
Lesson Description
The "App Runner IAM Role" lesson is part of the full Cloud Infrastructure: Startup to Scale course featured in this preview video. Here's what you'd learn in this lesson:
Erik configures an IAM role for AWS App Runner. Once the role is created, an attached policy allows App Runner to read the parameters under the fem-fd-service path in Parameter Store. App Runner needs these permissions to expose the Parameter Store values to the application as environment variables.
Transcript from the "App Runner IAM Role" Lesson
[00:00:00]
>> Erik Reinert: Awesome, so our policy has been created. Now we need to create one more thing, which is a role. So Amazon and how its management works is basically, you have policies, policies are attached to roles, and then users use roles, right? And so that's kind of what we are recreating here, we're basically creating a policy.
[00:00:20]
We're creating the role, but we don't have to create the user because Amazon's the user in this case. So we only really have to tell Amazon, hey, here's what you're allowed access to. And then here's the role that we want you to be able to use. And so what we're gonna do is after we create a policy, we're then gonna go to Roles.
[00:00:38]
We're gonna click Create Role. I'm going to click Custom Trust Policy because unfortunately, I'm sorry, there isn't App Runner in this list. I don't know why App Runner is not in this list, but it's not. And so we have to create a custom trust policy and copy a few more lines of code.
[00:00:58]
And so what I'm gonna do is I'm gonna paste this in, and then here I'll give you the second thing you wanna use. So this at the top is for the policy, and then this is for the role. And so basically what we're doing is we're telling Amazon how this role can work with Amazon Services.
[00:01:21]
We're basically saying, hey, this role can assume role in the tasks. And so you need this so that App Runner can use its own custom role. Okay, so I'm gonna click next. It's gonna say, well, hey, do you have any policies that you wanna attach? Yes, I do.
[00:01:39]
I wanna attach the policy that I just created. So I type in the search bar FEM. You'll see my FEM FD service. And so now you can see how we're attaching the permissions to the role, right? Then we click next, and then we're gonna do FEM FD service as the role name.
[00:01:57]
Again, our trust policy is basically saying, hey, anything that this role uses on tasks.apprunner.amazonaws.com, I can use. And then the policy says, okay, these are the actual things that I'm allowed to request through SSM when I'm assumed as that role. All good. Then we click Create Role. There may be a little confusion where you might look at this and go, we just created a policy.
[00:02:29]
Why are we creating another policy? Amazon, again, is really confusing, and IAM especially is very confusing. Effectively, what you're doing with a role is what's called an assume policy, which tells Amazon where you can use this role and what services, on a high level, like a domain, you can use.
[00:02:59]
It's just like granting access to the thing, right? But that doesn't mean that you can use the things inside of the thing that you're accessing, right? That's what a policy does. So a policy says these are the things inside of that big thing that you're trying to access, this is the granularity control.
[00:03:16]
But if you wanna even use the thing, you have to tell me what the role is allowed to use. So it's a combination of the two. It's what a role can access from a service level and then what inside of that service can it use? So they get glued together and then that's how it creates its permission sets and stuff.
[00:03:37]
So, yeah, one is an assume policy and the other one is just a normal policy. And assuming means like, I want to use this thing on Amazon, I'm assuming a role to use that.