aws-apprunner-alpha: accessRole prop doesn't work #32974

Open
garysassano opened this issue Jan 16, 2025 · 4 comments
Labels
@aws-cdk/aws-apprunner Related to the apprunner package bug This issue is a bug. effort/small Small work item – less than a day of effort p3

Comments

@garysassano

Describe the bug

The accessRole prop in the Service L2 construct doesn't work. If you try to set it, it gets ignored.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

I expected the App Runner service to be created with the configured access role, like for this service I manually created from AWS Console:

[screenshot: App Runner console, manually created service showing the configured access role]

Current Behavior

The App Runner service gets deployed without the configured access role:

[screenshot: App Runner console, CDK-deployed service with no access role set]

Reproduction Steps

Deploy the following Stack:

import { Role, ServicePrincipal } from "aws-cdk-lib/aws-iam";
import { Service, Source } from "@aws-cdk/aws-apprunner-alpha";

// Inside the Stack constructor.
// Instance role: assumed by the running container (tasks.apprunner.amazonaws.com).
const apprunnerInstanceRole = new Role(this, "ApprunnerInstanceRole", {
  assumedBy: new ServicePrincipal("tasks.apprunner.amazonaws.com"),
});

// Access role: assumed by App Runner's build side (build.apprunner.amazonaws.com)
// to pull the image. AdministratorAccess is used here only to make the repro obvious.
const apprunnerAccessRole = new Role(this, "ApprunnerAccessRole", {
  assumedBy: new ServicePrincipal("build.apprunner.amazonaws.com"),
  managedPolicies: [
    {
      managedPolicyArn: "arn:aws:iam::aws:policy/AdministratorAccess",
    },
  ],
});

// The accessRole passed here is expected to show up on the deployed service.
new Service(this, "ApacheService", {
  accessRole: apprunnerAccessRole,
  instanceRole: apprunnerInstanceRole,
  source: Source.fromEcrPublic({
    imageIdentifier: "public.ecr.aws/docker/library/httpd:bookworm",
    imageConfiguration: {
      port: 80,
    },
  }),
});

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.175.1

Framework Version

No response

Node.js Version

22.12.0

OS

Ubuntu 24.04.1

Language

TypeScript

Language Version

No response

Other information

No response

@garysassano garysassano added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 16, 2025
@github-actions github-actions bot added the @aws-cdk/aws-apprunner Related to the apprunner package label Jan 16, 2025
@khushail khushail added needs-reproduction This issue needs reproduction. and removed needs-triage This issue or PR still needs to be triaged. labels Jan 16, 2025
@khushail khushail self-assigned this Jan 16, 2025
@khushail khushail added the p2 label Jan 16, 2025
@khushail
Contributor

Hi @garysassano, thanks for reaching out. I am able to reproduce the scenario with the given code -

import { Role, ServicePrincipal } from "aws-cdk-lib/aws-iam";
import * as apprunner from "@aws-cdk/aws-apprunner-alpha";

// Inside the Stack constructor.
const apprunnerInstanceRole = new Role(this, "ApprunnerInstanceRole", {
  assumedBy: new ServicePrincipal("tasks.apprunner.amazonaws.com"),
});

const apprunnerAccessRole = new Role(this, "ApprunnerAccessRole", {
  assumedBy: new ServicePrincipal("build.apprunner.amazonaws.com"),
  managedPolicies: [
    {
      managedPolicyArn: "arn:aws:iam::aws:policy/AdministratorAccess",
    },
  ],
});

const servicenew = new apprunner.Service(this, "ApacheService", {
  accessRole: apprunnerAccessRole,
  instanceRole: apprunnerInstanceRole,
  source: apprunner.Source.fromEcrPublic({
    imageIdentifier: "public.ecr.aws/docker/library/httpd:bookworm",
    imageConfiguration: {
      port: 80,
    },
  }),
});

Here is the output in console when deployed -

[screenshot: App Runner console output after deploying the stack above]

Looks like the issue exists here -

this.props.accessRole ?? this.generateDefaultRole() : undefined;

https://github.com/aws/aws-cdk/blob/899965d6147829b8f8ac52ac8c1350de50d7b6d0/packages/%40aws-cdk/aws-apprunner-alpha/lib/service.ts#L1288C1-L1290C71

if you leave it undefined, it will create the default role.

Marking it as P3 since default role creation exists, but the code should also take the passed value into consideration.

Contributions from the community are also welcome for the resolution of this bug.

@khushail khushail added p3 effort/small Small work item – less than a day of effort and removed p2 needs-reproduction This issue needs reproduction. labels Jan 16, 2025
@khushail khushail removed their assignment Jan 16, 2025
@mazyu36
Contributor

mazyu36 commented Jan 17, 2025

Since an access role is only set when ECR is private, this seems to be the intended behavior.

* It's required for ECR image repositories (but not for ECR Public repositories).

this.accessRole = (this.source.imageRepository?.imageRepositoryType == ImageRepositoryType.ECR) ?

The docs state the following:

The access role is a role that App Runner uses for accessing images in Amazon Elastic Container Registry (Amazon ECR) in your account. It's required to access an image in Amazon ECR, and isn't required with Amazon ECR Public.

Do we need to set an access role even when using ECR Public?

@garysassano
Author

@mazyu36 My initial implementation actually used an ECR private registry configured with a pull-through cache for Docker Hub. The outcome was identical. I created a minimal reproducible code block using the Apache image solely to illustrate the issue.

@garysassano
Author

To clarify, the default access role cannot be used because you need to create an ECR registry permission that enables the IAM role used by App Runner to pull images via the pull-through cache. Here's an example implementation:

import { PolicyStatement } from "aws-cdk-lib/aws-iam";
import { CfnRegistryPolicy } from "aws-cdk-lib/aws-ecr";

// Let the instance role act on the repositories cached by the pull-through
// cache rule with the "docker-hub" prefix.
apprunnerInstanceRole.addToPrincipalPolicy(
  new PolicyStatement({
    actions: ["ecr:*"],
    resources: [
      `arn:aws:ecr:${this.region}:${this.account}:repository/docker-hub/*`,
    ],
  }),
);

// ECR registry permissions: allow the App Runner access role to pull through
// the cache. The Resource must be a template literal (backticks) so that
// ${this.region} and ${this.account} are interpolated, and it needs the
// trailing "/*" to match the cached repositories.
const registryPolicy = new CfnRegistryPolicy(this, "EcrRegistryPolicy", {
  policyText: {
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "AllowPullThroughCache",
        Effect: "Allow",
        Principal: {
          AWS: apprunnerAccessRole.roleArn,
        },
        Action: ["ecr:*"],
        Resource:
          `arn:aws:ecr:${this.region}:${this.account}:repository/docker-hub/*`,
      },
    ],
  },
});

Unfortunately, there's no built-in method to modify the access role policy directly. Currently, you only have the option to use Service.addToRolePolicy() to modify the instance role.

[screenshot: Service.addToRolePolicy() documentation, which only targets the instance role]

It would be much better to have more idiomatic and self-explanatory methods like Service.addToAccessRolePolicy() and Service.addToInstanceRolePolicy(). These would provide clearer semantics and finer-grained control.
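As an added example (not the CDK project's code and not the issue author's), the following TypeScript builds the two policy documents the pull-through-cache scenario in this thread needs for a custom access role: a least-privilege identity policy to attach to the role in place of AdministratorAccess, and the ECR registry permissions policy that goes into CfnRegistryPolicy.policyText. It also includes a small checker that confirms a policy grants the required actions to the right principal on the cached repository, which is enough to catch the double-quoted `"${this.region}"` string (not interpolated) and the missing `/*` from the earlier snippet. The region, account, role ARN and the `docker-hub` cache prefix are constructed sample values, not taken from the thread.

```typescript
// Added example, not the CDK project's code nor the issue author's: the two
// least-privilege policy documents a custom App Runner access role needs to pull
// a Docker Hub image through an ECR pull-through cache, plus a small checker.
// Assumptions (constructed for the example): region, account, role ARN and the
// pull-through cache prefix "docker-hub".

type Statement = {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Principal?: { AWS: string | string[] };
  Action: string[];
  Resource: string | string[];
};

type PolicyDocument = { Version: "2012-10-17"; Statement: Statement[] };

// Read actions App Runner's access role needs for a private ECR registry
// (the resource-scoped actions of the AWS-managed AWSAppRunnerServicePolicyForECRAccess).
const ECR_PULL_ACTIONS = [
  "ecr:GetDownloadUrlForLayer",
  "ecr:BatchCheckLayerAvailability",
  "ecr:BatchGetImage",
  "ecr:DescribeImages",
];

// Additional actions a pull-through cache needs on first pull: create the
// cached repository and import the upstream image.
const PULL_THROUGH_CACHE_ACTIONS = ["ecr:CreateRepository", "ecr:BatchImportUpstreamImage"];

function cacheRepositoryArn(region: string, account: string, prefix: string): string {
  return `arn:aws:ecr:${region}:${account}:repository/${prefix}/*`;
}

// Identity policy for the access role (what to attach instead of AdministratorAccess).
function accessRoleIdentityPolicy(region: string, account: string, prefix: string): PolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: [
      // GetAuthorizationToken is not resource-scoped, so it must be granted on "*".
      { Sid: "EcrAuth", Effect: "Allow", Action: ["ecr:GetAuthorizationToken"], Resource: "*" },
      {
        Sid: "PullThroughCache",
        Effect: "Allow",
        Action: [...ECR_PULL_ACTIONS, ...PULL_THROUGH_CACHE_ACTIONS],
        Resource: cacheRepositoryArn(region, account, prefix),
      },
    ],
  };
}

// Registry permissions policy (the policyText of an ecr.CfnRegistryPolicy):
// grants the access role the pull-through-cache actions on the cached repositories.
function pullThroughCacheRegistryPolicy(roleArn: string, region: string, account: string, prefix: string): PolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "AllowPullThroughCache",
        Effect: "Allow",
        Principal: { AWS: roleArn },
        Action: [...PULL_THROUGH_CACHE_ACTIONS],
        Resource: cacheRepositoryArn(region, account, prefix),
      },
    ],
  };
}

// Trailing-wildcard match for actions ("ecr:*") and resource ARNs (".../docker-hub/*").
function wildcardMatch(pattern: string, value: string): boolean {
  if (pattern === "*" || pattern === value) return true;
  return pattern.endsWith("*") && value.startsWith(pattern.slice(0, -1));
}

// Does `policy` Allow every action in `required` on `repoArn`? For a registry
// policy pass `principalArn` so only statements naming that principal count.
// Deny statements are ignored: this is a sanity check, not an IAM simulator.
function grants(policy: PolicyDocument, required: string[], repoArn: string, principalArn?: string): boolean {
  const patterns: string[] = [];
  for (const s of policy.Statement) {
    if (s.Effect !== "Allow") continue;
    if (principalArn !== undefined) {
      const p = s.Principal?.AWS;
      const principals = p === undefined ? [] : Array.isArray(p) ? p : [p];
      if (!principals.includes(principalArn)) continue;
    }
    const resources = Array.isArray(s.Resource) ? s.Resource : [s.Resource];
    if (!resources.some((r) => wildcardMatch(r, repoArn))) continue;
    patterns.push(...s.Action);
  }
  return required.every((a) => patterns.some((p) => wildcardMatch(p, a)));
}
```

The identity policy is what you would attach to the role passed as `accessRole` once the construct honours it; the registry policy is the piece the thread needed because App Runner's default access role cannot be named in it ahead of time. Scoping both to the `docker-hub/*` repository ARN, rather than `ecr:*` on everything, keeps a compromised build-side role from reaching other repositories in the registry.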
