AppRunner: After pushing a Docker image to ECR, the deployment isn't triggered. #26640

@watany-dev

Description

Describe the bug

Deployed AppRunner using AWS CDK.
The expected behavior is for AppRunner to automatically deploy upon each change to the container image in ECR.

Expected Behavior

After pushing a Docker image to ECR, the AppRunner deployment is triggered.

Current Behavior

However, even after pushing a Docker image to ECR, the AppRunner deployment isn't triggered.

Reproduction Steps

import * as apprunner from '@aws-cdk/aws-apprunner-alpha'
import { Cpu, Memory } from '@aws-cdk/aws-apprunner-alpha'
import * as cdk from 'aws-cdk-lib'
import * as iam from 'aws-cdk-lib/aws-iam' // imported but not used in this stack
import { Construct } from 'constructs'
import { EcrStack } from './ecr'

export class AppRunnerStack extends cdk.Stack {
  constructor(
    scope: Construct,
    id: string,
    ecrStack: EcrStack,
    props?: cdk.StackProps,
  ) {
    super(scope, id, props)

    // App Runner service that pulls the ':latest' tag from the repository created in EcrStack.
    // autoDeploymentsEnabled is meant to redeploy on every push of that tag; no accessRole is
    // passed, so the construct generates the access role itself.
    new apprunner.Service(this, 'SampleAppRunnerService', {
      serviceName: 'sample-app',
      cpu: Cpu.ONE_VCPU,
      memory: Memory.TWO_GB,
      autoDeploymentsEnabled: true,
      source: apprunner.Source.fromEcr({
        imageConfiguration: {
          port: 3000,
          startCommand: 'npm run start --workspace=app',
        },
        repository: ecrStack.repository,
        tagOrDigest: 'latest',
      }),
    })
  }
}

Possible Solution

Cause:

The access role for AppRunner's service is automatically generated. However, it lacks permission for the ecr:DescribeImages action, preventing it from detecting image changes.

Necessary Permissions:

Actions required for ECR access:

  • ecr:BatchCheckLayerAvailability
  • ecr:GetDownloadUrlForLayer
  • ecr:BatchGetImage
  • ecr:GetAuthorizationToken

Actions that AppRunner needs for ECR access:

  • ecr:GetDownloadUrlForLayer
  • ecr:BatchCheckLayerAvailability
  • ecr:BatchGetImage
  • ecr:DescribeImages
  • ecr:GetAuthorizationToken

Proposed Solution:

  1. Add the ecr:DescribeImages action to the access role of AppRunner's service.
  2. Attach the IAM policy that includes the above actions to AppRunner.
  3. Make the AccessRole public to allow users to access it.

Additional Information/Context

https://zenn.dev/okaharuna/articles/bed7f41498a1b6

CDK CLI Version

2.89.0

Framework Version

No response

Node.js Version

any

OS

any

Language

Typescript

Language Version

No response

Other information

No response
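The following is an added example, not code from the issue author or from the CDK project. It builds the IAM policy document an App Runner access role needs for the five ECR actions listed in the issue, and checks an existing policy document for any of those actions that are missing, so that a role generated elsewhere can be audited for the gap described above (ecr:DescribeImages absent). The repository ARN, the sample "auto-generated" policy and the function names are constructed for this example; the policy is plain JSON, so it does not depend on aws-cdk-lib. Wiring it into CDK (creating an iam.Role with this policy and handing it to the Service as its access role) is left to the reader, since the exact prop name on the alpha construct is not stated on this page.

```typescript
// Added example (not from the issue or the CDK project): the ECR permissions an
// App Runner access role needs, and a checker for policies that lack some of them.

// Actions the issue lists as required for App Runner's ECR access.
const APPRUNNER_ECR_ACTIONS = [
  'ecr:GetDownloadUrlForLayer',
  'ecr:BatchCheckLayerAvailability',
  'ecr:BatchGetImage',
  'ecr:DescribeImages',
  'ecr:GetAuthorizationToken',
] as const;

interface Statement {
  Effect: 'Allow' | 'Deny';
  Action: string | string[];
  Resource: string | string[];
}

interface PolicyDocument {
  Version: '2012-10-17';
  Statement: Statement[];
}

// Build the access-role policy. repoArn is a constructed placeholder for the
// ECR repository the service pulls from. GetAuthorizationToken is not
// resource-scoped in IAM, so it has to be granted on '*'; everything else is
// scoped to the single repository (least privilege).
function buildAccessRolePolicy(repoArn: string): PolicyDocument {
  return {
    Version: '2012-10-17',
    Statement: [
      { Effect: 'Allow', Action: ['ecr:GetAuthorizationToken'], Resource: '*' },
      {
        Effect: 'Allow',
        Action: APPRUNNER_ECR_ACTIONS.filter((a) => a !== 'ecr:GetAuthorizationToken'),
        Resource: repoArn,
      },
    ],
  };
}

// IAM action strings may contain '*' and '?' wildcards ("ecr:Get*", "ecr:*");
// translate one such pattern to a case-insensitive regular expression.
function actionMatches(pattern: string, action: string): boolean {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\?/g, '.')
    .replace(/\*/g, '.*');
  return new RegExp(`^${escaped}$`, 'i').test(action);
}

// Return the required ECR actions that no Allow statement in the document
// covers. Deny statements and Condition blocks are deliberately ignored: this
// is a quick gap check, not a full IAM evaluation.
function missingEcrActions(doc: PolicyDocument): string[] {
  const allowPatterns: string[] = [];
  for (const s of doc.Statement) {
    if (s.Effect !== 'Allow') continue;
    allowPatterns.push(...(Array.isArray(s.Action) ? s.Action : [s.Action]));
  }
  return [...APPRUNNER_ECR_ACTIONS].filter(
    (required) => !allowPatterns.some((p) => actionMatches(p, required)),
  );
}

// Constructed sample mirroring the issue's first list: the four actions the
// generated role grants, without ecr:DescribeImages.
const AUTO_GENERATED_POLICY: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [
    {
      Effect: 'Allow',
      Action: [
        'ecr:BatchCheckLayerAvailability',
        'ecr:GetDownloadUrlForLayer',
        'ecr:BatchGetImage',
        'ecr:GetAuthorizationToken',
      ],
      Resource: '*',
    },
  ],
};

// Usage: audit the constructed sample, then show the corrected policy passes.
console.log('missing from generated role:', missingEcrActions(AUTO_GENERATED_POLICY));
const fixed = buildAccessRolePolicy('arn:aws:ecr:us-east-1:123456789012:repository/sample-app');
console.log('missing from corrected policy:', missingEcrActions(fixed));
```

To audit a deployed role, fetch its inline or attached policy document (for example with `aws iam get-role-policy`) and pass the parsed JSON to missingEcrActions; a non-empty result names exactly the actions to add.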

Labels

  • @aws-cdk/aws-apprunner (Related to the apprunner package)
  • bug (This issue is a bug.)
  • effort/medium (Medium work item – several days of effort)
  • p2