Permissions Error when recording events with KinesisStream provider from Analytics

Open abdallahshaban557 opened this issue 3 years ago • 5 comments

How did you install the Amplify CLI?

npm

If applicable, what version of Node.js are you using?

16.4

Amplify CLI Version

10.5.2

What operating system are you using?

Mac

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

No

Describe the bug

I am using the Kinesis Streams provider from the Analytics feature set - and I am getting an error when trying to use Analytics.record

{"__type":"AccessDeniedException","Message":"User: arn:aws:sts::613607431007:assumed-role/amplify-nextjsplayground-dev-205355-unauthRole/CognitoIdentityCredentials is not authorized to perform: kinesis:PutRecords on resource: arn:aws:kinesis:us-west-2:613607431007:stream/undefined because no identity-based policy allows the kinesis:PutRecords action"}

If I try updating the Project by using amplify update analytics I get an error from the CLI and I cannot proceed.

Expected behavior

Permission errors for the UnAuth role should not be shown when using the Kinesis Stream provider.

Reproduction steps

  1. Add amplify by using amplify add analytics
  2. Choose Kinesis Streams as the provider
  3. Allow Auth and UnAuth roles to access the Analytics resource
  4. Register the Kinesis pluggable into the NextJS app
  5. Try using the Analytics.record API
  6. The error shows up in the console

Project Identifier

07d8fa9a07058e596960d73808ea0ff5

Log output

# Put your logs below this line


Additional information

No response

Before submitting, please confirm:

  • [X] I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
  • [X] I have removed any sensitive information from my code snippets and submission.

abdallahshaban557 avatar Dec 20 '22 05:12 abdallahshaban557

Hey @abdallahshaban557 :wave: thanks for raising this! As we begin to look into this in more depth I have two follow-up questions:

From the error in the browser console, the resource ARN stands out as it ends with undefined, resource: arn:aws:kinesis:us-west-2:613607431007:stream/undefined. Is this value accurately captured in the aws-exports.js file?

> If I try updating the Project by using amplify update analytics I get an error from the CLI and I cannot proceed.

What is the error you're receiving when attempting to update your analytics resource?

josefaidt avatar Dec 20 '22 16:12 josefaidt

Hi @josefaidt

It seems like the value for analytics isn't captured at all in my aws-exports.js file. I can only see Auth information reflected in the file.

When I try to update the analytics resource I get this error:

🛑 File at path: '/Users/awshaban/Main_Folder/Github/JS/nextjs-playground/amplify/backend/analytics/nextjsplaygroundKinesis/pinpoint-cloudformation-template.json' does not exist

abdallahshaban557 avatar Dec 20 '22 17:12 abdallahshaban557

Note: upon further inspection I noticed after pushing analytics I do not see an analytics-related key in the aws-exports.js file which may be the culprit.

josefaidt avatar Dec 20 '22 18:12 josefaidt

It appears the endpoint is missing when the Analytics module from amplify-js attempts to make the PutRecords call with the KinesisStream client from aws-sdk.

Note: we do see the ARN is captured as an output in kinesis-cloudformation-template.json:

"Outputs": {
  "kinesisStreamArn": {
    "Value": {
      "Fn::GetAtt": [
        "KinesisStream",
        "Arn"
      ]
    }
  },
  "kinesisStreamId": {
    "Value": {
      "Ref": "KinesisStream"
    }
  },
  "kinesisStreamShardCount": {
    "Value": {
      "Ref": "kinesisStreamShardCount"
    }
  }
}

and this is successfully captured in amplify-meta.json

"output": {
  "kinesisStreamId": "nextjsplaygroundKinesis-myenv",
  "kinesisStreamShardCount": "1",
  "kinesisStreamArn": "arn:aws:kinesis:us-east-1:814763596509:stream/nextjsplaygroundKinesis-myenv"
},

where amplify-js is missing the resource name. Marking as a bug 🙂

josefaidt avatar Dec 21 '22 00:12 josefaidt

Reproducing the steps as above:

Steps

  • amplify add analytics
  • Choose Kinesis Streams as the provider
  • Allow Auth and UnAuth roles to access the Analytics resource (not seeing exactly where the quick step to do this is)
  • Register the Kinesis configuration
  • Try using the record API
  • The error shows up in the console

My question pertains to the third step: any simple way to configure access to all roles without direct IAM roles modification? Our product supports: auth/unauth/idp + 5 different Cognito userGroups... I'd prefer not to have to manually append Kinesis roles to each.

Upon calling the record api, I see this in my network tab:

{"__type":"AccessDeniedException","Message":"User: arn:aws:sts::805382180084:assumed-role/.../CognitoIdentityCredentials is not authorized to perform: kinesis:PutRecords on resource: arn:aws:kinesis:us-east-2:805382180084:stream/AgroviewAnalyticsStream because no identity-based policy allows the kinesis:PutRecords action"}

On this note, and more meta, is Amplify Analytics a supported package within Gen 1 with planned migratability to Gen 2, or should we explore alternatives to this instead of packages losing support channels?

charlieforward9 avatar Nov 14 '25 01:11 charlieforward9
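
The two AccessDeniedException bodies quoted in this thread differ in one respect: one names the resource `stream/undefined`, the other a real stream name. As an added example (not code from the thread or from Amplify), the sketch below parses such a body and separates a missing client-side stream name from a missing IAM permission; the function names, account ID, role name and stream name are constructed placeholders.

```javascript
// Added example: triage a Kinesis AccessDeniedException body returned to the client.
// Sample bodies are constructed; account ID, role and stream names are placeholders.
const DENIED_RE =
  /^User: (\S+) is not authorized to perform: ([\w-]+:[\w*]+) on resource: (\S+)/;

function triageAccessDenied(body) {
  const err = typeof body === 'string' ? JSON.parse(body) : body;
  if (!err || err.__type !== 'AccessDeniedException') return { kind: 'not-access-denied' };
  const m = DENIED_RE.exec(err.Message || '');
  if (!m) return { kind: 'unparsed' };
  const [, principal, action, resource] = m;
  // ARN layout: arn:partition:service:region:account:stream/<name>
  const streamName = resource.split(':').slice(5).join(':').split('/')[1] || '';
  const role = (principal.match(/assumed-role\/([^/]+)\//) || [])[1] || null;
  // A literal "undefined"/"null"/empty name means the client had no stream name
  // to send, so the request could never match a policy scoped to the real stream.
  const configMissing = ['undefined', 'null', ''].includes(streamName);
  return {
    kind: configMissing ? 'client-config-missing-stream' : 'iam-policy-missing',
    role, action, resource, streamName,
    // Candidate least-privilege statement: one action, one stream. Review before use.
    suggestedStatement: configMissing
      ? null
      : { Effect: 'Allow', Action: [action], Resource: [resource] },
  };
}

function sampleBody(streamName) {
  return JSON.stringify({
    __type: 'AccessDeniedException',
    Message:
      'User: arn:aws:sts::111111111111:assumed-role/example-unauthRole/CognitoIdentityCredentials' +
      ' is not authorized to perform: kinesis:PutRecords on resource:' +
      ` arn:aws:kinesis:us-west-2:111111111111:stream/${streamName}` +
      ' because no identity-based policy allows the kinesis:PutRecords action',
  });
}

console.log(triageAccessDenied(sampleBody('undefined')));
console.log(triageAccessDenied(sampleBody('ExampleStream')));
```

When the result is `client-config-missing-stream`, the thing to check is the client configuration (here, the missing analytics key in aws-exports.js) before touching any role policy.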