Unable to create AppRunner instance role for AWS Secrets Manager access

0

I am trying to create an instance role where AppRunner can reach out to AWS Secrets Manager to retrieve a few secrets. In the "Configure Service" section of the AppRunner setup console, it says I need to copy the following policy template to an IAM role that I would create:

AppRunner Service Configuration Menu

But when I head over to the IAM console, I try to create an AWS instance role for AppRunner, but I don't see any "use case" options for AWS AppRunner. I even tried typing in "App Runner" but still no results.

AppRunner Instance Role

No Result for AppRunner

Am I missing something here? Am I instead supposed to create a "Custom Trust Policy", and copy the policy template shown in the first screenshot?

Or was there any other way I can get AppRunner to retrieve credentials from AWS Secrets Manager?

2 Answers
1
Accepted Answer

Hello.

In that case, select Custom Trust Policy and set the trust policy below.
https://docs.aws.amazon.com/apprunner/latest/dg/security_iam_service-with-iam.html#security_iam_service-with-iam-roles

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "tasks.apprunner.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

After that, set a policy to access the copied secret manager in the IAM policy.

EXPERT
answered 5 months ago
  • Thank you, Riku! I added that trust policy and added access to SecretsManager, and AppRunner is working with Secrets Manager now. Thank you again for pointing me in the right direction!

0

Hi Riku,

Many thanks for the answer! This worked!

For anyone else that stumbles into a similar issue as I did, here are the steps I did. However, I am not sure whether the 2 permission policies I added are redundant and I only need one. Nonetheless, AppRunner worked for me after I did these steps:

  1. Logged into the IAM console
  2. Clicked the "Create role" button to create a new role
  3. As mentioned, I put the following trust policy in the text area box:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "tasks.apprunner.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
  4. Clicked the Next button
  5. I then added the SecretsManagerReadWrite permission policy, and clicked the Next button
  6. Finished creating the role
  7. Went back to the IAM Policy page, and clicked the role I just created, which I named AppRunner-Testing
  8. I then clicked the "Add permissions" button, and selected the Create inline policy option
  9. Selected Secrets Manager as the service
  10. I added all access levels from the List and Read sections. I left everything else as default, and then clicked the Next button
  11. I named the inline policy AppRunner-secrets-read and clicked the Create Policy button
  12. I viewed the created role

The content of AppRunner-secrets-read permission policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetRandomPassword",
                "secretsmanager:GetResourcePolicy",
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
                "secretsmanager:ListSecretVersionIds",
                "secretsmanager:ListSecrets",
                "secretsmanager:BatchGetSecretValue"
            ],
            "Resource": "*"
        }
    ]
}

The content of SecretsManagerReadWrite permission policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:*",
                "cloudformation:CreateChangeSet",
                "cloudformation:DescribeChangeSet",
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStacks",
                "cloudformation:ExecuteChangeSet",
                "docdb-elastic:GetCluster",
                "docdb-elastic:ListClusters",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "kms:DescribeKey",
                "kms:ListAliases",
                "kms:ListKeys",
                "lambda:ListFunctions",
                "rds:DescribeDBClusters",
                "rds:DescribeDBInstances",
                "redshift:DescribeClusters",
                "tag:GetResources"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "lambda:AddPermission",
                "lambda:CreateFunction",
                "lambda:GetFunction",
                "lambda:InvokeFunction",
                "lambda:UpdateFunctionConfiguration"
            ],
            "Resource": "arn:aws:lambda:*:*:function:SecretsManager*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "serverlessrepo:CreateCloudFormationChangeSet",
                "serverlessrepo:GetApplication"
            ],
            "Resource": "arn:aws:serverlessrepo:*:*:applications/SecretsManager*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::awsserverlessrepo-changesets*",
                "arn:aws:s3:::secrets-manager-rotation-apps-*/*"
            ]
        }
    ]
}
ziakq
answered 5 months ago
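Two things worth checking on the policies posted in this thread: that the custom trust policy from the accepted answer really lets the App Runner tasks service principal assume the role, and whether the inline AppRunner-secrets-read policy adds anything that the managed SecretsManagerReadWrite policy's "secretsmanager:*" does not already grant (the redundancy the poster was unsure about). The script below is an added example, not code from either answer or from AWS; it evaluates copies of the posted policies offline with IAM's wildcard rules, and scoped_read_policy shows a narrower alternative to Resource "*" that names only the secret ARNs the service needs (the ARN passed to it is a constructed placeholder).

```python
import fnmatch

# Constructed copy of the trust policy from the accepted answer above.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "tasks.apprunner.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}

# Actions of the inline policy AppRunner-secrets-read posted above.
SECRETS_READ_ACTIONS = [
    "secretsmanager:GetRandomPassword", "secretsmanager:GetResourcePolicy",
    "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret",
    "secretsmanager:ListSecretVersionIds", "secretsmanager:ListSecrets",
    "secretsmanager:BatchGetSecretValue"]
# The first statement of the managed SecretsManagerReadWrite policy grants "secretsmanager:*".
READ_WRITE_ACTIONS = ["secretsmanager:*", "kms:DescribeKey", "tag:GetResources"]


def _as_list(value):
    """IAM allows a single string or a list in Principal.Service and Action."""
    return [value] if isinstance(value, str) else list(value or [])


def _matches(pattern, action):
    """IAM action matching: case-insensitive, '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def trusts_apprunner_tasks(policy):
    """True if an Allow statement lets tasks.apprunner.amazonaws.com call sts:AssumeRole."""
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal") or {}
        services = _as_list(principal.get("Service") if isinstance(principal, dict) else None)
        if (stmt.get("Effect") == "Allow"
                and "tasks.apprunner.amazonaws.com" in services
                and any(_matches(a, "sts:AssumeRole") for a in _as_list(stmt.get("Action")))):
            return True
    return False


def uncovered_actions(granted_patterns, wanted_actions):
    """Actions that no granted pattern matches; an empty list means the second policy is redundant."""
    return [a for a in wanted_actions if not any(_matches(p, a) for p in granted_patterns)]


def scoped_read_policy(secret_arns):
    """Least-privilege alternative to Resource "*": only the calls a running service
    needs to fetch a secret, limited to the given secret ARNs (placeholders in the test)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
        "Resource": list(secret_arns)}]}
```

Running uncovered_actions(READ_WRITE_ACTIONS, SECRETS_READ_ACTIONS) returns an empty list, so with SecretsManagerReadWrite attached the inline read policy grants nothing extra; the managed policy is far broader than a service that only reads secrets needs, which is the case for keeping the narrow policy and dropping the managed one.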
