apprunner-roadmap
Changing the ECR Access Role in AppRunner Service leads to update failure
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Tell us about your request
Changing the ECR Access Role after the creation of the AWS AppRunner Service leads to update failure and takes about 40 minutes.
Event Logs
06-29-2022 08:32:02 AM [AppRunner] Service status is set to RUNNING.
06-29-2022 08:32:02 AM [AppRunner] Service update failed. For details, see service logs.
06-29-2022 07:52:20 AM [AppRunner] Service status is set to OPERATION_IN_PROGRESS.
06-29-2022 07:52:20 AM [AppRunner] Service update started.
06-29-2022 07:50:58 AM [AppRunner] Service status is set to RUNNING.
06-29-2022 07:50:57 AM [AppRunner] Service creation completed successfully.
06-29-2022 07:50:56 AM [AppRunner] Successfully routed incoming traffic to application.
06-29-2022 07:49:51 AM [AppRunner] Health check is successful. Routing traffic to application.
06-29-2022 07:48:29 AM [AppRunner] Performing health check on port '80'.
06-29-2022 07:48:19 AM [AppRunner] Provisioning instances and deploying image.
06-29-2022 07:48:08 AM [AppRunner] Successfully pulled image from ECR.
06-29-2022 07:45:38 AM [AppRunner] Service status is set to OPERATION_IN_PROGRESS.
06-29-2022 07:45:38 AM [AppRunner] Service creation started.
Attachments
If you think you might have additional information that you'd like to include via an attachment, please do - we'll take a look. (Remember to remove any personally-identifiable information.)
Hi @Gurpr33tS1ngh, thanks for reporting the issue. Is the list of permissions assigned to both roles identical? Since you are using an ECR, the role passed in should have the required permissions to access the target ECR repository. Can you please share some insights around this, so we can look into this issue? Also, can you please share the ARN of the App Runner service? Thanks.
@hariohmprasath you can reproduce this easily by creating a service, then changing the ECR access role to a duplicate of the original role with a different name but the exact same permissions.
@hariohmprasath The custom role that I created for testing was identical to the default role provided by the service. If you are not able to replicate it, I'll be more than happy to share the service details.
Thanks @Gurpr33tS1ngh. Can you also share the service ARN? It would be helpful to look into historical data as well.
I'm experiencing this as well, attempting to change from one custom role to another custom role for access.
Hi @ckdake, @rschick & @Gurpr33tS1ngh, the App Runner team has fixed this issue and you can give it a try whenever you have some time. Have a good weekend. Thanks
This exact issue still exists, or re-occurred. Verified just now in at least eu-central-1.
Either from the Console or via the API, changing access_role to a different but identical role fails. But creating from scratch with either is fine.
+1, this is still an issue and I am experiencing it as well
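The question raised in the thread (are the two ECR access roles really identical?) can be checked offline before suspecting the service. The following is an added example, not code from this issue or from App Runner. It assumes each role is supplied as a dict holding its trust and permissions policy documents and that the ECR access role is assumed by the `build.apprunner.amazonaws.com` service principal; the sample roles and helper names are constructed.

```python
import json

# Assumption: App Runner assumes the ECR access role as this service principal.
BUILD_PRINCIPAL = "build.apprunner.amazonaws.com"

def as_set(value):
    """IAM accepts either a string or a list for Action/Resource/Service."""
    if value is None:
        return frozenset()
    return frozenset([value] if isinstance(value, str) else value)

def normalize(policy):
    """Turn a policy document into an order-independent set of statements."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    stmts = doc.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    result = set()
    for s in stmts:
        principal = s.get("Principal") or {}  # only Service principals are compared
        services = as_set(principal.get("Service")) if isinstance(principal, dict) else as_set(principal)
        actions = frozenset(a.lower() for a in as_set(s.get("Action")))  # case-insensitive
        condition = json.dumps(s.get("Condition", {}), sort_keys=True)
        result.add((s.get("Effect"), actions, as_set(s.get("Resource")), services, condition))
    return result

def compare_roles(old, new):
    """Return differences between two roles; an empty list means equivalent."""
    findings = []
    for part in ("trust", "permissions"):
        if normalize(old[part]) != normalize(new[part]):
            findings.append(f"{part} policy differs")
    trusted = set()
    for effect, _, _, services, _ in normalize(new["trust"]):
        if effect == "Allow":
            trusted |= services
    if BUILD_PRINCIPAL not in trusted:
        findings.append(f"new role does not trust {BUILD_PRINCIPAL}")
    return findings

# Constructed sample roles (not taken from the issue).
ECR_ACTIONS = ["ecr:GetAuthorizationToken", "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]

def role(principal, actions, wrap=True):
    trust = {"Effect": "Allow", "Principal": {"Service": principal}, "Action": "sts:AssumeRole"}
    perms = {"Effect": "Allow", "Action": actions, "Resource": "*"}
    return {"trust": {"Statement": [trust] if wrap else trust},
            "permissions": json.dumps({"Statement": [perms]})}

ORIGINAL = role(BUILD_PRINCIPAL, ECR_ACTIONS)
DUPLICATE = role(BUILD_PRINCIPAL, list(reversed(ECR_ACTIONS)), wrap=False)
WRONG_TRUST = role("tasks.apprunner.amazonaws.com", ECR_ACTIONS)
```

An empty result for `compare_roles(ORIGINAL, DUPLICATE)` means the two roles differ only in formatting, which is the situation the reporters describe; `WRONG_TRUST` shows the separate case of a role that trusts the instance-role principal instead.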