awslabs / amplify-video

An open source Category Plugin for the AWS Amplify-CLI that makes it easy to deploy live and file based streaming video services and integrate them into your Amplify applications.
https://www.npmjs.com/package/amplify-category-video
Apache License 2.0

Amplify push fails on IAM permissions (yes I have read and followed your Wiki & docs). Please help! #239

Closed armenr closed 3 years ago

armenr commented 3 years ago

Describe the bug

Amplify push fails when adding amplify video category.

To Reproduce

Steps to reproduce the behavior:

  1. npm i amplify-category-video -g

  2. amplify add video

    ╰─ amplify add video
    ? Please select from one of the below mentioned services: Video-On-Demand
    ? Provide a friendly name for your resource to be used as a label for this category in the project: myvodstreams
    ? Select a system-provided encoding template, specify an already-created template name:  Default HLS Adaptive Bitrate
    ? Is this a production enviroment? Yes
    ? Do you want to protect your content with signed urls? No
    ? Do you want Amplify to create a new GraphQL API to manage your videos? (Beta) No
    ✔ All resources built.

  3. amplify push

  4. ERROR

    CREATE_FAILED JobTemplate AWS::MediaConvert::JobTemplate Fri Apr 16 2021 17:45:23 GMT-0700 (Pacific Daylight Time) User: arn:aws:sts::<REDACTED_ACCOUNT>:assumed-role/us-west-2_0dnmPmHoR_Full-access/amplifyadmin is not authorized to perform: mediaconvert:DescribeEndpoints on resource: arn:aws:mediaconvert:us-west-2:<REDACTED_ACCOUNT>:endpoints/* (Service: MediaConvert; Status Code: 403; Error Code: AccessDeniedException; Request ID: 01e1568c-da9a-4d21-87e1-b85751c6c358; Proxy: null)
    CREATE_FAILED amplify-amplifirestaging-cristina-15905-videomyvodstreams-CD76ST-rMediaConvertTemplate-1LOZXYC78K7K AWS::CloudFormation::Stack Fri Apr 16 2021 17:45:24 GMT-0700 (Pacific Daylight Time) The following resource(s) failed to create: [JobTemplate].

Expected behavior

Expected behavior would be: "Resources built/deployed successfully"

Additional context

Here's what's really confusing me:

Following resources failed

Resource Name: JobTemplate (AWS::MediaConvert::JobTemplate)
Event Type: create
Reason: User: arn:aws:sts::<REDACTED_ACCOUNT>:assumed-role/us-west-2_0dnmPmHoR_Full-access/amplifyadmin is not authorized to perform: mediaconvert:DescribeEndpoints on resource: arn:aws:mediaconvert:us-west-2:<REDACTED_ACCOUNT>:endpoints/* (Service: MediaConvert; Status Code: 403; Error Code: AccessDeniedException; Request ID: 01e1568c-da9a-4d21-87e1-b85751c6c358; Proxy: null)

Looks like something, somewhere, is attempting to assume a role that's got insufficient privileges! So, I went into IAM and looked for that role, and found it:

[Screenshot: Screen Shot 2021-04-16 at 5 56 39 PM]

As you can see, this role does not have sufficient privileges to access secretsmanager OR mediaconvert (as described in the amplify-video repo Wiki page for "IAM").

                "mediaconvert:*",
                "secretsmanager:*",

Problems:

  1. I am kinda new to Amplify, so I have no idea WHAT created this role "0dnmPmHoR_Full-access/amplifyadmin"
  2. I have no clue how to fix this without MANUALLY editing the role and policy. That is to say, I can easily go in and amend the permissions through the IAM console, but that doesn't solve the problem at scale/operationally...that is to say, I couldn't go in and manually make these changes for every single backend or app/environment I create, every single time. What is the correct way to achieve this?

Any help would be much appreciated. Thank you! :)
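Added example (not part of the original post and not amplify-video code): a JavaScript helper that parses the AccessDenied reason quoted above to identify the assumed role and the denied action, then checks whether a policy document's Action patterns cover that action. `ROLE_POLICY` is a hypothetical stand-in for the role's policy, and the check is simplified: it does not evaluate Resource, Condition, NotAction or permission boundaries.

```javascript
// Constructed input: the Reason string from the failed JobTemplate event, shortened.
const REASON = 'User: arn:aws:sts::<REDACTED_ACCOUNT>:assumed-role/us-west-2_0dnmPmHoR_Full-access/amplifyadmin ' +
  'is not authorized to perform: mediaconvert:DescribeEndpoints on resource: ' +
  'arn:aws:mediaconvert:us-west-2:<REDACTED_ACCOUNT>:endpoints/* (Service: MediaConvert; Status Code: 403)';

// Hypothetical stand-in for the role's policy (the real one is only in the screenshot).
const ROLE_POLICY = { Version: '2012-10-17', Statement: [
  { Effect: 'Allow', Action: ['cloudformation:*', 's3:*', 'iam:PassRole'], Resource: '*' },
] };
// Same policy plus the two action patterns quoted from the amplify-video IAM wiki.
const WITH_WIKI_ACTIONS = { Version: '2012-10-17', Statement: [
  ...ROLE_POLICY.Statement,
  { Effect: 'Allow', Action: ['mediaconvert:*', 'secretsmanager:*'], Resource: '*' },
] };

// Extract account, role, session name, action and resource from an AccessDenied reason.
function parseAccessDenied(reason) {
  const re = /User: arn:aws:sts::([^:]*):assumed-role\/([^/\s]+)\/(\S+) is not authorized to perform: (\S+) on resource: (\S+)/;
  const m = re.exec(reason);
  return m ? { account: m[1], role: m[2], session: m[3], action: m[4], resource: m[5] } : null;
}

// IAM action patterns allow * and ? wildcards and are case-insensitive.
function actionPattern(pattern) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\*/g, '.*').replace(/\?/g, '.') + '$', 'i');
}

const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Simplified check: an explicit Deny wins, otherwise any matching Allow grants.
// Resource, Condition, NotAction and permission boundaries are NOT evaluated.
function isActionAllowed(policy, action) {
  let allowed = false;
  for (const st of asArray(policy.Statement)) {
    if (!asArray(st.Action).some((p) => actionPattern(p).test(action))) continue;
    if (st.Effect === 'Deny') return false;
    if (st.Effect === 'Allow') allowed = true;
  }
  return allowed;
}

// Combine both steps: who was denied, and does the given policy cover that action?
function triage(reason, policy) {
  const denied = parseAccessDenied(reason);
  return denied && { ...denied, coveredByPolicy: isActionAllowed(policy, denied.action) };
}

console.log(triage(REASON, ROLE_POLICY));
console.log(triage(REASON, WITH_WIKI_ACTIONS));
```
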

armenr commented 3 years ago

Update:

If you are using amplify admin UI as your means of authentication, THAT creates this unexpected behavior. That is to say, maybe the docs should reflect the fact that using this plugin/successfully pushing the resources it creates is ONLY achievable when you are using a named AWS profile OR access key/secret key...Amplify Admin UI won't allow it because the admin UI creates that stupid role with the missing permissions, and will throw errors every bloody time.

wizage commented 3 years ago

Yeah this is a common occurrence. I will try to see what the console team can do to make this process smoother. We have seen this issue crop up before:

#175

#216

Going to keep this ticket open and work with @renebrandel to see what we can do to help users with this!

wizage commented 3 years ago

Also updated the wiki with this answer for future reference; the answer can be found here: https://github.com/awslabs/amplify-video/wiki/Troubleshooting

armenr commented 3 years ago

@wizage - YOU, sir, are a scholar and a gentleman. I thank you for the swift response and help :)

I will look into the issues you referenced. This is great stuff to know, and I am most grateful!