Commit
fix(apprunner): auto deployment fails after new container image pushed due to lack of a permission (#30630)

### Issue # (if applicable)

Closes #26640

### Reason for this change

According to the [docs](https://docs.aws.amazon.com/apprunner/latest/dg/security_iam_service-with-iam.html#security_iam_service-with-iam-roles), the required permissions for an App Runner AccessRole to access images in an ECR repository are the following:

1. "ecr:GetDownloadUrlForLayer"
2. "ecr:BatchCheckLayerAvailability"
3. "ecr:BatchGetImage"
4. "ecr:DescribeImages"
5. "ecr:GetAuthorizationToken"

No. 1~3 are granted by the [grantPull](https:/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-ecr/lib/repository.ts#L385) method of `ecr.Repository`.

https:/aws/aws-cdk/blob/main/packages/%40aws-cdk/aws-apprunner-alpha/lib/service.ts#L1303

Permission for No. 5 is granted by the following.

**Note**: It is correct that the resource here is set to `*` (Ref: [docs](https://docs.aws.amazon.com/apprunner/latest/dg/security_iam_service-with-iam.html#security_iam_service-with-iam-roles)):

> If you create your own custom policy for your access role, be sure to specify "Resource": "*" for the ecr:GetAuthorizationToken action. Tokens can be used to access any Amazon ECR registry that you have access to.

https:/aws/aws-cdk/blob/main/packages/%40aws-cdk/aws-apprunner-alpha/lib/service.ts#L1368

At the moment, the No. 4 permission is missing, so we need to add it.

### Description of changes

Add an `ecr:DescribeImages` permission to the AccessRole.

### Description of how you validated changes

Updated a unit test and an integ test.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https:/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https:/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
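Added example, not code from aws-cdk or this commit: a small TypeScript checker that takes an IAM policy document for the access role and reports which of the five ECR actions listed in the commit message no Allow statement grants (honouring `*` wildcards in action names), plus a check that `ecr:GetAuthorizationToken` is granted on `Resource: "*"` as the docs require. The two policy documents and the repository ARN are constructed placeholders that mirror the before/after state this fix describes.

```typescript
type Statement = { Effect: 'Allow' | 'Deny'; Action: string | string[]; Resource: string | string[] };
type PolicyDocument = { Version: string; Statement: Statement[] };

// The five actions the App Runner docs require on the access role.
const REQUIRED_ECR_ACTIONS = [
  'ecr:GetDownloadUrlForLayer',
  'ecr:BatchCheckLayerAvailability',
  'ecr:BatchGetImage',
  'ecr:DescribeImages',
  'ecr:GetAuthorizationToken',
];

const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);
const escapeRegExp = (s: string): string => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// IAM action patterns may contain '*' wildcards (e.g. "ecr:Batch*") and match case-insensitively.
function actionMatches(pattern: string, action: string): boolean {
  const re = new RegExp('^' + pattern.split('*').map(escapeRegExp).join('.*') + '$', 'i');
  return re.test(action);
}

// Required actions that no Allow statement in the document grants (Deny statements are ignored here).
function missingEcrActions(doc: PolicyDocument): string[] {
  const allows = doc.Statement.filter((s) => s.Effect === 'Allow');
  return REQUIRED_ECR_ACTIONS.filter(
    (action) => !allows.some((s) => asList(s.Action).some((p) => actionMatches(p, action))),
  );
}

// ecr:GetAuthorizationToken is not repository-scoped, so it must be allowed on Resource "*".
function tokenResourceIsWildcard(doc: PolicyDocument): boolean {
  return doc.Statement.some(
    (s) => s.Effect === 'Allow'
      && asList(s.Action).some((p) => actionMatches(p, 'ecr:GetAuthorizationToken'))
      && asList(s.Resource).includes('*'),
  );
}

// Constructed sample (placeholder account/repository): the access role before this fix,
// i.e. what grantPull() plus the GetAuthorizationToken statement provide.
const REPO_ARN = 'arn:aws:ecr:us-east-1:123456789012:repository/example-repo';
const beforeFix: PolicyDocument = { Version: '2012-10-17', Statement: [
  { Effect: 'Allow', Resource: REPO_ARN,
    Action: ['ecr:BatchCheckLayerAvailability', 'ecr:GetDownloadUrlForLayer', 'ecr:BatchGetImage'] },
  { Effect: 'Allow', Action: 'ecr:GetAuthorizationToken', Resource: '*' },
] };
// After the fix: ecr:DescribeImages is granted on the repository as well.
const afterFix: PolicyDocument = { ...beforeFix, Statement: [...beforeFix.Statement,
  { Effect: 'Allow', Action: 'ecr:DescribeImages', Resource: REPO_ARN }] };

console.log('missing before fix:', missingEcrActions(beforeFix)); // ['ecr:DescribeImages']
console.log('missing after fix:', missingEcrActions(afterFix));   // []
```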