amplify-backend
First deployment of vite app failed
Environment information
Vite-react 1-click deploy
Describe the bug
Customer tweeted here: https://x.com/davidefish/status/1829206390080188445. They have the role assigned but they get the following error:
Reproduction steps
Deploy Vite-React sample
👋 I just tested the Vite-React quickstart guide and was able to deploy the backend without any errors. The outlined error can typically occur if the IAM role is missing permissions to deploy the necessary backend resources.
From the discussion on the X thread, it seems that the IAM role is using the correct managed IAM policy so that can be ruled out.
As next steps, I will recommend reviewing the Service Control Policies that could be enforced on the IAM user/role on an account level within the organization. The SCPs are used to guardrail permissions and can lead to such build failures due to missing permissions.
Adding to the comment above: I was able to reproduce the issue
reproduction steps:
- Open the CloudFormation console, select CDKToolkit → Resources
- Open the file-publishing-role and delete it
- A new deploy should throw this error
Marking as bug for better error messaging. As provided in the comment above, this can occur due to Service Control Policies enforced on an account level.
Note, additionally observed the following logs
2024-09-24T23:37:37.673Z [INFO]: current credentials could not be used to assume 'arn:aws:iam::<account-id>:role/cdk-hnb659fds-file-publishing-role-<account-id>-us-west-2', but are for the right account. Proceeding anyway.
2024-09-24T23:37:37.681Z [INFO]: current credentials could not be used to assume 'arn:aws:iam::<account-id>:role/cdk-hnb659fds-file-publishing-role-<account-id>-us-west-2', but are for the right account. Proceeding anyway.
2024-09-24T23:37:37.684Z [INFO]: amplify-d3ljpx5j1ptm55-main-branch-e3fa383e95: start: Building cc01911d0269d4080ea57505dc445dfc315ef7ad85d3d9d4ea1357858bff451d:current_account-current_region
2024-09-24T23:37:37.684Z [INFO]: amplify-d3ljpx5j1ptm55-main-branch-e3fa383e95: success: Built cc01911d0269d4080ea57505dc445dfc315ef7ad85d3d9d4ea1357858bff451d:current_account-current_region
2024-09-24T23:37:37.684Z [INFO]: amplify-d3ljpx5j1ptm55-main-branch-e3fa383e95: start: Publishing 3665466abf40cc747bff935f1cf2f49edd920e2cd12d45d502d3857488b3ff3e:current_account-current_region
2024-09-24T23:37:37.687Z [INFO]: current credentials could not be used to assume 'arn:aws:iam::<account-id>:role/cdk-hnb659fds-file-publishing-role-<account-id>-us-west-2', but are for the right account. Proceeding anyway.
2024-09-24T23:37:37.693Z [INFO]: current credentials could not be used to assume 'arn:aws:iam::<account-id>:role/cdk-hnb659fds-file-publishing-role-<account-id>-us-west-2', but are for the right account. Proceeding anyway.
2024-09-24T23:37:37.695Z [INFO]: current credentials could not be used to assume 'arn:aws:iam::<account-id>:role/cdk-hnb659fds-file-publishing-role-<account-id>-us-west-2', but are for the right account. Proceeding anyway.
2024-09-24T23:37:37.703Z [INFO]: amplify-d3ljpx5j1ptm55-main-branch-e3fa383e95: start: Building a183ddccbd956316c38ef97177b8f088ef0826f62023323f5ae6053d348ccffc:current_account-current_region
amplify-d3ljpx5j1ptm55-main-branch-e3fa383e95: success: Built a183ddccbd956316c38ef97177b8f088ef0826f62023323f5ae6053d348ccffc:current_account-current_region
2024-09-24T23:37:37.717Z [INFO]: current credentials could not be used to assume 'arn:aws:iam::<account-id>:role/cdk-hnb659fds-file-publishing-role-<account-id>-us-west-2', but are for the right account. Proceeding anyway.
Note: a similar error can occur on sandbox deploy if the user has a proxy set up, such as a VPN.
Adding --debug to npx ampx sandbox provides this information.
To mitigate this, adding the relevant pem file to Node's cert storage should mitigate the issue. Consult with your IT team before modifying the trust store.
Closing this issue.