
User: arn:aws:sts::471112589329:assumed-role/eu-central-1_Ad25tEyii_Full-access/amplifyadmin is not authorized to perform: cognito-idp:GetGroup

Open fistofzen opened this issue 1 year ago • 2 comments

How did you install the Amplify CLI?

No response

If applicable, what version of Node.js are you using?

No response

Amplify CLI Version

12.12.4

What operating system are you using?

Mac

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

No

Describe the bug

When I do `amplify add env ...` followed by `amplify push`, I am getting this error:

Name: SubscribedGroup (AWS::Cognito::UserPoolGroup), Event Type: create, Reason: Resource handler returned message: "User: arn:aws:sts::471112589329:assumed-role/eu-central-1_Ad25tEyii_Full-access/amplifyadmin is not authorized to perform: cognito-idp:GetGroup on resource: arn:aws:cognito-idp:eu-central-1:471112589329:userpool/eu-central-1_0WJJ5Y05O because no identity-based policy allows the cognito-idp:GetGroup action (Service: CognitoIdentityProvider, Status Code: 400, Request ID: fb4dc113-81ac-4742-841b-f90717fcc71a)" (RequestToken: 94514ba1-38ef-acfb-0010-bcba2ca044b6, HandlerErrorCode: GeneralServiceException), IsCustomResource: false

Expected behavior

Push to new env.

Reproduction steps

amplify push

Project Identifier

No response

Log output

# Put your logs below this line


Additional information

No response

Before submitting, please confirm:

  • [X] I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
  • [X] I have removed any sensitive information from my code snippets and submission.

fistofzen avatar Aug 23 '24 19:08 fistofzen

Hey @fistofzen, this appears to be similar to https://github.com/aws-amplify/amplify-cli/issues/7582, currently being tracked as a bug. The linked comment provides a workaround using custom-policies.json to add the permissions: https://github.com/aws-amplify/amplify-cli/issues/7582#issuecomment-1062437331

ykethan avatar Aug 26 '24 19:08 ykethan

FWIW I had the same error, and the workaround mentioned by @ykethan (I think) didn't apply to me because this was at the amplify push stage, not something contained in the permissions with a lambda function, which is what I think the custom-policies.json workaround applies to.

I finally got my new env to build, and my old one that was also producing a Cognito related build error (I was trying to create a Cognito group in this push), by searching in IAM for a role that had the same role name as the error (____Full-access) and then adding an inline policy that gave that role the permission to GetGroup for resources within my project (I had at least 2 different ARNs, so I just did a * to save myself some time since I thought GetGroup was low stakes).

I hope you were able to move beyond this bug, but documenting in case anyone else ever runs into this.

femmedecentral avatar Oct 02 '24 00:10 femmedecentral
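As an added illustration (not part of this thread or of the Amplify project's own policies), here is what the inline policy described in the comment above looks like when it is scoped to the specific user pool named in the error instead of `*`. The user pool ARN is taken from the error message in the issue body; if the project has several environments, each environment's pool ARN goes into the `Resource` list rather than widening the statement to every pool in the account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCognitoGetGroupForAmplifyUserPools",
      "Effect": "Allow",
      "Action": "cognito-idp:GetGroup",
      "Resource": [
        "arn:aws:cognito-idp:eu-central-1:471112589329:userpool/eu-central-1_0WJJ5Y05O"
      ]
    }
  ]
}
```

Attach this as an inline policy on the `..._Full-access` role that appears in the `assumed-role` ARN of the error, then rerun `amplify push`. Listing the pool ARNs explicitly keeps the grant to the one read-only action the `AWS::Cognito::UserPoolGroup` handler needs for the `create` event, so the stopgap does not outlive the managed-policy fix with a broader permission than the bug ever required.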

@femmedecentral apologies for the delay, and thank you for the context. Marking this as a bug to update the managed policy to add cognito-idp:GetGroup.

ykethan avatar Oct 21 '24 20:10 ykethan