aws-amplify / amplify-cli

The AWS Amplify CLI is a toolchain for simplifying serverless web and mobile development.
Apache License 2.0

User: arn:aws:sts::471112589329:assumed-role/eu-central-1_Ad25tEyii_Full-access/amplifyadmin is not authorized to perform: cognito-idp:GetGroup #13901

Open fistofzen opened 3 months ago

fistofzen commented 3 months ago

How did you install the Amplify CLI?

No response

If applicable, what version of Node.js are you using?

No response

Amplify CLI Version

12.12.4

What operating system are you using?

Mac

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

No

Describe the bug

When I do `amplify add env ...` and then `amplify push`, I get this error:

```
Name: SubscribedGroup (AWS::Cognito::UserPoolGroup), Event Type: create, Reason: Resource handler returned message: "User: arn:aws:sts::471112589329:assumed-role/eu-central-1_Ad25tEyii_Full-access/amplifyadmin is not authorized to perform: cognito-idp:GetGroup on resource: arn:aws:cognito-idp:eu-central-1:471112589329:userpool/eu-central-1_0WJJ5Y05O because no identity-based policy allows the cognito-idp:GetGroup action (Service: CognitoIdentityProvider, Status Code: 400, Request ID: fb4dc113-81ac-4742-841b-f90717fcc71a)" (RequestToken: 94514ba1-38ef-acfb-0010-bcba2ca044b6, HandlerErrorCode: GeneralServiceException), IsCustomResource: false
```

Expected behavior

Push to new env.

Reproduction steps

amplify push

Project Identifier

No response

Log output

```
# Put your logs below this line
```

Additional information

No response


ykethan commented 3 months ago

Hey @fistofzen, this appears to be similar to https://github.com/aws-amplify/amplify-cli/issues/7582, currently being tracked as a bug. The comment provides a workaround using the custom-policies.json to add the permissions: https://github.com/aws-amplify/amplify-cli/issues/7582#issuecomment-1062437331

femmedecentral commented 1 month ago

FWIW I had the same error, and the workaround mentioned by @ykethan (I think) didn't apply to me because this was at the amplify push stage, not something contained in the permissions with a lambda function, which is what I think the custom-policies.json workaround applies to.

I finally got my new env to build, and my old one that was also producing a Cognito related build error (I was trying to create a Cognito group in this push), by searching in IAM for a role that had the same role name as the error (____Full-access) and then adding an inline policy that gave that role the permission to GetGroup for resources within my project (I had at least 2 different ARNs, so I just did a * to save myself some time since I thought GetGroup was low stakes).

I hope you were able to move beyond this bug, but documenting in case anyone else ever runs into this.
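A scoped version of the inline-policy workaround described in the comment above, as an added example that is not part of this thread or of the Amplify CLI. Rather than granting `cognito-idp:GetGroup` on `*`, it parses the role name, denied action and user pool ARN out of the AccessDenied message, builds an inline policy limited to exactly that action on exactly that user pool, refuses to attach anything with a wildcard Resource, and attaches it with the IAM `PutRolePolicy` API (the same call as `aws iam put-role-policy`). The role and pool identifiers are the ones in the error on this page; the policy name `AmplifyCognitoGetGroup` and the message-parsing regexes are assumptions of this example, and the `boto3` import is deferred so everything except the final attach step runs offline.

```python
"""Scoped inline-policy fix for an Amplify push denied on cognito-idp:GetGroup.

Added example, not code from the issue thread or the Amplify CLI. It grants
only the action the error names, only on the user pool the error names, to
the role named in the "assumed-role/<role>/..." part of the error ARN.
"""
import json
import re

# Error text from the issue on this page (used as sample input).
ISSUE_ERROR = (
    'User: arn:aws:sts::471112589329:assumed-role/eu-central-1_Ad25tEyii_Full-access/amplifyadmin '
    'is not authorized to perform: cognito-idp:GetGroup on resource: '
    'arn:aws:cognito-idp:eu-central-1:471112589329:userpool/eu-central-1_0WJJ5Y05O '
    'because no identity-based policy allows the cognito-idp:GetGroup action'
)

# Regexes are an assumption of this example, matching the message shape above.
STS_ROLE_RE = re.compile(r"arn:aws:sts::(?P<account>\d{12}):assumed-role/(?P<role>[^/\s]+)/")
POOL_ARN_RE = re.compile(
    r"arn:aws:cognito-idp:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):userpool/(?P<pool>[A-Za-z0-9_-]+)"
)
ACTION_RE = re.compile(r"not authorized to perform: (?P<action>\S+)")


def parse_access_denied(message: str) -> dict:
    """Extract the IAM role name, the denied action and the user pool ARN.

    Raises ValueError if the message is not an AccessDenied of the expected shape,
    so a caller never builds a policy from a message it did not understand.
    """
    role = STS_ROLE_RE.search(message)
    pool = POOL_ARN_RE.search(message)
    action = ACTION_RE.search(message)
    if not (role and pool and action):
        raise ValueError("message is not an AccessDenied of the expected shape")
    return {
        "role_name": role.group("role"),
        "action": action.group("action"),
        "resource_arn": pool.group(0),
    }


def build_policy(action: str, resource_arns: list[str]) -> dict:
    """Build an IAM policy document allowing one action on explicit pool ARNs."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AmplifyCognitoGetGroup",  # assumed Sid
                "Effect": "Allow",
                "Action": [action],
                "Resource": sorted(set(resource_arns)),
            }
        ],
    }


def has_wildcard_resource(policy: dict) -> bool:
    """True if any statement grants on '*' or a trailing ':*' resource."""
    for stmt in policy["Statement"]:
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        if any(r == "*" or r.endswith(":*") for r in resources):
            return True
    return False


def attach_inline_policy(role_name: str, policy: dict,
                         policy_name: str = "AmplifyCognitoGetGroup",
                         iam_client=None) -> str:
    """Attach the policy as an inline role policy via IAM PutRolePolicy.

    Refuses wildcard resources so the least-privilege intent cannot be bypassed
    by a careless caller. iam_client is injectable for testing; by default a
    boto3 IAM client is created (lazy import keeps the helpers above offline).
    """
    if has_wildcard_resource(policy):
        raise ValueError("refusing to attach a policy with a wildcard Resource")
    if iam_client is None:
        import boto3  # assumption: boto3 installed and AWS credentials configured
        iam_client = boto3.client("iam")
    iam_client.put_role_policy(
        RoleName=role_name,
        PolicyName=policy_name,
        PolicyDocument=json.dumps(policy),
    )
    return policy_name


if __name__ == "__main__":
    # Dry run: show what would be attached, without calling AWS.
    info = parse_access_denied(ISSUE_ERROR)
    print("role:", info["role_name"])
    print(json.dumps(build_policy(info["action"], [info["resource_arn"]]), indent=2))
```

Run it as-is to see the policy it would attach; to apply it, call `attach_inline_policy(info["role_name"], policy)` with credentials that can write IAM policies. If a project has more than one user pool, pass all of their ARNs to `build_policy` rather than widening to `*`: the blast radius of an over-broad grant on an Amplify-managed admin role is the whole account, not just one user pool.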

ykethan commented 1 month ago

@femmedecentral apologies for the delay and thank you for the context. Marking this as a bug to update the managed policy to add cognito-idp:GetGroup