aws-amplify
ssm:AddTagsToResource is not included in the amplify admin policies
How did you install the Amplify CLI?
yarn
If applicable, what version of Node.js are you using?
v20.9.0
Amplify CLI Version
12.10.1
What operating system are you using?
Mac
Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.
Yes, custom category to expose api endpoint via ssm param, so cognito trigger functions can get access/config of API.
I believe this is the relevant piece in the template that causing deployment failure:
"Resources": {
"GraphQLEndpointParam": {
"Type": "AWS::SSM::Parameter",
"Properties": {
"Name": {
"Fn::Join": [
"",
[
"amplify/GraphQLEndpoint-",
{
"Ref": "env"
}
]
]
},
"Type": "String",
"Value": {
"Ref": "apixxxGraphQLAPIEndpointOutput"
},
"Description": "GraphQL API Endpoint for the current stage"
}
},
Describe the bug
Copied from the custom category template deployment
Resource handler returned message: "User: arn:aws:sts::xxx:assumed-role/us-east-1_aPwDmYAQx_Full-access/amplifyadmin is not authorized to perform: ssm:AddTagsToResource on resource: arn:aws:ssm:us-east-1:xxx:parameter/amplify/GraphQLEndpoint-prod because no identity-based policy allows the ssm:AddTagsToResource action (Service: Ssm, Status Code: 400, Request ID: b6c1b086-b903-42e4-ac3c-01da8c35a4d0)" (RequestToken: 9235f63d-1fc8-da09-7169-f926d777e87a, HandlerErrorCode: GeneralServiceException)
Expected behavior
amplify role should have permissions correctly configured
Reproduction steps
- Add a custom category that creates SSM parameter
- Try to deploy
🛑 Resource is not in the state stackUpdateComplete
Name: GraphQLEndpointParam (AWS::SSM::Parameter), Event Type: create, Reason: Resource handler returned message: "User: arn:aws:sts::xxx:assumed-role/us-east-1_aPwDmYAQx_Full-access/amplifyadmin is not authorized to perform: ssm:AddTagsToResource on resource: arn:aws:ssm:us-east-1:xxx:parameter/amplify/GraphQLEndpoint-prod because no identity-based policy allows the ssm:AddTagsToResource action (Service: Ssm, Status Code: 400, Request ID: b6c1b086-b903-42e4-ac3c-01da8c35a4d0)" (RequestToken: 9235f63d-1fc8-da09-7169-f926d777e87a, HandlerErrorCode: GeneralServiceException), IsCustomResource: false
Project Identifier
No response
Log output
# Put your logs below this line
Additional information
No response
Before submitting, please confirm:
- [X] I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
- [X] I have removed any sensitive information from my code snippets and submission.
The visual editor also complained that "lambda:GetLayerVersionbyArn" doesn't exit in Full-access-Policy
Hey @OperationalFallacy, thank you for reaching out. This look like a miss on AdministratorAccess-Amplify policy (AmplifySSMCalls) when the root stack tags are propagated to the nested stack, marking as bug.
But to mitigate the issue we should be able to add an inline policy allowing the SSM tags permission.
in regards to "lambda:GetLayerVersionbyArn" i have reached out to the appropriate team.
On a side note did notice the Name Join has amplify/GraphQLEndpoint- you will need to add /amplify/GraphQLEndpoint- as the qualified name expects a /
Hey @OperationalFallacy, Amplify managed policy supports permissions for native categories like api, auth, storage. For custom use cases, customers will have to add permissions in their inline policy. Add ssm:AddTagsToResource permissions as a separate inline policy in this role us-east-1_aPwDmYAQx_Full-access
@bzsurbhi I'm confused, what is amplify managed policy? This is also a not custom case - this is amplify cli fails to make updates because some ssm permissions missing.