AccessRole:
  Metadata:
    'aws:copilot:description': 'An IAM Role {{- if .PermissionsBoundary}} with permissions boundary {{.PermissionsBoundary}} {{- end}} for App Runner to use on your behalf to pull your image from ECR'
  Type: AWS::IAM::Role
  Condition: NeedsAccessRole
  Properties:
    {{- if .PermissionsBoundary}}
    PermissionsBoundary: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/{{.PermissionsBoundary}}'
    {{- end}}
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - build.apprunner.amazonaws.com
          Action: sts:AssumeRole

    ManagedPolicyArns:
      - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSAppRunnerServicePolicyForECRAccess