Amplify, User is not authorized to preform iam:passRole on resource
Question
So I'm trying to init an existing "react-ts" amplify project, which has about 8 services configured in it. When I run amplify push, everything seems to be good and successful except the following, which I get this error:
Resource Name: 2021/10/08/[$LATEST]c1c602b361e347ad83d49f77293e6aae (Custom::LambdaCallout)
Event Type: create
Reason: Received response status [FAILED] from custom resource. Message returned: See the details in CloudWatch Log Stream: 2021/10/08/[$LATEST]c1c602b361e347ad83d49f77293e6aae (RequestId: 90c39ffc-b3ee-4830-ae87-7df3cd3a0770)
and here is the log on cloudwatch for the given address:
2021-10-08T06:28:37.448Z d30823f5-a9f8-4d7e-a823-dd53b298a2fb INFO Response body:
{
"Status": "FAILED",
"Reason": "See the details in CloudWatch Log Stream: 2021/10/08/[$LATEST]3b533dd8fb9a43bc921cfe635d2bc945",
"PhysicalResourceId": "2021/10/08/[$LATEST]3b533dd8fb9a43bc921cfe635d2bc945",
"StackId": "arn:aws:cloudformation:us-east-1:474847889857:stack/amplify-storyliner-staging-44500-authstorylinerb9277983-1V5J90W5KFK1A/cef02b40-2800-11ec-bcb5-0adb3c7f2f15",
"RequestId": "f7b5fc9e-0a46-43ae-bf7e-eb19fb81285e",
"LogicalResourceId": "MFALambdaInputs",
"NoEcho": false,
"Data": {
"err": {
"message": "User: arn:aws:sts::474847889857:assumed-role/storylb9277983_totp_lambda_role-staging/amplify-storyliner-staging-44500-authsto-MFALambda-tA8KTT12iWvY is not authorized to perform: iam:PassRole on resource: arn:aws:iam::474847889857:role/snsb927798344500-staging because no identity-based policy allows the iam:PassRole action",
"code": "AccessDeniedException",
"time": "2021-10-08T06:28:37.445Z",
"requestId": "3978bf89-5872-460d-b991-c3cd4e5280e1",
"statusCode": 400,
"retryable": false,
"retryDelay": 38.192028876441576
}
}
}
I tried to create the role "snsb927798344500-staging" and add the needed policies but once I try to re-run the amplify push command I get an error saying the snsb927798344500-staging already exist . so I think it is the amplify that creates the role on every push and it is deleting it after the process is failed. which is the reason I'm not able to see the "snsb927798344500-staging" role again after the push process.
1 answers
solution1
5 ACCPTED 2021-10-09 02:08:07
That specific message appears to be related to this GitHub issue on the CLI: https://github.com/aws-amplify/amplify-cli/issues/8363
We ran into the same issue today, and the below fixed it for us.
Solution copied here:
This issue is due to missing policy in the MFALambda role which was fixed in #7729. Could you try adding the following policy to your auth cloudformation and see if that fixes the issue. The part that you need to add is the policy with name corecocf3573d0_sns_pass_role_policy
# Snippet
MFALambdaRole:
Type: AWS::IAM::Role
Properties:
RoleName:
Fn::If:
- ShouldNotCreateEnvResources
- corecocf3573d0_totp_lambda_role
- Fn::Join:
- ''
- - corecocf3573d0_totp_lambda_role
- '-'
- Ref: env
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action:
- sts:AssumeRole
Policies:
- PolicyName: corecocf3573d0_totp_pass_role_policy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- iam:PassRole
Resource:
Fn::If:
- ShouldNotCreateEnvResources
- arn:aws:iam:::role/corecocf3573d0_totp_lambda_role
- Fn::Join:
- ''
- - arn:aws:iam:::role/corecocf3573d0_totp_lambda_role
- '-'
- Ref: env
# New policy
- PolicyName: corecocf3573d0_sns_pass_role_policy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- 'iam:PassRole'
Resource: !GetAtt SNSRole.Arn
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.