service that I am creating after the IAM role.
import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as apprunner from 'aws-cdk-lib/aws-apprunner'
import * as iam from 'aws-cdk-lib/aws-iam';
export class CdkStack extends cdk.Stack {
constructor(scope: Construct, id: string, props?: cdk.StackProps) {
super(scope, id, props);
// Create an IAM role for App runner
const appRunnerRole = new iam.Role(this, 'AppRunnerRoleTesting', {
assumedBy: new iam.ServicePrincipal('apprunner.amazonaws.com'),
});
// Attach the AWSAppRunnerServicePolicy managed policy
appRunnerRole.attachInlinePolicy(new iam.Policy(this, 'AWSAppRunnerServicePolicy', {
statements: [new iam.PolicyStatement({
actions: [
"apprunner:DescribeService",
"secretsmanager:GetRandomPassword",
"secretsmanager:GetResourcePolicy",
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
"secretsmanager:ListSecretVersionIds",
"secretsmanager:ListSecrets",
"secretsmanager:BatchGetSecretValue"],
resources: ['*'],
})],
}));
// Output the IAM role ARNc
new cdk.CfnOutput(this, 'AppRunnerRoleArn', {
value: appRunnerRole.roleArn,
});
// Create a Wait Condition Handle to signal the completion of IAM role creation
const waitConditionHandle = new cdk.CfnWaitConditionHandle(this, 'WaitConditionHandle');
// Create a Wait Condition to wait for IAM role creation completion
const waitCondition = new cdk.CfnWaitCondition(this, 'WaitCondition', {
count: 0,
handle: waitConditionHandle.ref,
timeout: '120', // Adjust as needed
});
// Signal the Wait Condition when the IAM role creation is complete
appRunnerRole.node.addDependency(waitCondition);
// Create the App Runner service
const cfnService = new apprunner.CfnService(this, 'MyCfnService', {
sourceConfiguration: {
authenticationConfiguration: {
accessRoleArn: appRunnerRole.roleArn,
},
autoDeploymentsEnabled: true,
codeRepository: {
repositoryUrl: 'https://github.com/mygitrepo',
sourceCodeVersion: {
type: 'BRANCH',
value: 'main',
},
// the properties below are optional
codeConfiguration: {
configurationSource: 'REPOSITORY',
// the properties below are optional
codeConfigurationValues: {
runtime: 'NODEJS_16',
// the properties below are optional
buildCommand: 'npm install',
port: 'port',
runtimeEnvironmentSecrets: [{
name: 'name',
value: 'value',
}],
runtimeEnvironmentVariables: [{
name: 'name',
value: 'value',
}],
startCommand: 'node app.js',
},
},
},
},
// the properties below are optional
instanceConfiguration: {
cpu: '256',
instanceRoleArn: appRunnerRole.roleArn,
memory: '512',
},
networkConfiguration: {
ingressConfiguration: {
isPubliclyAccessible: true,
},
ipAddressType: 'IPV4',
},
serviceName: 'serviceName',
tags: [{
key: 'key',
value: 'value',
}],
});
cfnService.node.addDependency(appRunnerRole);
}
}
Note that I've redacted the Github repo for the "repositoryUrl" field for the App Runner service. But when I try to run this via "cdk deploy", I keep getting this error:
Do you wish to deploy these changes (y/n)? y
CdkStack: deploying... [1/1]
CdkStack: creating CloudFormation changeset...
8:51:02 AM | CREATE_FAILED | AWS::AppRunner::Service | MyCfnService
Resource handler returned message: "Error in assuming access role arn:aws:iam::<REDACTED>:role/CdkStack-AppRunnerRoleTestingEE644DF4-aM6ZIsSrivEy (Service: AppRunner, Status Code: 400, Request ID: <REDACTED>)" (RequestToken: <REDACTED>, HandlerErrorCode: InvalidRequest)
Is there any workaround for this error? Or was there a better way to create an AWS App Runner service using AWS CDK?
Thanks in advance!
Hi Vaikiri,
Thanks for reaching out.
I made the changes to the code, but I'm still getting this error. I will go ahead and submit a support case with the CDK team.