arn:aws:iam::aws:policy/AdministratorAccess-Amplify needs cognito-idp:ListIdentityProviders when using "amplify import auth" and continuous deployment #2285

Open
4 tasks done
jeffie9 opened this issue Sep 29, 2021 · 4 comments
Labels
bug Something isn't working


jeffie9 commented Sep 29, 2021

Before opening, please confirm:

App Id

No response

Region

No response

Amplify Console feature

Backend builds

Describe the bug

Build raises exception:
User: arn:aws:sts::123456789:assumed-role/amplifyconsole-backend-role/BuildSession is not authorized to perform: cognito-idp:ListIdentityProviders on resource: arn:aws:cognito-idp:us-east-1:123456789:userpool/us-east-1_XYZABC because no identity-based policy allows the cognito-idp:ListIdentityProviders action

Expected behavior

Should be able to connect the repository and have the first build get as far as running the framework build command (e.g. npm run script build). Code build failures would be excused, but it never makes it that far.

Reproduction steps

  1. Create app and add to amplify: amplify init
  2. Create or find existing Cognito Identity Pool and User Pool: amplify import auth
  3. Connect repository (eg. GitHub): amplify add hosting
    This requires using or creating a role. Create a new role using the selected defaults (Amplify, arn:aws:iam::aws:policy/AdministratorAccess-Amplify)
  4. Build or rebuild app: Exception!

Build Settings

Using default generated amplify.yml

Additional information

As a workaround, add cognito-idp:ListIdentityProviders as an inline policy to the service role (e.g. amplifyconsole-backend-role).

@github-actions

Hi 👋, thanks for opening! While we look into this...

If this issue is related to custom domains, be sure to check the custom domains troubleshooting guide to see if that helps. Also, there is a more general troubleshooting FAQ that may be helpful for other questions.

Lastly, please make sure you've specified the App ID and Region in the issue!

jeffie9 commented Sep 29, 2021

Still need to add environment variables as mentioned in #1271

jeffie9 commented Sep 29, 2021

After adding a frontend environment, I had to add this permission too: cognito-idp:GetUserPoolMfaConfig

ghost commented Oct 6, 2021

Hi Jeff 👋🏽, thanks for raising this and for providing the reproduction steps. We will try to reproduce the behavior and I'll update once I have more information.

@abhi7cr abhi7cr added the bug Something isn't working label Oct 8, 2021
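
Added example (not part of the issue thread and not Amplify project code): a small Python helper that parses AccessDenied messages of the form quoted in the bug description and builds the inline policy from the workaround, scoped to the denied user pool ARN instead of "*". The function names are hypothetical, and scoping cognito-idp:GetUserPoolMfaConfig to the same user pool is an assumption, since the thread gives no error message for it.

```python
import json
import re

# Shape of the IAM AccessDenied message quoted in the issue.
DENIED = re.compile(
    r"User: arn:aws:sts::\d+:assumed-role/(?P<role>[^/\s]+)/\S+ "
    r"is not authorized to perform: (?P<action>[\w-]+:\w+) "
    r"on resource: (?P<resource>arn:\S+)"
)

def parse_denial(message):
    """Return role, action and resource from one denial message, or None."""
    m = DENIED.search(message)
    return m.groupdict() if m else None

def build_inline_policy(messages, extra_actions=()):
    """Build (role_name, policy) with one Allow statement per denied resource.

    extra_actions are actions reported without an error message; each is added
    only to resources of the same service (assumption: same resource applies).
    """
    role, by_resource = None, {}
    for msg in messages:
        d = parse_denial(msg)
        if d is None:
            continue  # unrelated build log line
        role = role or d["role"]
        by_resource.setdefault(d["resource"], set()).add(d["action"])
    for resource, actions in by_resource.items():
        service = resource.split(":")[2]  # e.g. "cognito-idp"
        actions.update(a for a in extra_actions if a.split(":")[0] == service)
    statements = [
        {"Effect": "Allow", "Action": sorted(acts), "Resource": res}
        for res, acts in sorted(by_resource.items())
    ]
    return role, {"Version": "2012-10-17", "Statement": statements}

# Error text copied from the issue; the other log line is constructed.
SAMPLE_LOG = [
    "# Starting backend build (constructed line)",
    "User: arn:aws:sts::123456789:assumed-role/amplifyconsole-backend-role/BuildSession "
    "is not authorized to perform: cognito-idp:ListIdentityProviders on resource: "
    "arn:aws:cognito-idp:us-east-1:123456789:userpool/us-east-1_XYZABC because no "
    "identity-based policy allows the cognito-idp:ListIdentityProviders action",
]

if __name__ == "__main__":
    role, policy = build_inline_policy(
        SAMPLE_LOG, extra_actions=["cognito-idp:GetUserPoolMfaConfig"])
    print("Inline policy for role:", role)
    print(json.dumps(policy, indent=2))
```

The resulting document can be attached to the service role as an inline policy, for instance with aws iam put-role-policy.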