fix(apprunner): auto deployment fails after new container image pushe…

…d due to lack of a permission (#30630) ### Issue # (if applicable) Closes #26640 ### Reason for this change According to the [docs](https://docs.aws.amazon.com/apprunner/latest/dg/security_iam_service-with-iam.html#security_iam_service-with-iam-roles), required permissions for an App Runner's AccessRole to access images in ECR repository are the followings: 1. "ecr:GetDownloadUrlForLayer", 2. "ecr:BatchCheckLayerAvailability", 3. "ecr:BatchGetImage", 4. "ecr:DescribeImages", 5. "ecr:GetAuthorizationToken" No.1~3 are granted by the [grantPull](https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-ecr/lib/repository.ts#L385) method of `ecr.Repository`. https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/aws-apprunner-alpha/lib/service.ts#L1303 Permission for No.5 is granted by the following. **Note** : It is correct that the resources here is set to `*`(Ref: [docs](https://docs.aws.amazon.com/apprunner/latest/dg/security_iam_service-with-iam.html#security_iam_service-with-iam-roles)) > If you create your own custom policy for your access role, be sure to specify "Resource": "*" for the ecr:GetAuthorizationToken action. Tokens can be used to access any Amazon ECR registry that you have access to. https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/aws-apprunner-alpha/lib/service.ts#L1368 At the moment, No.4 permission is missing. So we need to add. ### Description of changes Add a `ecr:DescribeImages` permisison to the AccessRole. ### Description of how you validated changes Update a unit test and a integ test. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Jun 25, 2024 · cce10b1 · cce10b1
1 parent 326580a
commit cce10b1
Show file tree

Hide file tree

Showing 9 changed files with 278 additions and 104 deletions.
diff --git a/packages/@aws-cdk/aws-apprunner-alpha/lib/service.ts b/packages/@aws-cdk/aws-apprunner-alpha/lib/service.ts
@@ -1311,9 +1311,11 @@ export class Service extends cdk.Resource implements iam.IGrantable {
       } : undefined,
     });
 
-    // grant required privileges for the role
+    // grant required privileges for the role to access an image in Amazon ECR
+    // See https://docs.aws.amazon.com/apprunner/latest/dg/security_iam_service-with-iam.html#security_iam_service-with-iam-roles
     if (this.source.ecrRepository && this.accessRole) {
       this.source.ecrRepository.grantPull(this.accessRole);
+      this.source.ecrRepository.grant(this.accessRole, 'ecr:DescribeImages');
     }
 
     this.serviceArn = resource.attrServiceArn;

diff --git a/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-ecr.js.snapshot/cdk.out b/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-ecr.js.snapshot/cdk.out
diff --git a/...ws-cdk/aws-apprunner-alpha/test/integ.service-ecr.js.snapshot/integ-apprunner.assets.json b/...ws-cdk/aws-apprunner-alpha/test/integ.service-ecr.js.snapshot/integ-apprunner.assets.json
diff --git a/...-cdk/aws-apprunner-alpha/test/integ.service-ecr.js.snapshot/integ-apprunner.template.json b/...-cdk/aws-apprunner-alpha/test/integ.service-ecr.js.snapshot/integ-apprunner.template.json
@@ -1,5 +1,22 @@
 {
  "Resources": {
+  "Service3InstanceRoleD40BEE82": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "tasks.apprunner.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    }
+   }
+  },
   "Service3AccessRole3ACBAAA0": {
    "Type": "AWS::IAM::Role",
    "Properties": {
@@ -31,6 +48,7 @@
        "Action": [
         "ecr:BatchCheckLayerAvailability",
         "ecr:BatchGetImage",
+        "ecr:DescribeImages",
         "ecr:GetDownloadUrlForLayer"
        ],
        "Effect": "Allow",
@@ -72,6 +90,19 @@
   "Service342D067F2": {
    "Type": "AWS::AppRunner::Service",
    "Properties": {
+    "InstanceConfiguration": {
+     "InstanceRoleArn": {
+      "Fn::GetAtt": [
+       "Service3InstanceRoleD40BEE82",
+       "Arn"
+      ]
+     }
+    },
+    "NetworkConfiguration": {
+     "EgressConfiguration": {
+      "EgressType": "DEFAULT"
+     }
+    },
     "SourceConfiguration": {
      "AuthenticationConfiguration": {
       "AccessRoleArn": {
@@ -91,19 +122,23 @@
       },
       "ImageRepositoryType": "ECR"
      }
-    },
-    "InstanceConfiguration": {
-      "InstanceRoleArn": {
-        "Fn::GetAtt": [
-          "Service3InstanceRoleD40BEE82",
-          "Arn"
-        ]
+    }
+   }
+  },
+  "Service2InstanceRole3F57F2AA": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "tasks.apprunner.amazonaws.com"
+       }
       }
-    },
-    "NetworkConfiguration": {
-     "EgressConfiguration": {
-      "EgressType": "DEFAULT"
-     }
+     ],
+     "Version": "2012-10-17"
     }
    }
   },
@@ -138,6 +173,7 @@
        "Action": [
         "ecr:BatchCheckLayerAvailability",
         "ecr:BatchGetImage",
+        "ecr:DescribeImages",
         "ecr:GetDownloadUrlForLayer"
        ],
        "Effect": "Allow",
@@ -179,6 +215,19 @@
   "Service2AB4D14D8": {
    "Type": "AWS::AppRunner::Service",
    "Properties": {
+    "InstanceConfiguration": {
+     "InstanceRoleArn": {
+      "Fn::GetAtt": [
+       "Service2InstanceRole3F57F2AA",
+       "Arn"
+      ]
+     }
+    },
+    "NetworkConfiguration": {
+     "EgressConfiguration": {
+      "EgressType": "DEFAULT"
+     }
+    },
     "SourceConfiguration": {
      "AuthenticationConfiguration": {
       "AccessRoleArn": {
@@ -217,56 +266,9 @@
       },
       "ImageRepositoryType": "ECR"
      }
-    },
-    "InstanceConfiguration": {
-      "InstanceRoleArn": {
-        "Fn::GetAtt": [
-          "Service2InstanceRole3F57F2AA",
-          "Arn"
-        ]
-      }
-    },
-    "NetworkConfiguration": {
-     "EgressConfiguration": {
-      "EgressType": "DEFAULT"
-     }
-    }
-   }
-  },
-  "Service3InstanceRoleD40BEE82": {
-    "Type": "AWS::IAM::Role",
-    "Properties": {
-     "AssumeRolePolicyDocument": {
-      "Statement": [
-       {
-        "Action": "sts:AssumeRole",
-        "Effect": "Allow",
-        "Principal": {
-         "Service": "tasks.apprunner.amazonaws.com"
-        }
-       }
-      ],
-      "Version": "2012-10-17"
-     }
-    }
-   },
-   "Service2InstanceRole3F57F2AA": {
-    "Type": "AWS::IAM::Role",
-    "Properties": {
-     "AssumeRolePolicyDocument": {
-      "Statement": [
-       {
-        "Action": "sts:AssumeRole",
-        "Effect": "Allow",
-        "Principal": {
-         "Service": "tasks.apprunner.amazonaws.com"
-        }
-       }
-      ],
-      "Version": "2012-10-17"
-     }
     }
    }
+  }
  },
  "Outputs": {
   "URL3": {

diff --git a/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-ecr.js.snapshot/integ.json b/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-ecr.js.snapshot/integ.json
diff --git a/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-ecr.js.snapshot/manifest.json b/packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-ecr.js.snapshot/manifest.json