Closed zugger14 closed 2 years ago
I have also been hit with this issue. Since I use PR previews with SSR, every PR creates a new CloudFront distribution. Thus, after ~25 PRs, we get build failures.
In Amplify, there is a setting to delete old deployments once the branch has been merged. In my opinion, this should delete the underlying resources that are created during those merges.
Manually disabling then deleting the CloudFront distributions that were associated with Lambda@Edge functions worked for me. At this point, I am tempted to write some custom scripts to either delete old distributions (and potentially other resources) on cron-job or to delete on merge in a GitHub Action.
I'd recommend renaming this issue to something related to "Merging SSR PR previews doesn't clean up created resources" or something like that as I believe that's the underlying issue.
Good luck!
Thank you for your kind information but i have already manually deleted Cloudfront distributions associated with Lambda@Edge functions. And still it's throwing me access denied.. i have also tried the same code with the same build settings on another Aws account and it was successfully deployed.So for now, i have requested a quota increase rate for Cloudfront distributions and Lambda@Edge.
Hi @zugger14, does this help? https://github.com/aws-amplify/amplify-console/blob/master/FAQ.md#error-accessdenied-access-denied
For me, it was that the standard Amplify - Backend Deployment
service role didn't have all the permissions required for an SSR Nextjs deployment. I had to attach the AdministratorAccess
policy to my Amplify service role to make it work.
I think this issue is a duplicate of https://github.com/aws-amplify/amplify-console/issues/2192
In my situation I was first not able to clone the repo during the BUILD step getting fatal: unable to access 'https://git-codecommit.us-east-2.amazonaws
I was able to resolve that by adding AWSCodeCommitReadOnly
permission to my service role
However, I then ran into the issue described in this issue [ERROR]: AccessDenied: Access Denied
The odd thing is that even adding AdministratorAccess
permission did not make a difference this time.
Same issue here -- provided AdministratorAccess to the backend role as part of troubleshooting and still get AccessDenied error on SSR build.
Just wanted to bump this since it's been a couple weeks and I am still experiencing this.
@oste not ideal but we gave up in the end and re-init all of Amplify config from scratch -- thankfully we're still in MVP / proof of concept stage and could afford to do that.
Still had to provide AdministratorAccess -- don't like providing elevated privilges but it is what it is until Amplify team become more responsive and do some root cause analysis.
I actually fixed this for one Amplify project in one AWS account, but now I'm facing the issue again in a different account and even assigning AdministratorAccess
isn't fixing it this time.
For me and many others, this basically means that deploying SSR Next.js apps on Amplify does not work.
Spent some more time on this, and I think that the Access Denied
is happening when the Amplify role tries to update the s3 bucket to use transfer acceleration.
The operation - PutAccelerateConfiguration
should be allowed given that the service role has full AdministratorAccess
to all resources.
However, if I go to the s3 console myself (again, with full Admin access) and create a bucket, then even I am unable to update the bucket to use transfer acceleration.
Hi @cpv123 can you please share your appId so I can take a closer look, thanks!
I was able to successfully set the transfer acceleration for both new and existing buckets.
It does look like it fails on an S3 related task based on the error.
@Athena96 my Amplify appId is d23o5sr1zur08j
I spoke with AWS technical support this morning and walked them through the full problem whilst screen-sharing. I showed them both the Amplify failure and the S3 bucket problem alone. They're reaching out to another internal team and will get back to me.
I'll update in here if I get back anything good 🙏
Has there been any progress understanding why this permission issue exists?
@oste still not much clarity, although the AWS customer support did get it working for me.
The problem was in fact with S3 permissions - my account was not allowing transfer acceleration to be enabled on any S3 buckets which was causing the Amplify deployment to fail.
Why my account had this issue is not entirely clear to me - I was told that "the account was pending verification in the system which caused the S3 transfer acceleration capability to be blocked on the account", despite the account being in use for about 8 years. I've asked AWS support exactly how and why it was in this state, and I'll let you know when I hear back.
Maybe it's an issue with very old accounts. I say this because I actually created a new account just to debug this issue and it worked fine, and I have another AWS account that's only about 2 years old and there's no issue there either.
I'm facing the same issue. My app id is d1zbf83kttrm4k
, I've given the full AdministratorAccess
to my user role Amplify - Backend Deployment
and it still barfs with an Access Denied
error. It's extremely frustrating to deal with and after searching for hours and looking at other people complaining on this open issue as well, it seems to me that there is no clear fix to this nor any guidelines on how to work around it.
This leaves me with no option but to switch to a different hosting platform.
Having same issue. Tried both adding full admin access to service account and enabling transfer acceleration. Interestingly dev environment is deployed without any issues but prod always fails at this step. Environments are identical except few different ENV vars. In my case issue seems like related to cloud frount:
at Request.extractError (/root/.//node_modules/@sls-next/aws-cloudfront/node_modules/aws-sdk/lib/protocol/rest_xml.js:53:29)
In my case this was account limitation issue. Recently my account was blocked due to suspicious activity. Account have been restored but seems like completely and I still don't have full rights to my own cloudfront distribution and this is causes Amplify deployment error.
I'm facing the same issue. My app id is
d1zbf83kttrm4k
, I've given the fullAdministratorAccess
to my user roleAmplify - Backend Deployment
and it still barfs with anAccess Denied
error. It's extremely frustrating to deal with and after searching for hours and looking at other people complaining on this open issue as well, it seems to me that there is no clear fix to this nor any guidelines on how to work around it.This leaves me with no option but to switch to a different hosting platform.
Yes.. still happened to me at 23/12/2021. My existing project which deployed couple of times with no problem, suddenly having Access Denied
error. Having the service role with AdminstratorAccess
, attached the newly created policy with all the permission stated here https://github.com/aws-amplify/amplify-console/blob/main/FAQ.md#error-accessdenied-access-denied, still having Access Denied. I totally fed up on this, create a sudden "IT SHOULD WORK, CAUSE IT WORK BEFORE, BUT NOW IT NOT WORK ANYMORE" problem for me
My app details: appId: dcuydyh2ys8c4 region: ap-southeast-1
Full document here: https://github.com/aws-amplify/amplify-console/issues/1876#issuecomment-999690059
Spent some more time on this, and I think that the
Access Denied
is happening when the Amplify role tries to update the s3 bucket to use transfer acceleration.The operation -
PutAccelerateConfiguration
should be allowed given that the service role has fullAdministratorAccess
to all resources.However, if I go to the s3 console myself (again, with full Admin access) and create a bucket, then even I am unable to update the bucket to use transfer acceleration.
Yes noticed this, I also cant enable the Transfer Acceleration for ANY bucket even though I am the Root admin of the account inside the AWS Management Console.
Even I create a new bucket in S3 console, enable the Transfer Acceleration, also cannot, having Access Denied too, therefore this is the root cause of "Nextjs SSR build, access denied problem".
And where should I get help for this? What should I do to solve this?
Having same issue. Tried both adding full admin access to service account and enabling transfer acceleration. Interestingly dev environment is deployed without any issues but prod always fails at this step. Environments are identical except few different ENV vars. In my case issue seems like related to cloud frount:
at Request.extractError (/root/.//node_modules/@sls-next/aws-cloudfront/node_modules/aws-sdk/lib/protocol/rest_xml.js:53:29)
In my case this was account limitation issue. Recently my account was blocked due to suspicious activity. Account have been restored but seems like completely and I still don't have full rights to my own cloudfront distribution and this is causes Amplify deployment error.
So how you solve this ya? Like where can I get help? Or can I disable the transfer acceleration thing? I also have a same problem too
@kenchoong I have contacted AWS support twice. First time they added permissions to enable transfer acceleration and second time they lifted account restrictions after suspension. It took quite some time for them to fix issue though....
@aleksey-shmatov I see. thank you very much. Seems like no other way except contact the support.
These are related: https://github.com/aws-amplify/amplify-hosting/issues/1876
We have since resolved this issue so closing this.
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
Before opening, please confirm:
App Id
d3dh32c6fp1s0y
Region
eu-cental-1
Amplify Console feature
Not applicable
Describe the bug
building next js app in amplify returns Starting SSR Build... [ERROR]: AccessDenied: Access Denied.
Expected behavior
the starting SSR build should happen without errors
Reproduction steps
deploy a next.js SSR app using amplify console and in build steps the error comes in.
Build Settings
Additional information
i think the amplify is not letting me to create cloudfront distributions due to 25 number of limit of cloudfronts but i have deleted them and maybe the amplify is not detecting is my only guess.