Add AWS App Runner service role and secure credentials setup documentation

hk-dev13 · hk-dev13 · commit d163e93a7326 · 2025-08-20T03:02:40.000+07:00
diff --git a/APPRUNNER_SERVICE_SETUP.md b/APPRUNNER_SERVICE_SETUP.md
@@ -0,0 +1,133 @@
+# AWS App Runner Service Role Configuration
+
+## 🔐 Service Role Requirements
+
+AWS App Runner membutuhkan IAM service role untuk mengakses ECR dan layanan AWS lainnya.
+
+### Option 1: Auto-create Service Role (Recommended)
+Saat membuat App Runner service, pilih **"Create new service role"** - AWS akan otomatis membuat role dengan permissions yang tepat.
+
+### Option 2: Manual Service Role Creation
+
+#### 1. Create IAM Role
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "build.apprunner.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+```
+
+#### 2. Attach Policy
+Role name: `AppRunnerECRAccessRole`
+
+**AWS Managed Policy:**
+- `AWSAppRunnerServicePolicyForECRAccess`
+
+**Or Custom Policy:**
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ecr:GetAuthorizationToken"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ecr:BatchCheckLayerAvailability",
+        "ecr:GetDownloadUrlForLayer",
+        "ecr:BatchGetImage",
+        "ecr:DescribeRepositories",
+        "ecr:DescribeImages"
+      ],
+      "Resource": "arn:aws:ecr:ap-southeast-2:147845229604:repository/permit-api"
+    }
+  ]
+}
+```
+
+## 📋 App Runner Service Configuration
+
+### Container Configuration
+```yaml
+Source: Container registry
+Provider: Amazon ECR
+Container image URI: 147845229604.dkr.ecr.ap-southeast-2.amazonaws.com/permit-api:latest
+Deployment trigger: Manual
+```
+
+### Build Configuration
+```yaml
+Service role: AppRunnerECRAccessRole (or auto-created)
+```
+
+### Service Configuration
+```yaml
+Service name: permit-api-service
+Virtual CPU: 1 vCPU
+Virtual memory: 2 GB
+Port: 8000
+Environment variables:
+  FLASK_ENV: production
+  FLASK_DEBUG: 0
+  PORT: 8000
+  API_KEYS: demo_basic_key:DemoBasic:basic,demo_premium_key:DemoPremium:premium
+  MASTER_API_KEY: demo_master_key_12345
+  LOG_LEVEL: INFO
+```
+
+### Auto-scaling Configuration
+```yaml
+Minimum size: 1
+Maximum size: 3
+Max concurrency: 100 per instance
+```
+
+### Health Check Configuration
+```yaml
+Health check path: /health
+Health check interval: 20 seconds
+Health check timeout: 5 seconds
+Healthy threshold: 1
+Unhealthy threshold: 5
+```
+
+## 🚀 Step-by-Step Creation
+
+1. **AWS App Runner Console**: https://ap-southeast-2.console.aws.amazon.com/apprunner/home
+2. **Create service** → Container registry
+3. **ECR Image**: `147845229604.dkr.ecr.ap-southeast-2.amazonaws.com/permit-api:latest`
+4. **Service role**: Choose "Create new service role" or select existing `AppRunnerECRAccessRole`
+5. **Configure** service settings as above
+6. **Review and create**
+
+## ✅ Verification Steps
+
+After deployment:
+1. **Check service status**: Should show "Running"
+2. **Test health endpoint**: `https://your-app-url.awsapprunner.com/health`
+3. **Test API with key**:
+   ```bash
+   curl -H "Authorization: Bearer demo_basic_key" \
+     "https://your-app-url.awsapprunner.com/global/emissions?limit=5"
+   ```
+
+## 🔧 Troubleshooting
+
+**Common Issues:**
+- **Service role permissions**: Ensure ECR access is granted
+- **Container port**: Must match Dockerfile EXPOSE 8000
+- **Health check**: Verify `/health` endpoint responds
+- **Environment variables**: Check all required vars are set
diff --git a/SECURE_AWS_SETUP.md b/SECURE_AWS_SETUP.md
@@ -0,0 +1,82 @@
+# Secure AWS Credentials Setup
+
+## 🔐 Secure Method to Configure AWS CLI
+
+### Option 1: Environment Variables (Recommended)
+Create a `.env` file with your credentials:
+
+```powershell
+# Create .env file
+echo 'AWS_ACCESS_KEY_ID=your_new_access_key_here' > .env.aws
+echo 'AWS_SECRET_ACCESS_KEY=your_new_secret_key_here' >> .env.aws
+echo 'AWS_DEFAULT_REGION=ap-southeast-2' >> .env.aws
+```
+
+Then load them:
+```powershell
+# Load environment variables
+Get-Content .env.aws | ForEach {
+    $parts = $_.Split('=')
+    [System.Environment]::SetEnvironmentVariable($parts[0], $parts[1], "User")
+}
+```
+
+### Option 2: Manual Config File Edit
+Edit AWS config files directly:
+
+**Windows locations:**
+- `%USERPROFILE%\.aws\credentials`
+- `%USERPROFILE%\.aws\config`
+
+**Credentials file content:**
+```ini
+[default]
+aws_access_key_id = YOUR_NEW_ACCESS_KEY
+aws_secret_access_key = YOUR_NEW_SECRET_KEY
+```
+
+**Config file content:**
+```ini
+[default]
+region = ap-southeast-2
+output = json
+```
+
+### Option 3: Use AWS CLI with input redirection
+```powershell
+# Create temporary input file
+@'
+YOUR_NEW_ACCESS_KEY
+YOUR_NEW_SECRET_KEY
+ap-southeast-2
+json
+'@ | .\.venv\Scripts\python.exe -m awscli configure
+```
+
+## 🎯 Next Steps After Setup
+
+1. **Test credentials:**
+   ```powershell
+   .\.venv\Scripts\python.exe -m awscli sts get-caller-identity
+   ```
+
+2. **Test App Runner access:**
+   ```powershell
+   .\.venv\Scripts\python.exe -m awscli apprunner list-services --region ap-southeast-2
+   ```
+
+3. **Continue with App Runner service creation**
+
+## 🚨 Security Best Practices
+
+1. **Never paste credentials** in chat/terminal logs
+2. **Use temporary credentials** when possible
+3. **Rotate keys regularly**
+4. **Delete unused access keys** immediately
+5. **Use least privilege policies**
+
+## 🔄 For GitHub Actions
+
+Make sure to update GitHub Secrets with the new credentials:
+- Repository Settings → Secrets and Variables → Actions
+- Update `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`
diff --git a/TROUBLESHOOT_APPRUNNER.md b/TROUBLESHOOT_APPRUNNER.md
@@ -0,0 +1,54 @@
+# App Runner Minimal Configuration (Bypass Auto-scaling Issue)
+
+## 🚀 Quick Service Creation
+
+### Skip Auto-scaling Configuration
+1. **Cancel** the auto-scaling dialog
+2. Use **default scaling settings**:
+   - Min instances: 1
+   - Max instances: 25
+   - Concurrency: 100
+
+### Required Configuration Only
+```yaml
+Service name: permit-api-service
+ECR Image URI: 147845229604.dkr.ecr.ap-southeast-2.amazonaws.com/permit-api:latest
+Port: 8000
+CPU: 1 vCPU
+Memory: 2 GB
+
+Environment Variables:
+  FLASK_ENV: production
+  PORT: 8000
+  API_KEYS: demo_basic_key:DemoBasic:basic
+  MASTER_API_KEY: demo_master_key_12345
+```
+
+### Health Check (Optional)
+```yaml
+Path: /health
+Interval: 20s
+Timeout: 5s
+```
+
+## 🔧 Troubleshooting Account Issues
+
+### Check AWS Account
+1. **Billing Console**: Ensure payment method is active
+2. **Region**: Switch to `us-east-1` if `ap-southeast-2` has issues
+3. **Account Status**: Check if account is fully activated
+
+### Alternative Regions for App Runner
+- **US East (N. Virginia)**: `us-east-1`
+- **US West (Oregon)**: `us-west-2` 
+- **Europe (Ireland)**: `eu-west-1`
+- **Asia Pacific (Tokyo)**: `ap-northeast-1`
+
+### Command Line Check
+```powershell
+# Check if App Runner is available in your region
+.\.venv\Scripts\python.exe -m awscli apprunner list-services --region ap-southeast-2
+
+# If error, try different region
+.\.venv\Scripts\python.exe -m awscli apprunner list-services --region us-east-1
+```
