aws-amplify / amplify-cli

The AWS Amplify CLI is a toolchain for simplifying serverless web and mobile development.
Apache License 2.0

Permissions Error when recording events with KinesisStream provider from Analytics #11631

Open abdallahshaban557 opened 1 year ago

abdallahshaban557 commented 1 year ago

How did you install the Amplify CLI?

npm

If applicable, what version of Node.js are you using?

16.4

Amplify CLI Version

10.5.2

What operating system are you using?

Mac

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

No

Describe the bug

I am using the Kinesis Streams provider from the Analytics feature set - and I am getting an error when trying to use Analytics.record

```
{"__type":"AccessDeniedException","Message":"User: arn:aws:sts::613607431007:assumed-role/amplify-nextjsplayground-dev-205355-unauthRole/CognitoIdentityCredentials is not authorized to perform: kinesis:PutRecords on resource: arn:aws:kinesis:us-west-2:613607431007:stream/undefined because no identity-based policy allows the kinesis:PutRecords action"}
```

If I try updating the Project by using amplify update analytics I get an error from the CLI and I cannot proceed.

Expected behavior

Permission errors for the UnAuth role should not be shown when using the Kinesis Stream provider.

Reproduction steps

  1. Add amplify by using amplify add analytics
  2. Choose Kinesis Streams as the provider
  3. Allow Auth and UnAuth roles to access the Analytics resource
  4. Register the Kinesis pluggable into the NextJS app
  5. Try using the Analytics.record API
  6. The error shows up in the console

Project Identifier

07d8fa9a07058e596960d73808ea0ff5

Log output

```
# Put your logs below this line
```

Additional information

No response


josefaidt commented 1 year ago

Hey @abdallahshaban557 :wave: thanks for raising this! As we begin to look into this in more depth I have two follow-up questions:

From the error in the browser console, the resource ARN stands out as it ends with `undefined`, resource: `arn:aws:kinesis:us-west-2:613607431007:stream/undefined`. Is this value accurately captured in the `aws-exports.js` file?

> If I try updating the Project by using amplify update analytics I get an error from the CLI and I cannot proceed.

What is the error you're receiving when attempting to update your analytics resource?

abdallahshaban557 commented 1 year ago

Hi @josefaidt

It seems like the value for analytics isn't captured at all in my aws-exports.js file. I can only see Auth information reflected in the file.

When I try to update the analytics resource I get this error

```
🛑 File at path: '/Users/awshaban/Main_Folder/Github/JS/nextjs-playground/amplify/backend/analytics/nextjsplaygroundKinesis/pinpoint-cloudformation-template.json' does not exist
```

josefaidt commented 1 year ago

Note: upon further inspection I noticed after pushing analytics I do not see an analytics-related key in the aws-exports.js file which may be the culprit.

josefaidt commented 1 year ago

It appears the endpoint is missing when the Analytics module from amplify-js attempts to make the PutRecords call with the KinesisStream client from aws-sdk.

Note: we do see the ARN is captured as an output in kinesis-cloudformation-template.json:

```json
"Outputs": {
  "kinesisStreamArn": {
    "Value": {
      "Fn::GetAtt": [
        "KinesisStream",
        "Arn"
      ]
    }
  },
  "kinesisStreamId": {
    "Value": {
      "Ref": "KinesisStream"
    }
  },
  "kinesisStreamShardCount": {
    "Value": {
      "Ref": "kinesisStreamShardCount"
    }
  }
}
```

and this is successfully captured in amplify-meta.json

```json
"output": {
  "kinesisStreamId": "nextjsplaygroundKinesis-myenv",
  "kinesisStreamShardCount": "1",
  "kinesisStreamArn": "arn:aws:kinesis:us-east-1:814763596509:stream/nextjsplaygroundKinesis-myenv"
},
```

where amplify-js is missing the resource name. Marking as a bug 🙂
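
The triage in this thread (the denied resource ends in `stream/undefined` while the deployed stream ARN exists in `amplify-meta.json`) can be scripted to separate a client configuration fault from a genuinely missing IAM permission. This is an added example, not code from the thread or from Amplify; the function names and the deployed stream name `example-stream-dev` are assumptions.

```javascript
// Added example (not from the thread). Function names are hypothetical.
// Splits an ARN; the resource part may itself contain ':' so rejoin the tail.
function parseArn(arn) {
  const parts = String(arn).split(':');
  if (parts.length < 6 || parts[0] !== 'arn') return null;
  const [, partition, service, region, account] = parts;
  return { partition, service, region, account, resource: parts.slice(5).join(':') };
}

// Extracts principal, action and resource from the IAM denial message.
function parseAccessDenied(body) {
  let doc;
  try { doc = JSON.parse(body); } catch { return null; }
  if (!doc || doc.__type !== 'AccessDeniedException') return null;
  const m = /^User: (\S+) is not authorized to perform: (\S+) on resource: (\S+)/.exec(doc.Message || '');
  return m ? { principal: m[1], action: m[2], resource: parseArn(m[3]) } : null;
}

// Compares the denied resource with the deployed stream ARN (kinesisStreamArn).
function triage(body, deployedStreamArn) {
  const denied = parseAccessDenied(body);
  const deployed = parseArn(deployedStreamArn);
  if (!denied || !denied.resource || !deployed) return { verdict: 'unparsed', reasons: [] };
  const reasons = [];
  const name = denied.resource.resource.replace(/^stream\//, '');
  // A stringified undefined/null means the client never had a stream name.
  if (['undefined', 'null', ''].includes(name)) reasons.push('stream name missing in client config');
  for (const field of ['region', 'account', 'resource']) {
    if (denied.resource[field] !== deployed[field]) reasons.push(`${field} differs from deployed stream`);
  }
  // Only a request that named the deployed stream points at the role policy.
  const verdict = reasons.length ? 'client-misconfiguration' : 'missing-iam-permission';
  return { verdict, principal: denied.principal, action: denied.action, reasons };
}

// Message text copied from the issue; the deployed stream name is constructed.
const ROLE = 'arn:aws:sts::613607431007:assumed-role/amplify-nextjsplayground-dev-205355-unauthRole/CognitoIdentityCredentials';
const DEPLOYED_ARN = 'arn:aws:kinesis:us-west-2:613607431007:stream/example-stream-dev';
const denial = (resource) => JSON.stringify({
  __type: 'AccessDeniedException',
  Message: `User: ${ROLE} is not authorized to perform: kinesis:PutRecords on resource: ${resource} because no identity-based policy allows the kinesis:PutRecords action`,
});

console.log(triage(denial('arn:aws:kinesis:us-west-2:613607431007:stream/undefined'), DEPLOYED_ARN));
console.log(triage(denial(DEPLOYED_ARN), DEPLOYED_ARN));
```

A `client-misconfiguration` verdict means widening the unauth role's policy would not help, because the request never named the deployed stream.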