Create Service role for AWS AppRunner


I am currently running a Next.js application on AWS AppRunner. Initially, when creating the service, I unintentionally left the Instance role in the Security section empty, resulting in AWS automatically creating a role for me. However, I now require AppRunner to read a parameter from AWS Parameter Store, necessitating the addition of the necessary permissions. I attempted to modify the existing service role, but it appears to be locked. As a solution, I tried creating a new role with the same managed policy and added the required parameter store permissions on top of it.

The first issue I encountered was that AppRunner was not available as a service option when creating a service role. As a workaround, I selected Lambda temporarily, with the intention of modifying the trust relationship later.

The second problem arose when I couldn't find the AppRunnerServiceRolePolicy among the available managed roles.

To address this, I manually copied the permissions from the generated role and added the necessary parameter store permissions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "events:PutTargets",
                "events:DeleteRule",
                "events:DescribeRule",
                "events:EnableRule",
                "events:PutRule",
                "events:RemoveTargets",
                "ssm:GetParameters",
                "logs:PutRetentionPolicy",
                "logs:CreateLogGroup",
                "events:DisableRule"
            ],
            "Resource": [
                "arn:aws:ssm:ap-southeast-1:xxxxx:parameter/npp-qna/*",
                "arn:aws:logs:*:*:log-group:/aws/apprunner/*",
                "arn:aws:events:*:*:rule/AWSAppRunnerManagedRule*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:DescribeLogStreams",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:*:*:log-group:/aws/apprunner/*:log-stream:*"
        }
    ]
}

Then I changed the trust advisor to apprunner using the JSON from the generated role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "apprunner.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Despite creating the role, it still does not appear as an option for selection as the instance role in AppRunner.

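An added offline check for this question, not code from the asker or from AWS. App Runner uses two different service principals: the service role (ECR access, and the events/logs permissions copied above) is assumed by build.apprunner.amazonaws.com, while the instance role that the running container uses is assumed by tasks.apprunner.amazonaws.com, and the instance-role picker only offers roles whose trust policy allows that principal. The script below reproduces that eligibility test and a simplified IAM evaluation (Action/Resource wildcards, explicit Deny beats Allow, Condition keys ignored; that simplification is an assumption) against the question's own documents. The parameter name database-url and the corrected trust policy are constructed for the example; ssm:GetParameter and ssm:GetParameters are distinct IAM actions, so the policy as posted only covers the batch call.

```python
"""Offline eligibility checks for an AWS App Runner *instance* role.

Added example for this thread, not code from the question or from AWS. It assumes the
principal App Runner uses for instance roles, tasks.apprunner.amazonaws.com, and a
simplified IAM model: Action/Resource wildcards, explicit Deny beats Allow, Condition
keys ignored (assumption).
"""
import json
import re

INSTANCE_ROLE_PRINCIPAL = "tasks.apprunner.amazonaws.com"


def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _wild(pattern, text, ignore_case=False):
    """IAM-style glob: '*' matches any run, '?' one character, everything else literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, text, re.IGNORECASE if ignore_case else 0) is not None


def trusts_principal(trust_policy, principal=INSTANCE_ROLE_PRINCIPAL):
    """True if an Allow statement lets `principal` call sts:AssumeRole.

    A role whose trust policy names another service (apprunner.amazonaws.com,
    lambda.amazonaws.com, ...) cannot be assumed by App Runner instances.
    """
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_wild(a, "sts:AssumeRole", ignore_case=True) for a in _as_list(stmt.get("Action"))):
            continue
        principal_block = stmt.get("Principal") or {}
        if principal_block == "*":
            return True  # anyone may assume: eligible, but far too broad for a real role
        if principal in _as_list(principal_block.get("Service")):
            return True
    return False


def allowed_actions(policy, resource_arn, candidate_actions):
    """Subset of `candidate_actions` the identity policy allows on `resource_arn`."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        if not any(_wild(r, resource_arn) for r in _as_list(stmt.get("Resource"))):
            continue
        patterns = _as_list(stmt.get("Action"))
        hits = {a for a in candidate_actions if any(_wild(p, a, ignore_case=True) for p in patterns)}
        (allowed if stmt.get("Effect") == "Allow" else denied).update(hits)
    return allowed - denied  # explicit Deny always wins


def check_instance_role(trust_policy, permissions_policy, parameter_arn, needed_actions):
    """Return a list of human-readable problems; an empty list means the role should work."""
    problems = []
    if not trusts_principal(trust_policy):
        problems.append(f"trust policy does not allow {INSTANCE_ROLE_PRINCIPAL} to assume the role")
    missing = set(needed_actions) - allowed_actions(permissions_policy, parameter_arn, needed_actions)
    for action in sorted(missing):
        problems.append(f"{action} is not allowed on {parameter_arn}")
    return problems


# --- constructed sample input: the question's documents plus a corrected trust policy ---
TRUST_FROM_QUESTION = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Principal": {"Service": "apprunner.amazonaws.com"},
                "Action": "sts:AssumeRole"}]}
""")

TRUST_FOR_INSTANCE_ROLE = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Principal": {"Service": "tasks.apprunner.amazonaws.com"},
                "Action": "sts:AssumeRole"}]}
""")

# Only the SSM-relevant part of the question's policy; 'xxxxx' is the account placeholder as posted.
PERMISSIONS_FROM_QUESTION = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Action": ["ssm:GetParameters"],
                "Resource": ["arn:aws:ssm:ap-southeast-1:xxxxx:parameter/npp-qna/*"]}]}
""")

# Hypothetical parameter under the question's path, and the two distinct IAM actions
# behind the SDK's GetParameter (single) and GetParameters (batch) calls.
PARAMETER_ARN = "arn:aws:ssm:ap-southeast-1:xxxxx:parameter/npp-qna/database-url"
NEEDED = ["ssm:GetParameter", "ssm:GetParameters"]


if __name__ == "__main__":
    for label, trust in (("as posted", TRUST_FROM_QUESTION), ("tasks principal", TRUST_FOR_INSTANCE_ROLE)):
        print(label, check_instance_role(trust, PERMISSIONS_FROM_QUESTION, PARAMETER_ARN, NEEDED) or "OK")
```

To run the same check against a real role, feed it the output of `aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument` and `aws iam get-role-policy --role-name <name> --policy-name <name>`. For an instance role, keep the permissions to what the container actually calls (the ssm actions on the parameter path, plus kms:Decrypt on the key if the parameter is a SecureString encrypted with a customer managed key); the events:* and logs:* permissions from the generated service role belong to the build/service side, not to the running instance.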