Open oste opened 3 years ago
As a follow-up, I am still receiving the same permission error after adding the above permissions to my service role.
Error:
```
2021-09-14T03:21:55.177Z [INFO]: Starting SSR Build...
2021-09-14T03:23:07.002Z [ERROR]: AccessDenied: Access Denied
    at Request.extractError (/root/.//node_modules/aws-sdk/lib/services/s3.js:714:35)
    at Request.callListeners (/root/.//node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/root/.//node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/root/.//node_modules/aws-sdk/lib/request.js:688:14)
    at Request.transition (/root/.//node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/root/.//node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /root/.//node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/root/.//node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/root/.//node_modules/aws-sdk/lib/request.js:690:12)
    at Request.callListeners (/root/.//node_modules/aws-sdk/lib/sequential_executor.js:116:18) {
  code: 'AccessDenied',
  region: null,
  time: 2021-09-14T03:23:06.868Z,
  requestId: 'C72C7SSAWDF',
  extendedRequestId: '8I03BXM04QotIN5g9xdc1s8q1jYJMzq5Nl/+CYbHVjbU/3bXOc=',
  cfId: undefined,
  statusCode: 403,
  retryable: false,
  retryDelay: 45.61368463766602
}
```
Permission policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CLISSRPolicy",
      "Effect": "Allow",
      "Action": [
        "acm:DescribeCertificate",
        "acm:ListCertificates",
        "acm:RequestCertificate",
        "cloudfront:CreateCloudFrontOriginAccessIdentity",
        "cloudfront:CreateDistribution",
        "cloudfront:CreateInvalidation",
        "cloudfront:GetDistribution",
        "cloudfront:GetDistributionConfig",
        "cloudfront:ListCloudFrontOriginAccessIdentities",
        "cloudfront:ListDistributions",
        "cloudfront:ListDistributionsByWebACLId",
        "cloudfront:ListFieldLevelEncryptionConfigs",
        "cloudfront:ListFieldLevelEncryptionProfiles",
        "cloudfront:ListInvalidations",
        "cloudfront:ListPublicKeys",
        "cloudfront:ListStreamingDistributions",
        "cloudfront:UpdateDistribution",
        "cloudfront:TagResource",
        "cloudfront:UntagResource",
        "cloudfront:ListTagsForResource",
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:CreateServiceLinkedRole",
        "iam:GetRole",
        "iam:PutRolePolicy",
        "iam:PassRole",
        "lambda:CreateFunction",
        "lambda:EnableReplication",
        "lambda:DeleteFunction",
        "lambda:GetFunction",
        "lambda:GetFunctionConfiguration",
        "lambda:PublishVersion",
        "lambda:UpdateFunctionCode",
        "lambda:UpdateFunctionConfiguration",
        "lambda:ListTags",
        "lambda:TagResource",
        "lambda:UntagResource",
        "route53:ChangeResourceRecordSets",
        "route53:ListHostedZonesByName",
        "route53:ListResourceRecordSets",
        "s3:CreateBucket",
        "s3:GetAccelerateConfiguration",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutAccelerateConfiguration",
        "s3:PutBucketPolicy",
        "s3:PutObject",
        "s3:PutBucketTagging",
        "s3:GetBucketTagging",
        "lambda:ListEventSourceMappings",
        "lambda:CreateEventSourceMapping",
        "iam:UpdateAssumeRolePolicy",
        "iam:DeleteRolePolicy",
        "sqs:CreateQueue",
        "sqs:DeleteQueue",
        "sqs:GetQueueAttributes",
        "sqs:SetQueueAttributes",
        "amplify:GetApp",
        "amplify:GetBranch",
        "amplify:UpdateApp",
        "amplify:UpdateBranch"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
I tried adding the AdministratorAccess policy and that didn't seem to fix the permission issue.
I am using a role within an organization account so maybe that is causing the issue.
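An AccessDenied on S3 that survives attaching AdministratorAccess is the signature of a deny that sits outside the identity policy (an organization SCP or a bucket policy). As an added illustration that is not part of this issue or the Amplify project, the simplified evaluator below uses a trimmed copy of the CLISSRPolicy above together with constructed SCPs and a constructed bucket ARN to show why an organization-level Deny overrides any identity-policy Allow.

```python
import fnmatch

# Constructed sample policies. CLI_SSR_POLICY is a trimmed copy of the service
# role policy from the issue; the SCPs and bucket ARN are assumed for illustration.
CLI_SSR_POLICY = {"Statement": [{"Effect": "Allow", "Resource": ["*"], "Action": [
    "s3:CreateBucket", "s3:GetObject", "s3:ListBucket", "s3:PutObject",
    "cloudfront:CreateDistribution", "lambda:CreateFunction", "iam:PassRole"]}]}
ADMINISTRATOR_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
FULL_AWS_ACCESS_SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_S3_SCP = {"Statement": [{"Effect": "Deny", "Action": "s3:*", "Resource": "*"}]}
BUILD_ARTIFACT = "arn:aws:s3:::example-amplify-ssr-bucket/build.zip"  # constructed


def _matches(patterns, value):
    """IAM-style glob match: case-insensitive, '*' and '?' wildcards only."""
    pats = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in pats)


def _decision(policy, action, resource):
    """Return 'Deny', 'Allow' or None (no matching statement) for one policy.
    Simplification: NotAction, NotResource and Condition are not evaluated."""
    verdict = None
    for st in policy.get("Statement", []):
        if _matches(st.get("Action", []), action) and _matches(st.get("Resource", []), resource):
            if st["Effect"] == "Deny":
                return "Deny"
            verdict = "Allow"
    return verdict


def evaluate(action, resource, identity_policy, scps=(), resource_policy=None):
    """Same-account evaluation, simplified: an explicit Deny anywhere wins, every
    SCP in the chain must Allow, and then the identity or resource policy must Allow."""
    scp_verdicts = [_decision(p, action, resource) for p in scps]
    ident = _decision(identity_policy, action, resource)
    res = _decision(resource_policy, action, resource) if resource_policy else None
    if "Deny" in scp_verdicts or "Deny" in (ident, res):
        return "Deny"
    if any(v != "Allow" for v in scp_verdicts):
        return "Deny"  # implicit deny at the organization boundary
    return "Allow" if "Allow" in (ident, res) else "Deny"


if __name__ == "__main__":
    cases = [("CLISSRPolicy, no SCP", CLI_SSR_POLICY, ()),
             ("AdministratorAccess, SCP denies s3:*", ADMINISTRATOR_ACCESS,
              (FULL_AWS_ACCESS_SCP, DENY_S3_SCP))]
    for label, identity, scps in cases:
        print(f"{label}: s3:GetObject -> {evaluate('s3:GetObject', BUILD_ARTIFACT, identity, scps)}")
```

The second case reproduces the symptom in this thread: the identity side allows everything, yet the call is denied, so the place to look is the SCPs applied to the account and the bucket policy, not the role policy.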
App Id
n/a
Region
n/a
Amplify Console feature
Backend builds
Describe the bug
Documentation at the following link describes adding the cloudfront:ListDistributionsByLambdaFunction permission to the IAM service role: https://github.com/aws-amplify/amplify-console/blob/master/FAQ.md#error-accessdenied-access-denied
When attempting to add this to my service role I am getting:
```
Invalid Action: The action cloudfront:ListDistributionsByLambdaFunction does not exist.
```
I am not sure if something should be used in its place or if this might cause problems.
Ideally, the console can add these permissions and role with the proper ARN but I wanted to make sure the manual process was properly documented.
I hope to be able to offer a merge request with the proper clarification.
Expected behavior
Docs do not include an invalid permission.
Reproduction steps
View the IAM permissions under https://github.com/aws-amplify/amplify-console/blob/master/FAQ.md#error-accessdenied-access-denied
Build Settings
No response
Additional information
No response