stenio

Reputation: 377

Permission problem accessing CodeCommit repository during build phase

I am struggling trying to create my first React app. I have connected the app to the CodeCommit repository but the build on the Amplify console fails with this message:

2020-12-14T09:25:04.155Z [ERROR]: !!! Unable to assume specified IAM Role. Please ensure the selected IAM Role has sufficient permissions and the Trust Relationship is configured correctly.

The provision phase works perfectly:

I have created the service role AmplifyConsoleServiceRole-AmplifyRole as suggested in this guide and I am logged in as a user with AdministratorAccess authorization. Git commits to the repository from my PC console work perfectly.

It is not clear to me what IAM role the AWS Amplify Console is unable to assume. I think it is the AmplifyConsoleServiceRole-AmplifyRole, which I selected as the service role during app creation. The permissions of this role are AdministratorAccess, as well. How can I check if the Trust Relationship is configured correctly?

Upvotes: 2

Views: 3715

Answers (2)

James Robinson

Reputation: 1253

I have spent about 3 days debugging this issue.

This error can also be triggered if your GitHub token does not have sufficient permissions.

When creating a token from inside AWS Amplify it will be given the following permissions:

  • Write access to files located at amplify.yml
  • Read access to code and metadata
  • Read and write access to checks, pull requests and repository hooks

If using Terraform, you will not successfully create the Amplify app without the write permission for repository hooks, but you can make do without write permission for pull requests. Currently (Aug 4, 2024), fine-grained tokens can't be granted the checks permission through the web interface (despite it being listed in the docs), though I was able to successfully deploy once I had added read and write access for pull requests.

Upvotes: 1

stenio

Reputation: 377

I've contacted Amazon support. They answered that something is not working on their side using eu-south-1.

I've just tried on eu-central-1 and the build process worked as expected. So no, there were no permission problems, simply a bug. They told me that it will be addressed soon.

Edit: Amazon support team found the problem in the trust relationship to be used with the eu-south-1 region. It must be defined in the following way:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": ["amplify.eu-south-1.amazonaws.com","amplify.amazonaws.com"]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Upvotes: 5
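
Added example (not part of the original thread or of AWS's own tooling): one way to answer the question "how can I check the Trust Relationship", by parsing a role's trust policy and reporting which of the two Amplify service principals from the answer above are missing. The function names and the global-only sample policy are constructed for illustration; the `amplify.<region>.amazonaws.com` pattern is assumed from the eu-south-1 value shown on this page, and `Condition` blocks are not evaluated.

```python
import json

def _as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Service."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def required_principals(region):
    # Global principal plus the regional one, as in the accepted trust policy.
    return ["amplify.amazonaws.com", f"amplify.{region}.amazonaws.com"]

def trusted_services(trust_policy):
    """Service principals that an Allow statement lets call sts:AssumeRole."""
    services = set()
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            services.update(s.lower() for s in _as_list(principal.get("Service")))
    return services

def missing_amplify_principals(trust_policy, region):
    """Return the required Amplify principals the role does not trust."""
    trusted = trusted_services(trust_policy)
    return [p for p in required_principals(region) if p not in trusted]

# Constructed sample: a role that trusts only the global Amplify principal.
GLOBAL_ONLY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"Service": "amplify.amazonaws.com"},
   "Action": "sts:AssumeRole"}]}""")

# The trust policy quoted in the answer above.
REGIONAL = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"Service":
     ["amplify.eu-south-1.amazonaws.com", "amplify.amazonaws.com"]},
   "Action": "sts:AssumeRole"}]}""")

if __name__ == "__main__":
    # For a live role, save the document first, e.g. with the AWS CLI:
    #   aws iam get-role --role-name <role> --query Role.AssumeRolePolicyDocument
    for name, doc in (("global-only", GLOBAL_ONLY), ("regional", REGIONAL)):
        print(name, "missing:", missing_amplify_principals(doc, "eu-south-1"))
```

An empty result means both principals are trusted; any name returned is a service principal to add to the role's trust policy.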
