Tags: amazon-web-services, aws-cli, aws-amplify, aws-amplify-cli, amplify-ios

Amplify CreateApp Permission


My goal is to finish initialising Amplify on my Xcode project with the amplify init command. In the process of initialising Amplify, after I choose a profile, I get an AccessDeniedException.

Here is the whole error:

init failed
AccessDeniedException: User: arn:aws:iam::214284559168:user/etiketa_admin is not authorized to perform: amplify:CreateApp on resource: arn:aws:amplify:eu-central-1:214284559168:apps/*
    at Object.extractError (/usr/local/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/protocol/json.js:51:27)
    at Request.extractError (/usr/local/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/protocol/rest_json.js:55:8)
    at Request.callListeners (/usr/local/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/usr/local/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/usr/local/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/request.js:683:14)
    at Request.transition (/usr/local/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/usr/local/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /usr/local/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/usr/local/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/usr/local/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/request.js:685:12) {
  message: 'User: arn:aws:iam::214284559168:user/etiketa_admin is not authorized to perform: amplify:CreateApp on resource: arn:aws:amplify:eu-central-1:214284559168:apps/*',
  code: 'AccessDeniedException',
  time: 2020-01-14T13:09:16.321Z,
  requestId: '1b1d6217-4c88-43db-9028-51951519d1d8',
  statusCode: 403,
  retryable: false,
  retryDelay: 65.49222401684153
} 

I know that I must set permissions in the IAM Management Console for this user. But I'm not sure which permission is correct in order to get this working.

My question: What permission does the user need to perform 'CreateApp on resource'?


Solution

  • You should set permissions in the IAM Management Console for the Amplify user. Below is the Amplify CLI IAM policy for performing actions across all categories.

      {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "appsync:*",
                    "apigateway:POST",
                    "apigateway:DELETE",
                    "apigateway:PATCH",
                    "apigateway:PUT",
                    "cloudformation:CreateStack",
                    "cloudformation:CreateStackSet",
                    "cloudformation:DeleteStack",
                    "cloudformation:DeleteStackSet",
                    "cloudformation:DescribeStackEvents",
                    "cloudformation:DescribeStackResource",
                    "cloudformation:DescribeStackResources",
                    "cloudformation:DescribeStackSet",
                    "cloudformation:DescribeStackSetOperation",
                    "cloudformation:DescribeStacks",
                    "cloudformation:UpdateStack",
                    "cloudformation:UpdateStackSet",
                    "cloudfront:CreateCloudFrontOriginAccessIdentity",
                    "cloudfront:CreateDistribution",
                    "cloudfront:DeleteCloudFrontOriginAccessIdentity",
                    "cloudfront:DeleteDistribution",
                    "cloudfront:GetCloudFrontOriginAccessIdentity",
                    "cloudfront:GetCloudFrontOriginAccessIdentityConfig",
                    "cloudfront:GetDistribution",
                    "cloudfront:GetDistributionConfig",
                    "cloudfront:TagResource",
                    "cloudfront:UntagResource",
                    "cloudfront:UpdateCloudFrontOriginAccessIdentity",
                    "cloudfront:UpdateDistribution",
                    "cognito-identity:CreateIdentityPool",
                    "cognito-identity:DeleteIdentityPool",
                    "cognito-identity:DescribeIdentity",
                    "cognito-identity:DescribeIdentityPool",
                    "cognito-identity:SetIdentityPoolRoles",
                    "cognito-identity:UpdateIdentityPool",
                    "cognito-idp:CreateUserPool",
                    "cognito-idp:CreateUserPoolClient",
                    "cognito-idp:DeleteUserPool",
                    "cognito-idp:DeleteUserPoolClient",
                    "cognito-idp:DescribeUserPool",
                    "cognito-idp:UpdateUserPool",
                    "cognito-idp:UpdateUserPoolClient",
                    "dynamodb:CreateTable",
                    "dynamodb:DeleteItem",
                    "dynamodb:DeleteTable",
                    "dynamodb:DescribeTable",
                    "dynamodb:PutItem",
                    "dynamodb:UpdateItem",
                    "dynamodb:UpdateTable",
                    "iam:CreateRole",
                    "iam:DeleteRole",
                    "iam:DeleteRolePolicy",
                    "iam:GetRole",
                    "iam:GetUser",
                    "iam:PassRole",
                    "iam:PutRolePolicy",
                    "iam:UpdateRole",
                    "lambda:AddPermission",
                    "lambda:CreateFunction",
                    "lambda:DeleteFunction",
                    "lambda:GetFunction",
                    "lambda:GetFunctionConfiguration",
                    "lambda:InvokeAsync",
                    "lambda:InvokeFunction",
                    "lambda:RemovePermission",
                    "lambda:UpdateFunctionCode",
                    "lambda:UpdateFunctionConfiguration",
                    "s3:*",
                    "amplify:*"
                ],
                "Resource": "*"
            }
        ]
    }
    

    This JSON file is located at this link: IAM Policy for CLI

    In order to get all required permissions for the Amplify CLI you must create your own policy and copy this JSON into it. On how to create your own policy, please refer to this link: Creating Policies on the JSON Tab
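As an added example (not part of the question or the answer above, and not Amplify's own code): a small Python script that pulls the principal, action and resource out of the AccessDeniedException text, builds a policy scoped to exactly that one call, and evaluates a policy document against the call with IAM-style wildcard matching and deny-overrides-allow. BROAD_POLICY is an abridged copy of the answer's policy with a shortened Action list; the evaluator is a deliberate simplification of IAM (one identity policy, no Condition, NotAction, NotResource or resource-based policies) meant for checking a document before attaching it.

```python
"""Added example (not from the original post): parse an IAM AccessDeniedException
message, build a policy scoped to the denied call, and evaluate policy documents
against that call locally.  Simplified IAM semantics: single identity policy,
Allow/Deny with wildcard Action and Resource only; no Condition, NotAction,
NotResource or resource-based policies."""
import json
import re

# Constructed input: the message from the question's AccessDeniedException.
ERROR_MESSAGE = (
    "User: arn:aws:iam::214284559168:user/etiketa_admin is not authorized to "
    "perform: amplify:CreateApp on resource: "
    "arn:aws:amplify:eu-central-1:214284559168:apps/*"
)

# Abridged copy of the answer's policy: same shape, shortened Action list.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": ["appsync:*", "cloudformation:CreateStack", "iam:PassRole",
                   "s3:*", "amplify:*"],
        "Resource": "*",
    }],
}

DENIED_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>\S+)"
    r" on resource: (?P<resource>\S+)"
)


def parse_access_denied(message):
    """Extract principal, action and resource from an AccessDenied message."""
    m = DENIED_RE.search(message)
    if m is None:
        raise ValueError("not an IAM 'is not authorized to perform' message")
    return m.groupdict()


def _wildcard_to_regex(pattern):
    # IAM policy wildcards: '*' matches any run of characters, '?' one character.
    return "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"


def _matches(pattern, value, ignore_case=False):
    flags = re.IGNORECASE if ignore_case else 0
    return re.match(_wildcard_to_regex(pattern), value, flags) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy, action, resource):
    """Return 'allow', 'deny' (explicit) or 'implicit_deny' for one request.

    Action names are matched case-insensitively, ARNs case-sensitively, and an
    explicit Deny beats any Allow, as in IAM's evaluation logic.
    """
    decision = "implicit_deny"
    for stmt in _as_list(policy["Statement"]):
        if not any(_matches(a, action, ignore_case=True)
                   for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_matches(r, resource)
                   for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision


def scoped_policy(denied):
    """Least-privilege policy granting exactly the call that was denied."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": denied["action"],
            "Resource": denied["resource"],
        }],
    }


if __name__ == "__main__":
    denied = parse_access_denied(ERROR_MESSAGE)
    minimal = scoped_policy(denied)
    print(json.dumps(minimal, indent=2))
    for name, policy in (("broad", BROAD_POLICY), ("scoped", minimal)):
        print(name, evaluate(policy, denied["action"], denied["resource"]))
    # The scoped policy covers only the call that failed, nothing else.
    print("scoped/DeleteApp",
          evaluate(minimal, "amplify:DeleteApp", denied["resource"]))
```

Running it shows that both the answer's policy and the scoped one allow the failing amplify:CreateApp call, that the scoped policy grants nothing else (amplify:DeleteApp stays implicitly denied), and that a policy written for a different region or account would leave the call denied. The scoped policy fixes only the step in the error; amplify init goes on to call other services, which is why the answer's policy also lists CloudFormation, IAM and S3 actions.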