aws-amplify / amplify-hosting

AWS Amplify Hosting provides a Git-based workflow for deploying and hosting fullstack serverless web applications.
https://aws.amazon.com/amplify/hosting/
Apache License 2.0

cloudfront:ListDistributionsByLambdaFunction invalid action #2253

Open oste opened 3 years ago

oste commented 3 years ago

Before opening, please confirm:

App Id

n/a

Region

n/a

Amplify Console feature

Backend builds

Describe the bug

Documentation listed on the following link describes adding the cloudfront:ListDistributionsByLambdaFunction permission to the IAM service role: https://github.com/aws-amplify/amplify-console/blob/master/FAQ.md#error-accessdenied-access-denied

When attempting to add this to my service role, I am getting "Invalid Action: The action cloudfront:ListDistributionsByLambdaFunction does not exist."

I am not sure if something should be used in its place or if this might cause problems.

Ideally, the console can add these permissions and role with the proper ARN but I wanted to make sure the manual process was properly documented.

I hope to be able to offer a merge request with the proper clarification.

Expected behavior

Docs do not include an invalid permission.

Reproduction steps

View IAM permissions under https://github.com/aws-amplify/amplify-console/blob/master/FAQ.md#error-accessdenied-access-denied

Build Settings

No response

Additional information

No response

oste commented 3 years ago

As a follow-up, I am still receiving the same permission error after adding the above permissions to my service role.

Error:

2021-09-14T03:21:55.177Z [INFO]: Starting SSR Build...
2021-09-14T03:23:07.002Z [ERROR]: AccessDenied: Access Denied
                                  at Request.extractError (/root/.//node_modules/aws-sdk/lib/services/s3.js:714:35)
                                  at Request.callListeners (/root/.//node_modules/aws-sdk/lib/sequential_executor.js:106:20)
                                  at Request.emit (/root/.//node_modules/aws-sdk/lib/sequential_executor.js:78:10)
                                  at Request.emit (/root/.//node_modules/aws-sdk/lib/request.js:688:14)
                                  at Request.transition (/root/.//node_modules/aws-sdk/lib/request.js:22:10)
                                  at AcceptorStateMachine.runTo (/root/.//node_modules/aws-sdk/lib/state_machine.js:14:12)
                                  at /root/.//node_modules/aws-sdk/lib/state_machine.js:26:10
                                  at Request.<anonymous> (/root/.//node_modules/aws-sdk/lib/request.js:38:9)
                                  at Request.<anonymous> (/root/.//node_modules/aws-sdk/lib/request.js:690:12)
                                  at Request.callListeners (/root/.//node_modules/aws-sdk/lib/sequential_executor.js:116:18) {
                                  code: 'AccessDenied',
                                  region: null,
                                  time: 2021-09-14T03:23:06.868Z,
                                  requestId: 'C72C7SSAWDF',
                                  extendedRequestId: '8I03BXM04QotIN5g9xdc1s8q1jYJMzq5Nl/+CYbHVjbU/3bXOc=',
                                  cfId: undefined,
                                  statusCode: 403,
                                  retryable: false,
                                  retryDelay: 45.61368463766602
                                  }

Permission policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CLISSRPolicy",
            "Effect": "Allow",
            "Action": [
                "acm:DescribeCertificate",
                "acm:ListCertificates",
                "acm:RequestCertificate",
                "cloudfront:CreateCloudFrontOriginAccessIdentity",
                "cloudfront:CreateDistribution",
                "cloudfront:CreateInvalidation",
                "cloudfront:GetDistribution",
                "cloudfront:GetDistributionConfig",
                "cloudfront:ListCloudFrontOriginAccessIdentities",
                "cloudfront:ListDistributions",
                "cloudfront:ListDistributionsByWebACLId",
                "cloudfront:ListFieldLevelEncryptionConfigs",
                "cloudfront:ListFieldLevelEncryptionProfiles",
                "cloudfront:ListInvalidations",
                "cloudfront:ListPublicKeys",
                "cloudfront:ListStreamingDistributions",
                "cloudfront:UpdateDistribution",
                "cloudfront:TagResource",
                "cloudfront:UntagResource",
                "cloudfront:ListTagsForResource",
                "iam:AttachRolePolicy",
                "iam:CreateRole",
                "iam:CreateServiceLinkedRole",
                "iam:GetRole",
                "iam:PutRolePolicy",
                "iam:PassRole",
                "lambda:CreateFunction",
                "lambda:EnableReplication",
                "lambda:DeleteFunction",
                "lambda:GetFunction",
                "lambda:GetFunctionConfiguration",
                "lambda:PublishVersion",
                "lambda:UpdateFunctionCode",
                "lambda:UpdateFunctionConfiguration",
                "lambda:ListTags",
                "lambda:TagResource",
                "lambda:UntagResource",
                "route53:ChangeResourceRecordSets",
                "route53:ListHostedZonesByName",
                "route53:ListResourceRecordSets",
                "s3:CreateBucket",
                "s3:GetAccelerateConfiguration",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutAccelerateConfiguration",
                "s3:PutBucketPolicy",
                "s3:PutObject",
                "s3:PutBucketTagging",
                "s3:GetBucketTagging",
                "lambda:ListEventSourceMappings",
                "lambda:CreateEventSourceMapping",
                "iam:UpdateAssumeRolePolicy",
                "iam:DeleteRolePolicy",
                "sqs:CreateQueue",
                "sqs:DeleteQueue",
                "sqs:GetQueueAttributes",
                "sqs:SetQueueAttributes",
                "amplify:GetApp",
                "amplify:GetBranch",
                "amplify:UpdateApp",
                "amplify:UpdateBranch"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

oste commented 3 years ago

I tried adding the AdministratorAccess policy and that didn't seem to fix the permission issue.

I am using a role within an organization account so maybe that is causing the issue.
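To check whether a posted identity policy actually covers a given action, here is an added example (not from the Amplify project or the reporter) that implements the core of IAM's evaluation logic: case-insensitive wildcard action matching with explicit Deny taking precedence, plus an optional service control policy layer, since the last comment mentions an organization account and an SCP can deny actions that AdministratorAccess would otherwise allow. It assumes Resource "*" throughout and ignores Condition, NotAction and resource-based policies; the policy dicts are constructed excerpts, and the SCP is hypothetical.

```python
import fnmatch

# Constructed excerpt of the service-role policy posted above (not the full list).
SERVICE_ROLE_POLICY = {"Statement": [{
    "Sid": "CLISSRPolicy", "Effect": "Allow", "Resource": ["*"],
    "Action": ["cloudfront:ListDistributions", "s3:GetObject",
               "s3:ListBucket", "s3:PutObject"],
}]}
# Constructed stand-ins for the AdministratorAccess managed policy and for a
# hypothetical Organizations SCP that denies S3 (the issue shows no SCP).
ADMINISTRATOR_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_S3_SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                             {"Effect": "Deny", "Action": "s3:*", "Resource": "*"}]}


def _matches(pattern, action):
    # IAM action names are case-insensitive and accept '*' and '?' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(policies, action):
    """Decide one action within one policy layer the way IAM does: an explicit
    Deny always wins, otherwise any matching Allow wins, otherwise implicit deny."""
    decision = "implicit-deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = stmt.get("Action", [])
            if isinstance(actions, str):
                actions = [actions]
            if any(_matches(p, action) for p in actions):
                if stmt["Effect"] == "Deny":
                    return "deny"
                decision = "allow"
    return decision


def effective(identity_policies, action, scps=None):
    """Identity policies and SCPs are separate layers that must both allow, so
    attaching AdministratorAccess cannot override an SCP deny."""
    if scps is not None and evaluate(scps, action) != "allow":
        return "deny-by-scp"
    return evaluate(identity_policies, action)


def missing_actions(policies, required):
    """Return the required actions that no policy in the set allows."""
    policies = list(policies)
    return [a for a in required if evaluate(policies, a) != "allow"]
```

If an action is allowed here but the build still gets AccessDenied, the gap is in a layer this model omits (SCP, permission boundary, resource policy or condition), which narrows where to look.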