Closed acusti closed 2 years ago
i just tried commenting out blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL, and now i get an error due to specifying serverAccessLogsBucket when creating a bucket, e.g.:

    const destination = new s3.Bucket(this, 'Destination', {
      serverAccessLogsBucket: logsBucket,
      serverAccessLogsPrefix: 'destination-bucket-logs/',
      encryption: s3.BucketEncryption.S3_MANAGED,
      publicReadAccess: false,
      // blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
      cors: [
        {
          maxAge: 3000,
          allowedOrigins: ['*'],
          allowedHeaders: ['*'],
          allowedMethods: [s3.HttpMethods.GET],
        },
      ],
    });

the error logs:

    CREATE_FAILED Destination123AB456 AWS::S3::Bucket Thu Mar 24 2022 17:00:00 GMT-0700 (Pacific Daylight Time) API: s3:PutBucketLogging Access Denied

i also tried removing the SnsTopic Cfn.Output, but i still get the amplifyadmin is not authorized to perform: SNS:GetTopicAttributes error when running amplify push.
Hello @acusti, Thank you for reaching out. Apologies for the delay in a response. Could you please check your current IAM policies to see whether they are similar to the IAM permissions outlined in the following document: https://docs.amplify.aws/cli/reference/iam/

Additionally, from the information provided the application currently requires 3 permissions added as an inline policy item to your CLI IAM user. When using custom resources, the AdministratorAccess-Amplify managed policy may not have all the permissions required to add the custom resource.

Could you please let me know if your project is using profile based access. If it is not using a profile, I would suggest using profile based access and modifying your IAM user with the required permissions.
@ykethan thanks for the reply! i dug into this further based on your questions and discovered that the IAM user that i thought was being used by the amplify CLI actually hasn’t been active for over 6 months. that led me to use the amplify managed policy (arn:aws:iam::aws:policy/AdministratorAccess-Amplify) Policy Usage tab to see what IAM entities use that policy, and i was then able to figure out which role is being used by the CLI (it’s named like <AWS region>_AbcdE1234_Full-access). when i attached my custom policy to that role and granted it a bunch of mediaconvert permissions plus the missing S3 privileges, the custom-policies.json started working, though there were still a bunch of gotchas. for example, when i tried to grant iam:PassRole for a wildcard resource ARN, it didn’t work. i needed to include my account number in it to get it to be translated to a permission that i could then see when looking at the lambda in the console.
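The thread resolves to a short list of IAM actions that AdministratorAccess-Amplify does not cover for custom CDK resources (s3:PutBucketLogging, the bucket-level public access block action, sns:GetTopicAttributes, cloudfront:CreateFunction) plus the iam:PassRole gotcha above. As an added example, not code from the issue or from the Amplify project, the TypeScript below builds that supplemental policy for the CLI role and lints it for the two mistakes discussed in the thread: a PassRole statement on a bare "*" resource, and using the S3 API name s3:PutPublicAccessBlock where the IAM action is s3:PutBucketPublicAccessBlock. The account id, region and the "myapp-" bucket-name prefix are placeholders.

```typescript
// Added example (not from the issue or the Amplify project): build the supplemental
// IAM policy for the Amplify CLI role and lint it for the gotchas from the thread.
// Account id, region and bucket prefix passed in below are placeholders.

type Effect = "Allow" | "Deny";

interface Statement {
  Sid: string;
  Effect: Effect;
  Action: string[];
  Resource: string[];
}

interface PolicyDocument {
  Version: "2012-10-17";
  Statement: Statement[];
}

interface Finding {
  sid: string;
  message: string;
}

// IAM action names behind the Access Denied errors reported in the thread.
// The CloudFormation log says "PutPublicAccessBlock" (the S3 API name); the
// bucket-level IAM action is s3:PutBucketPublicAccessBlock.
export const S3_BUCKET_ACTIONS = ["s3:PutBucketPublicAccessBlock", "s3:PutBucketLogging"];
export const SNS_ACTIONS = ["sns:GetTopicAttributes"];
export const CLOUDFRONT_ACTIONS = ["cloudfront:CreateFunction"];

// S3 API names that are easy to paste from a log but are not IAM action names.
const API_NAME_TO_IAM_ACTION: Record<string, string> = {
  "s3:PutPublicAccessBlock": "s3:PutBucketPublicAccessBlock",
};

// Build the policy with every statement scoped to this account (and, for S3,
// to buckets whose names start with bucketPrefix) instead of "*".
export function buildSupplementalPolicy(accountId: string, region: string, bucketPrefix: string): PolicyDocument {
  if (!/^\d{12}$/.test(accountId)) {
    throw new Error("accountId must be the 12-digit AWS account number");
  }
  return {
    Version: "2012-10-17",
    Statement: [
      { Sid: "CustomS3Buckets", Effect: "Allow", Action: S3_BUCKET_ACTIONS, Resource: [`arn:aws:s3:::${bucketPrefix}*`] },
      { Sid: "CustomSnsTopics", Effect: "Allow", Action: SNS_ACTIONS, Resource: [`arn:aws:sns:${region}:${accountId}:*`] },
      { Sid: "CustomCloudFrontFunctions", Effect: "Allow", Action: CLOUDFRONT_ACTIONS, Resource: [`arn:aws:cloudfront::${accountId}:function/*`] },
      // The gotcha from the thread: a bare "*" resource did not take effect for the
      // author; naming the account here is also the least-privilege form.
      { Sid: "PassRolesInThisAccount", Effect: "Allow", Action: ["iam:PassRole"], Resource: [`arn:aws:iam::${accountId}:role/*`] },
    ],
  };
}

// Flag PassRole on "*", S3 API names used as actions, and blanket Action "*".
export function lintPolicy(doc: PolicyDocument): Finding[] {
  const findings: Finding[] = [];
  for (const st of doc.Statement) {
    if (st.Effect !== "Allow") continue;
    const passesRole = st.Action.some((a) => a.toLowerCase() === "iam:passrole");
    if (passesRole && st.Resource.includes("*")) {
      findings.push({ sid: st.Sid, message: 'iam:PassRole on Resource "*"; scope it to arn:aws:iam::<account>:role/...' });
    }
    for (const a of st.Action) {
      const iamName = API_NAME_TO_IAM_ACTION[a];
      if (iamName) {
        findings.push({ sid: st.Sid, message: `${a} is an S3 API name, not an IAM action; use ${iamName}` });
      }
    }
    if (st.Action.includes("*")) {
      findings.push({ sid: st.Sid, message: 'Action "*" grants every API; list the actions the stack needs' });
    }
  }
  return findings;
}

export function policyJson(doc: PolicyDocument): string {
  return JSON.stringify(doc, null, 2);
}

// Stand-alone run with placeholder values: prints the policy to paste into the
// CLI role's inline policy, after confirming the linter has nothing to report.
const example = buildSupplementalPolicy("123456789012", "us-west-2", "myapp-");
console.log(lintPolicy(example).length === 0 ? policyJson(example) : lintPolicy(example));
```

The printed document is meant to be attached to the role the CLI actually assumes (the <AWS region>_..._Full-access role found via the managed policy's Policy Usage tab above), not to an unused IAM user.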
hello @acusti, glad to hear you are back up and running. I am interested to see what the current IAM policies are. Could you please provide me an example of the IAM policies attached, as I noticed that the full-access role is a role created by amplify studio.
my Full-access role by default has the AdministratorAccess-Amplify policy, which is an AWS managed policy, and a Full-access-Policy policy, which is of type Customer inline.

AdministratorAccess-Amplify policy:

Full-access-Policy:

in my application, i have added a video processing pipeline based on https://github.com/aws-solutions/video-on-demand-on-aws-foundations. the source S3 bucket is the one i added to amplify via amplify add storage, while the destination S3 bucket is created within a custom CDK stack (added via amplify add custom).

Full-access role that contains the following permissions:

hey, thank you for the information. This would make a great clarification on the documentation, where we will need to add custom policies for customer managed resources.
The documentation has been updated clarifying the permissions required for custom resources. https://docs.amplify.aws/cli/custom/cdk/
closing the issue for now, please do reach out to us again.
How did you install the Amplify CLI? yarn
If applicable, what version of Node.js are you using? v17.3.0
Amplify CLI Version: 7.6.26
What operating system are you using? Mac
Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made. No manual changes made
Amplify Categories: custom
Amplify Commands: push
Describe the bug

i am trying to add a custom CDK stack to my amplify app. in the cdk-stack.ts file, i am creating a few different S3 buckets. here’s an example of one of those:

however, with that setup, when i try to deploy the stack using amplify push, i see this error in the logs:

it looks like this error is due to initializing the bucket with the blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL option, and it seems like the fix is just to add that action to the amplify IAM policy. the docs reference for the IAM policy states:

however, i’m not sure how i’m supposed to update that policy. when i look in IAM in the console, the AdministratorAccess-Amplify policy is read-only because it is an AWS Managed Policy. is there some place in the docs that covers this? should this permission be a part of the main amplify IAM policy? i added a new policy that included that action and attached it to amplify-user alongside the AdministratorAccess-Amplify policy, but i still get the same error on running amplify push.

an aside: the logs refer to PutPublicAccessBlock, and the S3 Actions API Reference includes it, but IAM doesn’t recognize it; instead, it has PutAccessPointPublicAccessBlock, PutAccountPublicAccessBlock, and PutBucketPublicAccessBlock. i’m guessing that PutBucketPublicAccessBlock is the action i need for my particular use case, but i’m not sure about that. i added all 3 permissions to the policy i created.

i ran into two other access denied permissions issues while trying to deploy the custom stack. one is with creating a CloudFront instance; when i use insertHttpSecurityHeaders: true, i get:

lastly, adapting the scaffolded code to create an SNS topic and add an email subscription to it for my purposes, i get:

the only addition i made to the default code was to output the SNS topic:
Expected behavior

i expected to be able to amplify push my custom CDK stack including S3 buckets, a CloudFront instance, and an SNS topic and subscription, without errors.

Reproduction steps

1. in an existing amplify app, run amplify add custom
2. give it a name and choose CDK
3. add/uncomment import * as s3 from '@aws-cdk/aws-s3'; in cdk-stack.ts and add to the constructor:
4. run amplify push

my code for creating the SNS topic and subscribing to it (where EMAIL ADDRESS HERE is an actual email address):

and for creating the CloudFront distribution connected to an S3 bucket (resulting in access denied due to missing cloudfront:CreateFunction permission):

GraphQL schema(s)

Log output

Additional information
No response