aws-amplify / amplify-hosting

AWS Amplify Hosting provides a Git-based workflow for deploying and hosting fullstack serverless web applications.
https://aws.amazon.com/amplify/hosting/
Apache License 2.0

Amplify frontend build returns Starting SSR Build... [ERROR]: AccessDenied: Access Denied #2086

Closed zugger14 closed 2 years ago

zugger14 commented 3 years ago


App Id

d3dh32c6fp1s0y

Region

eu-central-1

Amplify Console feature

Not applicable

Describe the bug

Building a Next.js app in Amplify returns Starting SSR Build... [ERROR]: AccessDenied: Access Denied.

Expected behavior

The starting SSR build should happen without errors.

Reproduction steps

Deploy a Next.js SSR app using the Amplify console; the error occurs in the build steps.

Build Settings

version: 1
frontend:
  phases:
    preBuild:
      commands:
        - npm install
    build:
      commands:
        - npm run build
  artifacts:
    baseDirectory: .next
    files:
      - '**/*'
  cache:
    paths:
      - node_modules/**/*

Additional information

I think Amplify is not letting me create CloudFront distributions due to the limit of 25 CloudFront distributions, but I have deleted them and maybe Amplify is not detecting that; this is my only guess.

quinnturner commented 3 years ago

I have also been hit with this issue. Since I use PR previews with SSR, every PR creates a new CloudFront distribution. Thus, after ~25 PRs, we get build failures.

In Amplify, there is a setting to delete old deployments once the branch has been merged. In my opinion, this should delete the underlying resources that are created during those merges.

Manually disabling then deleting the CloudFront distributions that were associated with Lambda@Edge functions worked for me. At this point, I am tempted to write some custom scripts to either delete old distributions (and potentially other resources) on cron-job or to delete on merge in a GitHub Action.

I'd recommend renaming this issue to something related to "Merging SSR PR previews doesn't clean up created resources" or something like that as I believe that's the underlying issue.

Good luck!

zugger14 commented 3 years ago

Thank you for your kind information, but I have already manually deleted the CloudFront distributions associated with Lambda@Edge functions, and it is still throwing Access Denied. I have also tried the same code with the same build settings on another AWS account and it was successfully deployed. So for now, I have requested a quota increase for CloudFront distributions and Lambda@Edge.

siegerts commented 2 years ago

Hi @zugger14, does this help? https://github.com/aws-amplify/amplify-console/blob/master/FAQ.md#error-accessdenied-access-denied

cpv123 commented 2 years ago

For me, it was that the standard Amplify - Backend Deployment service role didn't have all the permissions required for an SSR Nextjs deployment. I had to attach the AdministratorAccess policy to my Amplify service role to make it work.

I think this issue is a duplicate of https://github.com/aws-amplify/amplify-console/issues/2192

oste commented 2 years ago

In my situation I was first not able to clone the repo during the BUILD step getting fatal: unable to access 'https://git-codecommit.us-east-2.amazonaws I was able to resolve that by adding AWSCodeCommitReadOnly permission to my service role

However, I then ran into the issue described in this issue [ERROR]: AccessDenied: Access Denied

The odd thing is that even adding AdministratorAccess permission did not make a difference this time.

lack-of-gravitas commented 2 years ago

Same issue here -- provided AdministratorAccess to the backend role as part of troubleshooting and still get AccessDenied error on SSR build.

oste commented 2 years ago

Just wanted to bump this since it's been a couple weeks and I am still experiencing this.

lack-of-gravitas commented 2 years ago

@oste not ideal but we gave up in the end and re-init all of Amplify config from scratch -- thankfully we're still in MVP / proof of concept stage and could afford to do that.

Still had to provide AdministratorAccess -- don't like providing elevated privileges but it is what it is until Amplify team become more responsive and do some root cause analysis.

cpv123 commented 2 years ago

I actually fixed this for one Amplify project in one AWS account, but now I'm facing the issue again in a different account and even assigning AdministratorAccess isn't fixing it this time.

For me and many others, this basically means that deploying SSR Next.js apps on Amplify does not work.

cpv123 commented 2 years ago

Spent some more time on this, and I think that the Access Denied is happening when the Amplify role tries to update the s3 bucket to use transfer acceleration.

The operation - PutAccelerateConfiguration should be allowed given that the service role has full AdministratorAccess to all resources.

However, if I go to the s3 console myself (again, with full Admin access) and create a bucket, then even I am unable to update the bucket to use transfer acceleration.

Athena96 commented 2 years ago

Hi @cpv123 can you please share your appId so I can take a closer look, thanks!

oste commented 2 years ago

I was able to successfully set the transfer acceleration for both new and existing buckets.

It does look like it fails on an S3 related task based on the error.

cpv123 commented 2 years ago

@Athena96 my Amplify appId is d23o5sr1zur08j

I spoke with AWS technical support this morning and walked them through the full problem whilst screen-sharing. I showed them both the Amplify failure and the S3 bucket problem alone. They're reaching out to another internal team and will get back to me.

I'll update in here if I get back anything good 🙏

oste commented 2 years ago

Has there been any progress understanding why this permission issue exists?

cpv123 commented 2 years ago

@oste still not much clarity, although the AWS customer support did get it working for me.

The problem was in fact with S3 permissions - my account was not allowing transfer acceleration to be enabled on any S3 buckets which was causing the Amplify deployment to fail.

Why my account had this issue is not entirely clear to me - I was told that "the account was pending verification in the system which caused the S3 transfer acceleration capability to be blocked on the account", despite the account being in use for about 8 years. I've asked AWS support exactly how and why it was in this state, and I'll let you know when I hear back.

Maybe it's an issue with very old accounts. I say this because I actually created a new account just to debug this issue and it worked fine, and I have another AWS account that's only about 2 years old and there's no issue there either.
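
An added diagnostic sketch, not part of the original thread or of the Amplify project: it separates an IAM policy gap from the account-level transfer-acceleration block described above, so `AdministratorAccess` need not stay attached to the service role while troubleshooting. It assumes the AWS CLI with credentials for the affected account; the role ARN and scratch bucket name are operator-supplied, and the result labels are hypothetical names.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Usage: ./accel-check.sh ROLE_ARN SCRATCH_BUCKET
# Assumptions: AWS CLI is installed and configured; SCRATCH_BUCKET is a bucket
# you own whose name contains no dots; result labels below are illustrative.

# What IAM policy evaluation says about the role (policy view only).
iam_decision() {
  aws iam simulate-principal-policy \
    --policy-source-arn "$1" \
    --action-names s3:PutAccelerateConfiguration \
    --query 'EvaluationResults[0].EvalDecision' --output text
}

# Attempt the real call with the current credentials; print ok, denied or error.
accel_attempt() {
  local out
  if out=$(aws s3api put-bucket-accelerate-configuration \
        --bucket "$1" --accelerate-configuration Status=Enabled 2>&1); then
    echo ok
  elif printf '%s' "$out" | grep -q 'AccessDenied'; then
    echo denied
  else
    echo error   # e.g. missing bucket or invalid name: not a permission signal
  fi
}

# Combine both views into one verdict.
classify() {
  local decision attempt
  decision=$(iam_decision "$1") || decision=unknown
  attempt=$(accel_attempt "$2")
  case "$decision/$attempt" in
    allowed/denied) echo "account-level-block" ;;  # policy allows, service refuses
    allowed/ok)     echo "no-block" ;;
    *Deny/*)        echo "iam-policy-gap" ;;       # explicitDeny or implicitDeny
    *)              echo "inconclusive" ;;
  esac
}

if [ "$#" -eq 2 ]; then classify "$1" "$2"; fi
```

An `account-level-block` verdict matches what cpv123 reports: broader IAM permissions do not help and the restriction has to be lifted through AWS support.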

sanchay0 commented 2 years ago

I'm facing the same issue. My app id is d1zbf83kttrm4k, I've given the full AdministratorAccess to my user role Amplify - Backend Deployment and it still barfs with an Access Denied error. It's extremely frustrating to deal with and after searching for hours and looking at other people complaining on this open issue as well, it seems to me that there is no clear fix to this nor any guidelines on how to work around it.

This leaves me with no option but to switch to a different hosting platform.

aleksey-shmatov commented 2 years ago

Having the same issue. Tried both adding full admin access to the service account and enabling transfer acceleration. Interestingly, the dev environment is deployed without any issues but prod always fails at this step. Environments are identical except for a few different ENV vars. In my case the issue seems to be related to CloudFront:

at Request.extractError (/root/.//node_modules/@sls-next/aws-cloudfront/node_modules/aws-sdk/lib/protocol/rest_xml.js:53:29)

In my case this was an account limitation issue. Recently my account was blocked due to suspicious activity. Account has been restored but seems like completely and I still don't have full rights to my own CloudFront distribution and this causes the Amplify deployment error.

kenchoong commented 2 years ago

> I'm facing the same issue. My app id is d1zbf83kttrm4k, I've given the full AdministratorAccess to my user role Amplify - Backend Deployment and it still barfs with an Access Denied error. It's extremely frustrating to deal with and after searching for hours and looking at other people complaining on this open issue as well, it seems to me that there is no clear fix to this nor any guidelines on how to work around it.
>
> This leaves me with no option but to switch to a different hosting platform.

Yes.. still happened to me at 23/12/2021. My existing project, which deployed a couple of times with no problem, is suddenly having an Access Denied error. Having the service role with AdministratorAccess, and having attached the newly created policy with all the permissions stated here https://github.com/aws-amplify/amplify-console/blob/main/FAQ.md#error-accessdenied-access-denied, I am still having Access Denied. I am totally fed up with this; it creates a sudden "IT SHOULD WORK, CAUSE IT WORK BEFORE, BUT NOW IT NOT WORK ANYMORE" problem for me.

My app details: appId: dcuydyh2ys8c4 region: ap-southeast-1

Full document here: https://github.com/aws-amplify/amplify-console/issues/1876#issuecomment-999690059

kenchoong commented 2 years ago

> Spent some more time on this, and I think that the Access Denied is happening when the Amplify role tries to update the s3 bucket to use transfer acceleration.
>
> The operation - PutAccelerateConfiguration should be allowed given that the service role has full AdministratorAccess to all resources.
>
> However, if I go to the s3 console myself (again, with full Admin access) and create a bucket, then even I am unable to update the bucket to use transfer acceleration.

Yes, noticed this. I also can't enable Transfer Acceleration for ANY bucket even though I am the Root admin of the account inside the AWS Management Console.

Even when I create a new bucket in the S3 console and try to enable Transfer Acceleration, I also cannot; it gives Access Denied too. Therefore this is the root cause of the "Nextjs SSR build, access denied problem".

And where should I get help for this? What should I do to solve this?

kenchoong commented 2 years ago

> Having the same issue. Tried both adding full admin access to the service account and enabling transfer acceleration. Interestingly, the dev environment is deployed without any issues but prod always fails at this step. Environments are identical except for a few different ENV vars. In my case the issue seems to be related to CloudFront:
>
> at Request.extractError (/root/.//node_modules/@sls-next/aws-cloudfront/node_modules/aws-sdk/lib/protocol/rest_xml.js:53:29)
>
> In my case this was an account limitation issue. Recently my account was blocked due to suspicious activity. Account has been restored but seems like completely and I still don't have full rights to my own CloudFront distribution and this causes the Amplify deployment error.

So how did you solve this? Like, where can I get help? Or can I disable the transfer acceleration thing? I have the same problem too.

aleksey-shmatov commented 2 years ago

@kenchoong I have contacted AWS support twice. First time they added permissions to enable transfer acceleration and second time they lifted account restrictions after suspension. It took quite some time for them to fix issue though....

kenchoong commented 2 years ago

@aleksey-shmatov I see. thank you very much. Seems like no other way except contact the support.

ferdingler commented 2 years ago

These are related: https://github.com/aws-amplify/amplify-hosting/issues/1876

swaminator commented 2 years ago

We have since resolved this issue so closing this.

github-actions[bot] commented 1 year ago

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.