From 540c12dadaabaf389b2ba157be4e4bcbe520ea07 Mon Sep 17 00:00:00 2001
From: mingran peng
Date: Tue, 27 Feb 2024 10:52:21 -0800
Subject: [PATCH] fix: unable to trigger ECR image auto deployment
---
 packages/@aws-cdk/aws-apprunner-alpha/lib/service.ts | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/packages/@aws-cdk/aws-apprunner-alpha/lib/service.ts b/packages/@aws-cdk/aws-apprunner-alpha/lib/service.ts
index 9564bbae18cf3..96b072d7ffba5 100644
--- a/packages/@aws-cdk/aws-apprunner-alpha/lib/service.ts
+++ b/packages/@aws-cdk/aws-apprunner-alpha/lib/service.ts
@@ -1318,7 +1318,13 @@ export class Service extends cdk.Resource implements iam.IGrantable {
 assumedBy: new iam.ServicePrincipal('build.apprunner.amazonaws.com'),
 });
 accessRole.addToPrincipalPolicy(new iam.PolicyStatement({
- actions: ['ecr:GetAuthorizationToken'],
+ actions: [
+ 'ecr:BatchCheckLayerAvailability',
+ 'ecr:BatchGetImage',
+ 'ecr:DescribeImages',
+ 'ecr:GetAuthorizationToken',
+ 'ecr:GetDownloadUrlForLayer',
+ ],
 resources: ['*'],
 }));
 this.accessRole = accessRole;
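Review bot: The four actions added next to `ecr:GetAuthorizationToken` inherit `resources: ['*']`, so the access role assumed by `build.apprunner.amazonaws.com` is allowed to describe and pull images from every ECR repository this identity policy reaches, not only the one the service deploys from. Only `ecr:GetAuthorizationToken` needs the wildcard, since it has no resource-level scoping; `ecr:BatchCheckLayerAvailability`, `ecr:BatchGetImage`, `ecr:DescribeImages` and `ecr:GetDownloadUrlForLayer` all accept a repository ARN. I would keep the token action alone in this statement and move the other four into a second `iam.PolicyStatement` with `resources: [<ARN of the source repository>]`. The enclosing method starts and ends outside the hunk, so it is not visible whether the repository is in scope here; if it is not, the scoped grant belongs at the point where the repository is known.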