I’m getting this error when creating an AWS App Runner service:
InvalidRequestException: Error in assuming instance role arn:aws:iam::000000000000:role/SandboxAppRunnerServiceRole
This is my TF code:
provider "aws" {
region = "us-east-1"
}
### ECR ###
resource "aws_ecr_repository" "main" {
name = "MyRepository"
image_tag_mutability = "MUTABLE"
force_delete = true
image_scanning_configuration {
scan_on_push = true
}
}
### IAM Role ###
resource "aws_iam_role" "app_runner" {
name = "SandboxAppRunnerServiceRole"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = "sts:AssumeRole"
Effect = "Allow"
Sid = ""
Principal = {
Service = "build.apprunner.amazonaws.com"
}
},
]
})
}
resource "aws_iam_role_policy_attachment" "app_runner" {
role = aws_iam_role.app_runner.name
policy_arn = "arn:aws:iam::aws:policy/service-role/AWSAppRunnerServicePolicyForECRAccess"
}
### App Runner ###
# Before running this I'm manually uploading the image to the repository
resource "aws_apprunner_service" "main" {
service_name = "sandbox-service"
source_configuration {
image_repository {
image_configuration {
port = "5000"
}
image_identifier = "${aws_ecr_repository.main.repository_url}:latest"
image_repository_type = "ECR"
}
}
instance_configuration {
instance_role_arn = aws_iam_role.app_runner.arn
}
}