aws-samples / aws-mobile-appsync-chat-starter-angular

GraphQL starter progressive web application (PWA) with Realtime and Offline functionality using AWS AppSync
https://aws.amazon.com/appsync/
Apache License 2.0

Questions: backend setup steps: awsmobile init and AppSyncServiceRole access #6

Closed Jun711 closed 6 years ago

Jun711 commented 6 years ago

Hi, thanks for answering my questions.

1) I ran the second step: awsmobile init and it finished with this message: Success! your project is now initialized with awsmobilejs

However, I wasn't asked for the following information. How to set that up? Thanks

Provide the following details and name the project:

Source directory:
Distribution directory that stores build artifacts: dist
Build command: ng build --prod
Start command for local test run:

2) And when running ./backend/setup.sh, I got this error even though I am using the admin account. However, this is our first time using AppSync. Is there any configuration that I have to do? Please point me in the right direction. Thanks.

An error occurred (AccessDenied) when calling the CreateRole operation: User:... is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::...:role/chatangular-mobilehub-2117456392-AppSyncServiceRole

KoldBrewEd commented 6 years ago

It looks like the user credentials you have configured in your AWS CLI don't have permissions to create the role that allows AppSync access to DynamoDB. Try with a user that has IAM permissions to create a role; that should do the trick.

Jun711 commented 6 years ago

Is there anything that I have to configure on aws console under AppSync or DynamoDB?

My AWS CLI contains the user credentials of the main user who has IAM permissions as I used that account to create a role for MobileHub.

KoldBrewEd commented 6 years ago

Can you create the sample Events API in the AppSync console with the same user?

Jun711 commented 6 years ago

You mean Create AWS AppSync API in the AppSync console? I could create an API using the same user.

aws configure command shows that I am using the API Key for the same user too.

and, I could create database tables using the same user: DDB Table created

KoldBrewEd commented 6 years ago

It looks like the sample API doesn't create a role. You can try to create a role in the IAM Console with the same credentials and the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:DescribeTable",
                "dynamodb:GetItem",
                "dynamodb:ListTables",
                "dynamodb:Query",
                "dynamodb:Scan",
                "dynamodb:BatchWriteItem",
                "dynamodb:DeleteItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem"
            ],
            "Resource": [
                <your DDB tables ARNs separated by comma here>,
                <your UserConversations/index/conversationId-index ARN here>
            ]
        }
    ]
}

And this trust relationship:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "appsync.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

And then modify line 63 of the setup.sh script to explicitly assign the newly created role ARN to the variable SERVICE_ROLE_ARN.

With regards to the Mobile CLI, make sure you have the latest version and run the command "awsmobile init" again, it should prompt you for the questions.
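The role described in the comment above has two halves: a trust policy that says who may assume it (only the AppSync service) and a permission policy that says what it may touch (only the four chat tables and the one index). The following is an added example, not code from the repository or from the commenter: it builds both documents from table names, the way the placeholders in the comment ask you to, and lints them for the two mistakes people make when they "just get it working" (a `*` resource, or a trust policy that lets any AWS principal assume the role). The region, account id and table names are assumptions standing in for the thread's placeholders. `dynamodb:ListTables` is deliberately left out of the generated policy: it only works against `Resource: "*"`, and AppSync resolvers never call it, so listing it against table ARNs grants nothing.

```python
"""Build and lint the IAM role that AppSync assumes to reach the chat tables.
Added example, not code from the repository. Region, account id and table
names are assumptions standing in for the thread's placeholders."""
import json

# Data-plane actions from the thread's policy, minus dynamodb:ListTables (see
# the lead-in: it is not resource-scoped and AppSync does not need it).
DYNAMODB_ACTIONS = [
    "dynamodb:BatchGetItem", "dynamodb:DescribeTable", "dynamodb:GetItem",
    "dynamodb:Query", "dynamodb:Scan", "dynamodb:BatchWriteItem",
    "dynamodb:DeleteItem", "dynamodb:PutItem", "dynamodb:UpdateItem",
]


def table_arn(region, account, table):
    return f"arn:aws:dynamodb:{region}:{account}:table/{table}"


def index_arn(region, account, table, index):
    # Same shape the comment gives for UserConversations/index/conversationId-index.
    return f"{table_arn(region, account, table)}/index/{index}"


def trust_policy():
    """Only the AppSync service may assume the role (the thread's trust relationship)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "appsync.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def permission_policy(region, account, tables, indexes):
    """indexes is a list of (table, index_name) pairs; every ARN is explicit."""
    resources = [table_arn(region, account, t) for t in tables]
    resources += [index_arn(region, account, t, i) for t, i in indexes]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(DYNAMODB_ACTIONS),
            "Resource": resources,
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint(permissions, trust):
    """Return least-privilege findings for the role; an empty list means clean."""
    findings = []
    for stmt in permissions["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            if not action.startswith("dynamodb:") or action.endswith("*"):
                findings.append(f"action not scoped to DynamoDB: {action}")
        for res in _as_list(stmt["Resource"]):
            if res == "*" or res.endswith("table/*"):
                findings.append(f"wildcard resource: {res}")
    for stmt in trust["Statement"]:
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws_principals:
            findings.append("trust policy lets any AWS principal assume the role")
        elif not isinstance(principal, dict) or _as_list(principal.get("Service", [])) != ["appsync.amazonaws.com"]:
            findings.append(f"unexpected trusted principal: {principal}")
    return findings


if __name__ == "__main__":
    tables = ["Conversations", "Messages", "UserConversations", "Users"]
    pol = permission_policy("us-east-1", "123456789012", tables,
                            [("UserConversations", "conversationId-index")])
    print(json.dumps(pol, indent=2))
    print(json.dumps(trust_policy(), indent=2))
    print("findings:", lint(pol, trust_policy()))
```

Feed the two printed documents to `aws iam create-role --assume-role-policy-document` and `aws iam put-role-policy --policy-document`, then paste the resulting role ARN into SERVICE_ROLE_ARN as the comment describes. The lint is intentionally narrow; it catches the shortcuts, not every policy mistake.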

Jun711 commented 6 years ago

ok, will give that a try. thanks.

my awsmobile --version returns 1.0.16 which is one minor lower than the latest one: 1.0.17. will try with 1.0.17.

will report back later. thanks again.

Jun711 commented 6 years ago

@awsed Where can I find this <your UserConversations/index/conversationId-index ARN here>?

KoldBrewEd commented 6 years ago

arn:aws:dynamodb:<region>:<account>:table/<UserConversations table name>/index/conversationId-index

Jun711 commented 6 years ago

ok, I added 5 entries to the policy resources. Conversations, Messages, UserConversations, Users and UserConversations/index/conversationId-index.

Regarding the trust relationship for the roles, should I replace or add in? and I have two roles created: chatangular_smsverification_MOBILEHUB and chatangular_auth_MOBILEHUB. Should I modify both trust relationships?

KoldBrewEd commented 6 years ago

The trust relationship will define the trusted entities/services that can assume the role.

Jun711 commented 6 years ago

Now I can create the role, but there is this error when running the setup.sh: (AccessDeniedException) when calling the CreateGraphqlApi operation.

Sorry, I think I have been using a different user with my CLI which I thought to be the admin. I signed in on the console using the admin and thus I thought I was using the right one on the CLI. What permission do I have to grant to the user to enable the use of CreateGraphqlApi?

KoldBrewEd commented 6 years ago

It doesn't look like you are using the same credentials if you can create IAM roles and AppSync APIs in the console but cannot do it using the CLI. I recommend double-checking the Access Key and Secret Access Key in ~/.aws/credentials, or creating new Access/Secret keys.

Alternatively you can use an EC2 instance profile that assumes a role with permissions to create/modify AppSync, Cognito User Pools and DDB resources and run the script from there.
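The mix-up in this thread (console signed in as one user, CLI keys belonging to another) is common, and the AccessDenied message quoted earlier already names the principal the CLI actually used. The quickest live check is `aws sts get-caller-identity`, which returns the ARN of whatever credentials the CLI resolves. The following added example (not code from the repository or the commenter) does the offline equivalent: it parses the AccessDenied text to extract who was denied, what action and what resource, and it resolves which access key id the CLI would pick from a credentials file, a config file and the environment, in the CLI's precedence order (environment variables, then the profile in the credentials file, then the config file; the role-assumption and instance-profile steps of the real chain are omitted). The file contents and the error message below are constructed; the key ids are not real.

```python
"""Find out which identity the AWS CLI is really using. Added example, not
code from the repository. File contents and the error text are constructed."""
import configparser
import re

# Constructed ~/.aws/credentials and ~/.aws/config contents (not real keys).
CREDENTIALS = """\
[default]
aws_access_key_id = AKIADEFAULT0000000001
aws_secret_access_key = constructed-default-secret

[admin]
aws_access_key_id = AKIAADMIN000000000002
aws_secret_access_key = constructed-admin-secret
"""

CONFIG = """\
[default]
region = us-east-1

[profile admin]
region = us-east-1
"""

# Constructed in the same shape as the AccessDenied message quoted in the thread.
DENIED = ("An error occurred (AccessDenied) when calling the CreateRole operation: "
          "User: arn:aws:iam::123456789012:user/secondary is not authorized to perform: "
          "iam:CreateRole on resource: "
          "arn:aws:iam::123456789012:role/chatangular-mobilehub-2117456392-AppSyncServiceRole")

_DENIED_RE = re.compile(r"User: (?P<user>\S+) is not authorized to perform: "
                        r"(?P<action>\S+) on resource: (?P<resource>\S+)")


def parse_access_denied(message):
    """Return {'user', 'action', 'resource'} from an IAM AccessDenied message,
    or None if the message does not have that shape."""
    m = _DENIED_RE.search(message)
    return m.groupdict() if m else None


def resolve_access_key(credentials_text, config_text, env):
    """Return (source, access_key_id) the CLI would use, or (None, None).

    Precedence mirrors the CLI for static keys: AWS_ACCESS_KEY_ID in the
    environment wins; otherwise the profile named by AWS_PROFILE (default
    'default') is looked up in the credentials file, then in the config file,
    where non-default profiles live under a '[profile name]' section."""
    if env.get("AWS_ACCESS_KEY_ID"):
        return "environment", env["AWS_ACCESS_KEY_ID"]
    profile = env.get("AWS_PROFILE", "default")

    creds = configparser.ConfigParser()
    creds.read_string(credentials_text)
    if creds.has_option(profile, "aws_access_key_id"):
        return f"credentials file [{profile}]", creds.get(profile, "aws_access_key_id")

    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    section = profile if profile == "default" else f"profile {profile}"
    if cfg.has_option(section, "aws_access_key_id"):
        return f"config file [{section}]", cfg.get(section, "aws_access_key_id")
    return None, None


if __name__ == "__main__":
    print(parse_access_denied(DENIED))
    for env in ({}, {"AWS_PROFILE": "admin"}, {"AWS_ACCESS_KEY_ID": "AKIAFROMENV0000000003"}):
        print(env, "->", resolve_access_key(CREDENTIALS, CONFIG, env))
```

Compare the resolved access key id with the keys listed for the admin user under IAM > Users > Security credentials in the console; if it is not one of them, the CLI is running as someone else, whatever the console shows.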

Jun711 commented 6 years ago

Yes, you are right. I just realized that. Really sorry about that. The account given to me is the secondary account of the admin, which isn't allowed all the permissions. What permission specifically do I need to have to use CreateGraphqlApi?

KoldBrewEd commented 6 years ago

The service is in preview, so it doesn't show in the Visual Policy Editor or Simulator:

https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_policies.html?icmpid=docs_iam_console#troubleshoot_policies-unrecognized-visual

I suggest testing with appsync:CreateGraphqlApi.
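For the operator identity that runs backend/setup.sh (as opposed to the role AppSync assumes), the two actions this thread shows failing are iam:CreateRole and appsync:CreateGraphqlApi. The added example below (not code from the repository or the commenter) writes a policy for that identity that grants those actions narrowly, and includes a small offline matcher so you can confirm that the exact action/resource pairs from the error messages are covered before touching the policy simulator. Two things are assumptions, not facts from the thread: the iam:PassRole statement (AppSync data sources are configured with a service role, which the caller has to be allowed to pass to the appsync.amazonaws.com service) and the account id placeholder. The resource pattern for the role is taken from the role name in the first error message. The matcher ignores Condition blocks and handles only `*` and `?` wildcards, so it answers "is this pair named by an Allow and not by a Deny", not "what would IAM decide".

```python
"""Scoped policy for whoever runs setup.sh, with an offline action/resource
matcher. Added example, not the project's code. iam:PassRole and the account
id are assumptions; the other actions come from the thread's error messages."""
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"  # placeholder for the real account id
# Role name pattern from the thread's error (chatangular-mobilehub-<number>-AppSyncServiceRole).
ROLE_PATTERN = f"arn:aws:iam::{ACCOUNT}:role/chatangular-mobilehub-*-AppSyncServiceRole"


def operator_policy():
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # the thread's first failing call, limited to the generated role name
                "Sid": "CreateServiceRole",
                "Effect": "Allow",
                "Action": "iam:CreateRole",
                "Resource": ROLE_PATTERN,
            },
            {   # assumption: the role is handed to AppSync for its data sources,
                # so the caller must be able to pass it, and only to that service
                "Sid": "PassServiceRoleToAppSync",
                "Effect": "Allow",
                "Action": "iam:PassRole",
                "Resource": ROLE_PATTERN,
                "Condition": {"StringEquals": {"iam:PassedToService": "appsync.amazonaws.com"}},
            },
            {   # the thread's second failing call; the API has no ARN until it exists
                "Sid": "CreateApi",
                "Effect": "Allow",
                "Action": "appsync:CreateGraphqlApi",
                "Resource": "*",
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Explicit Deny wins; otherwise any matching Allow grants. Action names
    match case-insensitively, resources case-sensitively, as IAM does."""
    decision = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"]))
        resource_hit = any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


if __name__ == "__main__":
    pol = operator_policy()
    role = f"arn:aws:iam::{ACCOUNT}:role/chatangular-mobilehub-2117456392-AppSyncServiceRole"
    for act, res in (("iam:CreateRole", role),
                     ("appsync:CreateGraphqlApi", "*"),
                     ("iam:CreateRole", f"arn:aws:iam::{ACCOUNT}:role/Admin")):
        print(act, res, "->", is_allowed(pol, act, res))
```

Attach the printed policy to the CLI user (or to the role behind the EC2 instance profile mentioned above), then re-run setup.sh; if another call fails, its AccessDenied message names the next action and resource to add, so the policy grows only as far as the script actually needs.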