aws-amplify / amplify-cli

The AWS Amplify CLI is a toolchain for simplifying serverless web and mobile development.
Apache License 2.0
Amplify build issue when deploying Cloudformation custom resource in a delegated admin account #13801

Closed tawoyinfa closed 4 months ago

tawoyinfa commented 6 months ago

How did you install the Amplify CLI?

npm

If applicable, what version of Node.js are you using?

No response

Amplify CLI Version

12.12.1

What operating system are you using?

Mac

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

No manual changes made

Describe the bug

I have a cloudformation custom resource deployed using amplify cli (`amplify add custom`) which deploys a cloudtrail lake event datastore in an account. Recently, it stopped working when the solution is deployed in a delegated admin account but works when it is deployed in the management account for the organisation. The error is shown below:

```
2024-04-30T00:47:12.142Z [INFO]: CREATE_IN_PROGRESS myEventDataStore AWS::CloudTrail::EventDataStore Tue Apr 30 2024 00:47:08 GMT+0000 (Coordinated Universal Time)
CREATE_FAILED myEventDataStore AWS::CloudTrail::EventDataStore Tue Apr 30 2024 00:47:09 GMT+0000 (Coordinated Universal Time) Resource handler returned message: "Invalid request provided: User: arn:aws:sts::xxxxxxxx:assumed-role/TEAM-IDC-APP-AmplifyRole-8ABQF4FsKQN2/BuildSession is not authorized to access this resource (Service: CloudTrail, Status Code: 400, Request ID: ec49a0a9-56ab-4eb5-b549-b53a90f29419)" (RequestToken: 7ee30e5b-6baa-5ca2-cc38-1a8dfb1a2733, HandlerErrorCode: InvalidRequest)
CREATE_FAILED amplify-teamidcapp-main-04403-customcloudtrailLake-1M9T6PQ9GXKSF AWS::CloudFormation::Stack Tue Apr 30 2024 00:47:09 GMT+0000 (Coordinated Universal Time) The following resource(s) failed to create: [myEventDataStore]
```

This error occurs even when amplify is granted full administrator access in the delegated admin account.

I can create the cloudtrail lake event datastore resource in the delegated admin account if I use vanilla cloudformation. But I get this error when deployed using amplify.

Expected behavior

Backend resource created successfully

Reproduction steps

  1. `amplify add custom`
  2. choose cloudformation
  3. add a cloudformation template for creating a cloudtrail lake event datastore
  4. `amplify push -y`

Project Identifier

No response

Additional information

No response

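For readers reproducing the steps above, here is an added example of the kind of template step 3 refers to. It is not the reporter's template and not code from the Amplify project: the resource name `myEventDataStore` matches the one in the error log, but the data store name, retention, event selector, tag and output are assumptions. The `env` parameter is the one the Amplify CLI passes into every custom resource stack. `OrganizationEnabled` is left `false` so the store is scoped to the deploying account; switching it to `true` makes CloudTrail additionally require that the account be the organization's management account or a registered CloudTrail delegated administrator, which is worth checking first when a deploy into a delegated admin account fails with a CloudTrail authorization message.

```yaml
# Added example: an Amplify custom CloudFormation resource that creates a
# CloudTrail Lake event data store. Resource, name, selector and output values
# are assumptions, not the reporter's template.
AWSTemplateFormatVersion: "2010-09-09"
Description: Amplify custom resource - CloudTrail Lake event data store (added example)
Parameters:
  env:
    Type: String
    Description: Amplify environment name, supplied by the CLI to every custom resource stack
Resources:
  myEventDataStore:
    Type: AWS::CloudTrail::EventDataStore
    Properties:
      # Include the env name so dev and prod stacks do not collide on the store name
      Name: !Sub amplify-${env}-management-events
      # Account-scoped store. Setting this to true requires the deploying account to be
      # the management account or a registered CloudTrail delegated administrator.
      OrganizationEnabled: false
      MultiRegionEnabled: true
      # Retention in days (assumed value)
      RetentionPeriod: 90
      # Leave off while iterating; enable once the store holds data you must keep
      TerminationProtectionEnabled: false
      AdvancedEventSelectors:
        - Name: Management events only
          FieldSelectors:
            - Field: eventCategory
              Equals:
                - Management
      TagsList:
        - Key: amplify-env
          Value: !Ref env
Outputs:
  EventDataStoreArn:
    Description: ARN of the event data store, for other Amplify categories to reference
    Value: !GetAtt myEventDataStore.EventDataStoreArn
```

`amplify push` deploys this as a nested stack under the Amplify root stack, so the principal that CloudTrail evaluates is the role the build runs under (the `BuildSession` role in the log above), not the IAM user who ran the CLI.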
robbycuenot commented 5 months ago

I'm facing this currently @tawoyinfa, deploying into a new organization. Do you have a suggested workaround?

ykethan commented 5 months ago

Hey, when creating custom resources using Amplify CLI, the CLI may require additional permissions outside the Amplify managed policy, AdministratorAccess-Amplify. For more information on providing additional permissions to your Amplify CLI IAM user refer to AWS IAM User documentation.
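As an added illustration of the kind of additional grant this comment refers to (not code from the Amplify project, and not a confirmed fix for the 400 in the report above), here is a standalone CloudFormation template that creates a managed policy with the CloudTrail Lake actions an event data store deployment uses and attaches it to an existing role. The `AmplifyRoleName` parameter is a placeholder for the Amplify service or build role; the Organizations and service-linked-role statements are only exercised when the data store is organization-enabled. Comparing the actions here against what the role actually holds is the check to run before assuming the managed policy alone is sufficient.

```yaml
# Added example: extra permissions for a role that deploys CloudTrail Lake via an
# Amplify custom resource. Role name is a placeholder parameter; the action list is
# the documented CloudTrail Lake lifecycle set, not something taken from this issue.
AWSTemplateFormatVersion: "2010-09-09"
Description: Additional permissions for an Amplify role deploying CloudTrail Lake (added example)
Parameters:
  AmplifyRoleName:
    Type: String
    Description: Name of the existing Amplify service/build role to attach the policy to (placeholder)
Resources:
  CloudTrailLakeDeployPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: !Sub ${AmplifyRoleName}-cloudtrail-lake-deploy
      Roles:
        - !Ref AmplifyRoleName
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: EventDataStoreLifecycle
            Effect: Allow
            Action:
              - cloudtrail:CreateEventDataStore
              - cloudtrail:GetEventDataStore
              - cloudtrail:UpdateEventDataStore
              - cloudtrail:DeleteEventDataStore
              - cloudtrail:AddTags
              - cloudtrail:RemoveTags
              - cloudtrail:ListTags
            # Scoped to stores in this account; narrow to a named store ARN once it exists
            Resource: !Sub arn:aws:cloudtrail:*:${AWS::AccountId}:eventdatastore/*
          - Sid: EventDataStoreList
            Effect: Allow
            Action:
              - cloudtrail:ListEventDataStores
            # List calls are not resource-scoped
            Resource: "*"
          - Sid: OrganizationLookups
            # Only needed when the data store sets OrganizationEnabled: true
            Effect: Allow
            Action:
              - organizations:DescribeOrganization
              - organizations:ListAWSServiceAccessForOrganization
              - organizations:ListDelegatedAdministrators
              - organizations:ListAccounts
            Resource: "*"
          - Sid: CloudTrailServiceLinkedRole
            # CloudTrail creates its service-linked role the first time an org store is made
            Effect: Allow
            Action:
              - iam:CreateServiceLinkedRole
              - iam:GetRole
            Resource: !Sub arn:aws:iam::${AWS::AccountId}:role/aws-service-role/cloudtrail.amazonaws.com/AWSServiceRoleForCloudTrail
```

Deploy it once per account with `aws cloudformation deploy` and the role name as a parameter override, then re-run `amplify push`; if the same CloudTrail message persists with these actions in place, the cause lies outside IAM permissions on that role (for example the account's delegated administrator registration), which is exactly what this policy lets you rule in or out.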

ykethan commented 4 months ago

Closing the issue due to inactivity. Do reach out to us if you are still experiencing this issue.

github-actions[bot] commented 4 months ago

This issue is now closed. Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one.