aws-amplify / amplify-cli

The AWS Amplify CLI is a toolchain for simplifying serverless web and mobile development.
Apache License 2.0

Amplify publish failed - Missing cloudfront permission for user #9911

Open ktmdan opened 2 years ago

ktmdan commented 2 years ago

Before opening, please confirm:

How did you install the Amplify CLI?

npm

If applicable, what version of Node.js are you using?

v17.3

Amplify CLI Version

7.6.19

What operating system are you using?

Macos

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

None

Amplify Categories

hosting

Amplify Commands

publish

Describe the bug

Created user through config walkthrough. This created a user with [AdministratorAccess-Amplify] policy. Pulled existing backend. Add hosting using S3 and production.

Publish started for S3AndCloudFront An error occurred during the publish operation: User: arn:aws:iam::xxx:user/xx is not authorized to perform: cloudfront:GetCloudFrontOriginAccessIdentity on resource: arn:aws:cloudfront::xx:origin-access-identity/xx because no identity-based policy allows the cloudfront:GetCloudFrontOriginAccessIdentity action

Added CloudFrontFullAccess policy to user and the publish succeeded.

Expected behavior

No error.

Reproduction steps

  1. `amplify configure` (create new user)
  2. `amplify pull` (existing backend)
  3. `amplify add hosting` (S3, production)
  4. `amplify publish`

GraphQL schema(s)

```graphql
# Put schemas below this line
```

Log output

```
# Put your logs below this line
```

Additional information

No response

daichi-yamauchi commented 2 years ago

Hi, I've faced this issue and resolved it by the following way.

  1. Open IAM Management Console
  2. Create policy with service: cloudfront and action: GetCloudFrontOriginAccessIdentity
  3. Attach the policy to the user that is used by the Amplify CLI (the default user name is amplify-xxxxx)

josefaidt commented 2 years ago

Hey @ktmdan and @daichi-yamauchi :wave: thanks for raising this! I was able to successfully reproduce by using the following steps:

  1. create a new project with amplify init -y using a profile with AdministratorAccess-Amplify
  2. create a sample index.html file at dist/index.html
  3. create a sample build command
  4. amplify add hosting > s3 PROD
  5. amplify publish
  6. observe error

As noted this can be mitigated by providing an inline policy to the created IAM user:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudfront:GetCloudFrontOriginAccessIdentity"
            ],
            "Resource": "*"
        }
    ]
}
```

Although this action is included in the managed policy, the condition requires the call to originate from CloudFormation, which is causing the CLI to error on publish:

```json
{
    "Sid": "CLIManageviaCFNPolicy",
    "Effect": "Allow",
    "Action": [
        // ...
        "cloudfront:GetCloudFrontOriginAccessIdentity",
        // ...
    ],
    "Resource": "*",
    "Condition": {
        "ForAnyValue:StringEquals": {
            "aws:CalledVia": [
                "cloudformation.amazonaws.com"
            ]
        }
    }
},
```

Marking as a bug 🙂

kenbankspeng commented 2 years ago

Just rebuilding a backend using the latest Amplify CLI release and a bit shocked to hit this issue.

A bit concerning that a regression on a primary workflow like this one gets through to mainline release and much more concerning that this primary amplify workflow has been broken since at least Mar 4.

Mitigation aside, wouldn't any defect against out-of-the-box core functionality be a P1 must-fix-now type of defect? And how can primary flow be broken for what will soon be 3 months?

Nevertheless, I appreciate greatly that the CLI has improved immensely over the last year. Keep going!

0618 commented 2 years ago

Any updates on this issue?

0618 commented 2 years ago

A temporary solution to this issue is to manually add the policy on IAM.

The easiest way is to add the following JSON to the inline policy

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudfront:GetCloudFrontOriginAccessIdentityConfig",
                "cloudfront:GetCloudFrontOriginAccessIdentity"
            ],
            "Resource": "arn:aws:cloudfront::xxxxxxxxxxxx:origin-access-identity/*"
        }
    ]
}
```
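As an added example (not code from the issue thread or the Amplify project), a small Python model of the policy evaluation discussed in the comments above: the managed statement's `aws:CalledVia` condition fails for a direct CLI call, while the account-scoped inline policy from the last comment allows the action only for origin access identities in that account. The account id and OAI id are constructed placeholders, and the evaluator models only the condition operator the managed policy uses.

```python
import fnmatch

# Constructed placeholder account id (12 digits), not a real account.
ACCOUNT = "123456789012"

# Statement shape from the AdministratorAccess-Amplify managed policy as quoted in the
# thread, reduced to the one action relevant here (the real statement lists many more).
MANAGED_CFN_ONLY = {
    "Effect": "Allow",
    "Action": ["cloudfront:GetCloudFrontOriginAccessIdentity"],
    "Resource": "*",
    "Condition": {"ForAnyValue:StringEquals": {"aws:CalledVia": ["cloudformation.amazonaws.com"]}},
}

# Account-scoped inline policy from the last comment, placeholder account id substituted.
INLINE_SCOPED = {
    "Effect": "Allow",
    "Action": ["cloudfront:GetCloudFrontOriginAccessIdentityConfig",
               "cloudfront:GetCloudFrontOriginAccessIdentity"],
    "Resource": f"arn:aws:cloudfront::{ACCOUNT}:origin-access-identity/*",
}

def _matches(patterns, value):
    """IAM-style wildcard match ('*' and '?') for Action / Resource, string or list."""
    pats = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def _condition_met(cond, ctx):
    """Only ForAnyValue:StringEquals is modelled; any value of the key must be in the list."""
    for op, kv in cond.items():
        if op != "ForAnyValue:StringEquals":
            raise NotImplementedError(op)
        for key, allowed in kv.items():
            if not any(v in allowed for v in ctx.get(key, [])):
                return False
    return True

def is_allowed(statements, action, resource, called_via=()):
    """Simplified identity-policy evaluation: explicit Deny wins, else any matching Allow.
    called_via lists the services the request passed through (empty for a direct CLI call)."""
    ctx = {"aws:CalledVia": list(called_via)}
    allowed = False
    for st in statements:
        if not _matches(st["Action"], action) or not _matches(st["Resource"], resource):
            continue
        if st.get("Condition") and not _condition_met(st["Condition"], ctx):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

The same evaluation shows why the `"Resource": "*"` variant earlier in the thread is broader than needed: it grants the action for origin access identities in any account, whereas the scoped ARN limits it to the deploying account.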