Hey Luke,
AppRunnerRDSAccessRole is the default role for App Runner services. It should exist in every AWS account, but in case it doesn’t, a new role that will work with AppRunner can be created.
There are 2 ways to create a new role:
1. Creating a new role via AWS-CLI
2. Editing existing role to work with AppRunner service
Creating a new role via AWS-CLI:
- Create a file called trust-policy.json, and paste in the following trust relationship:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "tasks.apprunner.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

- Open your terminal in the directory where trust-policy.json is stored and use the create-role command:

    aws iam create-role --role-name velo-external-db-adapter --assume-role-policy-document file://trust-policy.json

- Then you should see the new role in the roles list and in the App Runner configuration screen under security - instance role list. Don’t forget to attach the needed permissions.
Editing existing role to work with AppRunner service:
- Create a new role, no matter for which AWS service
- Then look for it in the role list and click on it
- Click on the Trust relationships tab, and click on edit trust relationship.
- Paste the following Policy Document:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "tasks.apprunner.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

- Click on Update Trust Policy
- Attach the needed permission (according to the docs)
That’s it, you should see the role in the App Runner configuration screen under the security - instance list.
Let us know if you succeeded.
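
A check for the trust relationship described in the reply above, as an added example that is not part of the original post: it audits a role's trust policy and reports any principal other than tasks.apprunner.amazonaws.com that is still allowed to assume the role, which can happen when an existing role is edited and the old trust relationship is merged rather than replaced. The function names and the EC2 sample policy are assumptions made for illustration.

```python
import json

APP_RUNNER_TASKS = "tasks.apprunner.amazonaws.com"  # service principal from the post
ASSUME = {"sts:AssumeRole", "sts:*", "*"}  # actions that grant role assumption

def as_list(value):
    """IAM accepts a single string or a list in most policy fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def principals(statement):
    """Return (kind, value) pairs from a statement's Principal element."""
    principal = statement.get("Principal") or {}
    if principal == "*":
        return [("*", "*")]
    return [(k, v) for k, vals in principal.items() for v in as_list(vals)]

def audit_trust_policy(document):
    """Return findings; an empty list means only App Runner tasks are trusted."""
    policy = json.loads(document) if isinstance(document, str) else document
    findings, trusted = [], False
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not ASSUME & set(as_list(stmt.get("Action"))):
            continue
        for kind, value in principals(stmt):
            if (kind, value) == ("Service", APP_RUNNER_TASKS):
                trusted = True
            elif value == "*":
                findings.append("wildcard principal can assume the role")
            else:
                findings.append(f"extra principal: {kind}={value}")
    if not trusted:
        findings.append(f"{APP_RUNNER_TASKS} cannot assume the role")
    return findings

# Constructed sample: a role first created for EC2, with the App Runner
# principal merged in instead of replacing the old trust relationship.
MERGED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ["ec2.amazonaws.com", APP_RUNNER_TASKS]},
        "Action": "sts:AssumeRole",
    }],
}

if __name__ == "__main__":
    for finding in audit_trust_policy(MERGED_POLICY):
        print(finding)
```

The function also accepts the policy as a JSON string, so the output of `aws iam get-role --role-name velo-external-db-adapter --query Role.AssumeRolePolicyDocument` can be passed to it directly.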