
Amplify publish failed - Missing cloudfront permission for user


Before opening, please confirm:

  • I have installed the latest version of the Amplify CLI (see above), and confirmed that the issue still persists.
  • I have searched for duplicate or closed issues.
  • I have read the guide for submitting bug reports.
  • I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
  • I have removed any sensitive information from my code snippets and submission.

How did you install the Amplify CLI?

npm

If applicable, what version of Node.js are you using?

v17.3

Amplify CLI Version

7.6.19

What operating system are you using?

Macos

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

None

Amplify Categories

hosting

Amplify Commands

publish

Describe the bug

Created user through config walkthrough. This created a user with the [AdministratorAccess-Amplify] policy. Pulled existing backend. Added hosting using S3 and production.

Publish started for S3AndCloudFront
An error occurred during the publish operation: User: arn:aws:iam::xxx:user/xx is not authorized to perform: cloudfront:GetCloudFrontOriginAccessIdentity on resource: arn:aws:cloudfront::xx:origin-access-identity/xx because no identity-based policy allows the cloudfront:GetCloudFrontOriginAccessIdentity action

Added CloudFrontFullAccess policy to user and the publish succeeded.

Expected behavior

No error.

Reproduction steps

  1. amplify configure (create new user)
  2. amplify pull (existing)
  3. amplify add hosting (s3, production)
  4. amplify publish

Additional information

No response

Top GitHub Comments

2 reactions
josefaidt commented, Mar 16, 2022

Hey @ktmdan and @daichi-yamauchi 👋 thanks for raising this! I was able to successfully reproduce by using the following steps:

  1. create a new project with amplify init -y using a profile with AdministratorAccess-Amplify
  2. create a sample index.html file at dist/index.html
  3. create a sample build command
  4. amplify add hosting > s3 PROD
  5. amplify publish
  6. observe error

As noted this can be mitigated by providing an inline policy to the created IAM user:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudfront:GetCloudFrontOriginAccessIdentity"
            ],
            "Resource": "*"
        }
    ]
}

Although this action is available in the managed policy, the condition requires the call to originate from CloudFormation, which is causing the CLI to error on publish:

{
    "Sid": "CLIManageviaCFNPolicy",
    "Effect": "Allow",
    "Action": [
        // ...
        "cloudfront:GetCloudFrontOriginAccessIdentity",
        // ...
    ],
    "Resource": "*",
    "Condition": {
        "ForAnyValue:StringEquals": {
            "aws:CalledVia": [
                "cloudformation.amazonaws.com"
            ]
        }
    }
},

Marking as a bug 🙂

0 reactions
0618 commented, Aug 21, 2022

A temporary solution to this issue is to manually add the policy on IAM.

The easiest way is to add the following JSON to the inline policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudfront:GetCloudFrontOriginAccessIdentityConfig",
                "cloudfront:GetCloudFrontOriginAccessIdentity"
            ],
            "Resource": "arn:aws:cloudfront::xxxxxxxxxxxx:origin-access-identity/*"
        }
    ]
}
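The two comments above describe the same mechanism from both sides: the managed AdministratorAccess-Amplify statement grants cloudfront:GetCloudFrontOriginAccessIdentity only when aws:CalledVia contains cloudformation.amazonaws.com (which a direct CLI call never sets), and an inline policy without that condition, ideally scoped to the origin-access-identity ARN rather than "*", closes the gap. The following is an added example, not code from the Amplify project or from either commenter: a deliberately small Python model of the IAM Allow-statement logic (Action and Resource wildcard matching plus the ForAnyValue:StringEquals set condition) run over the two policies quoted in the thread. The account id, the OAI id and the policy dictionaries are constructed for the example; real IAM evaluation also handles Deny, NotAction, SCPs and permission boundaries, which this model leaves out.

```python
"""Toy IAM Allow-evaluation over the policies quoted in this issue.

Added example (not Amplify project code). Models only: Allow statements,
Action/Resource wildcards, and the ForAnyValue:StringEquals condition on the
multivalued aws:CalledVia request key. Deny, NotAction, SCPs and permission
boundaries are deliberately omitted.
"""
import fnmatch

# Shape of the CLIManageviaCFNPolicy statement quoted above (excerpt, constructed).
MANAGED_POLICY_EXCERPT = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CLIManageviaCFNPolicy",
            "Effect": "Allow",
            "Action": ["cloudfront:GetCloudFrontOriginAccessIdentity"],
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:CalledVia": ["cloudformation.amazonaws.com"]
                }
            },
        }
    ],
}

# Resource-scoped inline policy from the second comment; 111111111111 is a placeholder account id.
SCOPED_INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudfront:GetCloudFrontOriginAccessIdentityConfig",
                "cloudfront:GetCloudFrontOriginAccessIdentity",
            ],
            "Resource": "arn:aws:cloudfront::111111111111:origin-access-identity/*",
        }
    ],
}

# Constructed OAI ARN of the kind shown (redacted) in the error message.
OAI_ARN = "arn:aws:cloudfront::111111111111:origin-access-identity/EXAMPLEOAIID"


def _as_list(value):
    """IAM allows a string or a list of strings in Action/Resource/condition values."""
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Evaluate the condition block against the request context.

    A missing request key makes a ForAnyValue:* condition evaluate to false,
    which is exactly why a direct CLI call (no aws:CalledVia) is refused.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = _as_list(context.get(key, []))
            expected = _as_list(expected)
            if operator == "StringEquals":
                if len(actual) != 1 or actual[0] not in expected:
                    return False
            elif operator == "ForAnyValue:StringEquals":
                if not any(a in expected for a in actual):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled here")
    return True


def is_allowed(policies, action, resource, context=None):
    """Return True if any Allow statement in any policy matches action, resource and context."""
    context = context or {}
    for policy in policies:
        for stmt in policy["Statement"]:
            if stmt.get("Effect") != "Allow":
                continue
            # Action names are matched case-insensitively, with * and ? wildcards.
            if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
                continue
            if not _condition_matches(stmt.get("Condition", {}), context):
                continue
            return True
    return False


def publish_scenarios():
    """The three situations from the thread, as (label, allowed) pairs."""
    action = "cloudfront:GetCloudFrontOriginAccessIdentity"
    via_cfn = {"aws:CalledVia": ["cloudformation.amazonaws.com"]}
    return {
        "managed policy, direct CLI call": is_allowed([MANAGED_POLICY_EXCERPT], action, OAI_ARN),
        "managed policy, via CloudFormation": is_allowed([MANAGED_POLICY_EXCERPT], action, OAI_ARN, via_cfn),
        "managed + scoped inline, direct CLI call": is_allowed(
            [MANAGED_POLICY_EXCERPT, SCOPED_INLINE_POLICY], action, OAI_ARN),
    }


if __name__ == "__main__":
    for label, allowed in publish_scenarios().items():
        print(f"{label}: {'allowed' if allowed else 'denied'}")
```

The third scenario is the fix from the comments; the scoped inline policy also refuses the same action on an OAI in another account and refuses unrelated CloudFront actions, which is the advantage of the ARN-scoped Resource over the "*" variant in the first comment.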