
User: XXX because no identity-based policy allows the cognito-idp:GetGroup action

Open GenGraphic opened this issue 1 year ago • 3 comments

Environment information

0 verbose cli C:\Program Files\nodejs\node.exe C:\Users\Eduardo\AppData\Roaming\npm\node_modules\npm\bin\npm-cli.js
1 info using [email protected]
2 info using [email protected]
3 silly config load:file:C:\Users\Eduardo\AppData\Roaming\npm\node_modules\npm\npmrc
4 silly config load:file:F:\Projects\pensionflow\.npmrc
5 silly config load:file:C:\Users\Eduardo\.npmrc
6 silly config load:file:C:\Users\Eduardo\AppData\Roaming\npm\etc\npmrc
7 verbose title npm exec ampx info
8 verbose argv "exec" "--" "ampx" "info"
9 verbose logfile logs-max:10 dir:C:\Users\Eduardo\AppData\Local\npm-cache\_logs\2024-10-18T11_38_01_308Z-
10 verbose logfile C:\Users\Eduardo\AppData\Local\npm-cache\_logs\2024-10-18T11_38_01_308Z-debug-0.log
11 silly logfile start cleaning logs, removing 1 files
12 silly logfile done cleaning log files
13 silly packumentCache heap:4345298944 maxSize:1086324736 maxEntrySize:543162368
14 http fetch GET 200 https://registry.npmjs.org/ampx 775ms (cache miss)
15 verbose stack Error: could not determine executable to run
15 verbose stack     at getBinFromManifest (C:\Users\Eduardo\AppData\Roaming\npm\node_modules\npm\node_modules\libnpmexec\lib\get-bin-from-manifest.js:17:23)
15 verbose stack     at exec (C:\Users\Eduardo\AppData\Roaming\npm\node_modules\npm\node_modules\libnpmexec\lib\index.js:202:15)
15 verbose stack     at async Npm.exec (C:\Users\Eduardo\AppData\Roaming\npm\node_modules\npm\lib\npm.js:207:9)
15 verbose stack     at async module.exports (C:\Users\Eduardo\AppData\Roaming\npm\node_modules\npm\lib\cli\entry.js:74:5)
16 verbose pkgid [email protected]
17 error could not determine executable to run
18 verbose cwd F:\Projects\pensionflow
19 verbose os Windows_NT 10.0.22631
20 verbose node v20.17.0
21 verbose npm  v10.8.3
22 verbose exit 1
23 verbose code 1
24 error A complete log of this run can be found in: C:\Users\Eduardo\AppData\Local\npm-cache\_logs\2024-10-18T11_38_01_308Z-debug-0.log

Describe the bug

I created a new env and I tried to push the backend to it, resulting in the following error: Resource handler returned message: "User: arn:aws:sts::XXXXX:assumed-role/eu-central-1_K3YXJVKQN_Full-access/amplifyadmin is not authorized to perform: cognito-idp:GetGroup on resource: arn:aws:cognito-idp:eu-central-1:XXXXX:userpool/eu-central-1_He0G2wrhm because no identity-based policy allows the cognito-idp:GetGroup action (Service: CognitoIdentityProvider, Status Code: 400, Request ID: abfcf153-b16b-44a8-85a7-84ead72265a6)" (RequestToken: 6b86c0b7-4b2a-ce88-1139-b91d18ccd86c, HandlerErrorCode: GeneralServiceException)

Reproduction steps

amplify push

GenGraphic avatar Oct 18 '24 11:10 GenGraphic

Thanks for raising this! I'm going to transfer this over to our CLI repository as this appears to be a Gen 1 CLI issue.

ykethan avatar Oct 18 '24 14:10 ykethan

Hey @GenGraphic, thank you for reaching out. It appears the eu-central-1_K3YXJVKQN_Full-access role is trying to perform a GetGroup on a Cognito userpool resource. To mitigate the issue, you should be able to add the cognito-idp:GetGroup as an inline policy on the eu-central-1_K3YXJVKQN_Full-access role in the AWS IAM console.

ykethan avatar Oct 18 '24 14:10 ykethan

Hi @ykethan. Thank you for the fast reply, this is much appreciated. What we are trying to do is to duplicate our production env and use it as a development env. I created the new env and I get this error while trying to push the backend to the newly created env. So a new user pool is created (along with functions, tables, S3), and it tries to get and create a new AdminsGroup (like we have on our prod env). So adding an inline policy is the first thing I tried, but I can't give it the right Resource, since I don't know the new user pool ARN because it doesn't exist yet. Thank you!

GenGraphic avatar Oct 19 '24 05:10 GenGraphic

@GenGraphic since the new resource name would contain a random hash value, adding the inline policy may not be ideal. But you could try adding the cognito-idp:GetGroup action similar to the managed policy for Amplify: https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess-Amplify.html

ykethan avatar Oct 21 '24 20:10 ykethan

@ykethan Thanks for your reply. I already gave the role the Administrator policy, which means the role should have full access. I managed to solve the problem by adding cognito-idp:GetGroup and cognito-idp:AddGroup on all resources (this also includes future ones) and the new env got successfully created.

GenGraphic avatar Oct 23 '24 07:10 GenGraphic
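As an added example that is not part of this thread or of the Amplify project: an inline policy statement for the eu-central-1_K3YXJVKQN_Full-access role that grants the two group actions the push needs, but only on user pools in the account and region where the new environment is created, rather than on every resource. ACCOUNT_ID_PLACEHOLDER stands in for the account ID redacted as XXXXX above; the create action is named cognito-idp:CreateGroup in the Cognito API (the thread refers to it as AddGroup).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AmplifyPushCognitoGroupManagement",
      "Effect": "Allow",
      "Action": [
        "cognito-idp:GetGroup",
        "cognito-idp:CreateGroup"
      ],
      "Resource": "arn:aws:cognito-idp:eu-central-1:ACCOUNT_ID_PLACEHOLDER:userpool/*"
    }
  ]
}
```

The userpool/* suffix covers the pool whose random ID is not known until the push creates it, while keeping the grant narrower than "*"; once the environment exists, the pool-specific ARN can be substituted to tighten it further.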

This issue is now closed. Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one.

github-actions[bot] avatar Oct 23 '24 07:10 github-actions[bot]