aws-amplify / amplify-category-api

The AWS Amplify CLI is a toolchain for simplifying serverless web and mobile development. This plugin provides functionality for the API category, allowing for the creation and management of GraphQL and REST based backends for your amplify project.
https://docs.amplify.aws/
Apache License 2.0

Newer versions of Amplify CLI not creating the IAM policy properly for DynamoDB datasource #2750

Closed call2shadab closed 1 week ago

call2shadab commented 1 month ago

How did you install the Amplify CLI?

npm

If applicable, what version of Node.js are you using?

Node v20.11.1

Amplify CLI Version

Amplify v12.12.6

What operating system are you using?

Mac

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

NA

Describe the bug

Amplify CLI v12.12.6 is not generating the correct IAM permissions policy when overrides are defined for a DynamoDB datasource. This results in an IAM AccessDenied error when the DynamoDB datasource is accessed via the AppSync API. Refer to the reproduction steps below.

Testing with the previous version of the Amplify CLI (v12.10.1), the correct permissions policy is generated for the changed name and associated with the role.

Additionally, the newer versions pop up a warning about the usage of iam in @auth and require us to change this to identityPool; however, the documentation is not updated and still suggests using iam.

Expected behavior

The correct permissions policies should be generated and associated with the role.

Reproduction steps

  1. In an Amplify Gen 1 application, add the GraphQL API with IAM authorization using Amplify CLI v12.12.6.
  2. Run amplify override api.
  3. Define the following override in override.js to change the table name of the DynamoDB table:

```js
// inside the exported override(resources) function in override.js
resources.models["Todo"].modelDDBTable.tableName = `Todo-dev`;
```

  4. Push the changes and check the IAM role associated with the AppSync API under the datasource section.
  5. The role would not have permissions for the changed DynamoDB table name. The role would only contain the policy named DynamoDBAccess, which has inline permissions only for the auto-generated table name and not the overridden one. This results in an AccessDenied error.

Project Identifier

No response

Log output

```
# Put your logs below this line
```

Additional information

No response

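A quick way to confirm the symptom described in the report, as an added example that is not code from the Amplify CLI project or from the issue author: after `amplify push`, pull the datasource role's inline policy (for example with `aws iam get-role-policy --role-name <role> --policy-name DynamoDBAccess`) and run the policy document through the checker below with the table name you set in override.js. The policy document embedded here is constructed to mirror what the reporter describes (it names only the auto-generated table, not the overridden `Todo-dev`); the region, account ID, API ID and GSI name are placeholders, and the required action list is an assumption about what the AppSync DynamoDB resolvers need.

```javascript
// Added example: checks whether an IAM policy document grants the actions an
// AppSync DynamoDB datasource needs on a given table name. Not Amplify code.

const REGION = 'us-east-1';        // placeholder
const ACCOUNT = '123456789012';    // placeholder
const GENERATED_TABLE = 'Todo-abcdef1234567890abcdef1234567890-dev'; // placeholder apiId
const OVERRIDDEN_TABLE = 'Todo-dev'; // the name set in override.js

// Actions assumed to be required by the generated resolvers.
const REQUIRED_ACTIONS = [
  'dynamodb:BatchGetItem', 'dynamodb:BatchWriteItem', 'dynamodb:PutItem',
  'dynamodb:DeleteItem', 'dynamodb:GetItem', 'dynamodb:Scan',
  'dynamodb:Query', 'dynamodb:UpdateItem',
];

function tableArn(tableName, region = REGION, account = ACCOUNT) {
  return `arn:aws:dynamodb:${region}:${account}:table/${tableName}`;
}

// CONSTRUCTED policy mirroring the report: only the auto-generated table name.
const DYNAMODB_ACCESS_POLICY = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Action: REQUIRED_ACTIONS,
    Resource: [tableArn(GENERATED_TABLE), `${tableArn(GENERATED_TABLE)}/*`],
  }],
};

// What the reporter expects to be generated for the overridden name.
function expectedDynamoDbAccess(tableName) {
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Action: REQUIRED_ACTIONS,
      Resource: [tableArn(tableName), `${tableArn(tableName)}/*`],
    }],
  };
}

// IAM matches Action/Resource strings as globs: '*' = any run, '?' = one char.
function iamGlobToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp(`^${escaped}$`);
}

function matchesAny(patterns, value) {
  return [].concat(patterns).some((p) => iamGlobToRegExp(p).test(value));
}

// Evaluate one policy for one action on one ARN. Explicit Deny wins over
// Allow, as in IAM. Conditions and NotAction/NotResource are not handled
// (the generated DynamoDBAccess statement uses neither).
function policyAllows(policy, action, resourceArn) {
  let allowed = false;
  for (const stmt of [].concat(policy.Statement)) {
    if (!matchesAny(stmt.Action || [], action)) continue;
    if (!matchesAny(stmt.Resource || [], resourceArn)) continue;
    if (stmt.Effect === 'Deny') return false;
    if (stmt.Effect === 'Allow') allowed = true;
  }
  return allowed;
}

// Required actions the policy does NOT grant on the table. Query/Scan are also
// checked against a GSI ARN (<table ARN>/index/<name>); an empty result means
// the role can reach the table under that name.
function missingTableActions(policy, tableName, opts = {}) {
  const base = tableArn(tableName, opts.region, opts.account);
  const anyIndex = `${base}/index/ExampleIndex`; // GSI name is illustrative
  return REQUIRED_ACTIONS.filter((action) => {
    if (!policyAllows(policy, action, base)) return true;
    const usesIndex = action === 'dynamodb:Query' || action === 'dynamodb:Scan';
    return usesIndex && !policyAllows(policy, action, anyIndex);
  });
}

for (const name of [GENERATED_TABLE, OVERRIDDEN_TABLE]) {
  const missing = missingTableActions(DYNAMODB_ACCESS_POLICY, name);
  console.log(missing.length === 0
    ? `OK: DynamoDBAccess covers ${name}`
    : `MISSING on ${name}: ${missing.join(', ')}`);
}
```

Run it against the real policy JSON returned by the AWS CLI instead of the constructed one; a non-empty list for the overridden name is the AccessDenied the issue reports, and comparing against `expectedDynamoDbAccess('Todo-dev')` shows which resource ARNs the generated statement is missing.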

adamgogacz commented 1 month ago

Any idea when (version) this bug was introduced?

AnilMaktala commented 1 month ago

Hi @call2shadab, Thanks for bringing this up. Could you try rolling back to version v12.12.3 and let me know if it resolves the issue?

AnilMaktala commented 1 week ago

Hey 👋 , This issue is being closed due to inactivity. If you are still experiencing the same problem and need further assistance, please feel free to leave a comment. This will enable us to reopen the issue and provide you with the necessary support.

github-actions[bot] commented 1 week ago

This issue is now closed. Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one.