Thank you for providing what looks to be a great example of Amplify PubSub. Unfortunately, I'm having a little difficulty getting it to push.
Here's the error I encounter:
CREATE_IN_PROGRESS MFALambdaInputs Custom::LambdaCallout Thu Aug 04 2022 17:24:10 GMT-0500 (Central Daylight Time) Resource creation Initiated
CREATE_FAILED MFALambdaInputs Custom::LambdaCallout Thu Aug 04 2022 17:24:10 GMT-0500 (Central Daylight Time) Received response status [FAILED] from custom resource. Message returned: See the details in CloudWatch Log Stream: 2022/08/04/[$LATEST]a7e9081734a84db0805df63d83ac7d7c (RequestId: 66da938d-7b43-4aaf-9986-90d382a220aa)
⠏ Updating resources in the cloud. This may take a few minutes...
CREATE_COMPLETE DeploymentAPIGWamplifytoolkitc98b7934 AWS::ApiGateway::Deployment Thu Aug 04 2022 17:24:10 GMT-0500 (Central Daylight Time)
⠋ Updating resources in the cloud. This may take a few minutes...
CREATE_COMPLETE UserPoolClientLambdaPolicy AWS::IAM::Policy Thu Aug 04 2022 17:24:13 GMT-0500 (Central Daylight Time)
⠙ Updating resources in the cloud. This may take a few minutes...
CREATE_COMPLETE functionechoApiPermissionamplifytoolkit AWS::Lambda::Permission Thu Aug 04 2022 17:24:19 GMT-0500 (Central Daylight Time)
CREATE_COMPLETE functionaddIotPolicyToFederatedUserPermissionamplifytoolkit AWS::Lambda::Permission Thu Aug 04 2022 17:24:19 GMT-0500 (Central Daylight Time)
⠸ Updating resources in the cloud. This may take a few minutes...
CREATE_IN_PROGRESS UserPoolClientLogPolicy AWS::IAM::Policy Thu Aug 04 2022 17:24:16 GMT-0500 (Central Daylight Time)
CREATE_IN_PROGRESS UserPoolClientLogPolicy AWS::IAM::Policy Thu Aug 04 2022 17:24:17 GMT-0500 (Central Daylight Time) Resource creation Initiated
⠦ Updating resources in the cloud. This may take a few minutes...
CREATE_COMPLETE PolicyAPIGWamplifytoolkitauth AWS::IAM::Policy Thu Aug 04 2022 17:24:22 GMT-0500 (Central Daylight Time)
CREATE_COMPLETE amplify-awstoolkit-dev-144721-apiamplifytoolkit-14CWCOFZBK6FR AWS::CloudFormation::Stack Thu Aug 04 2022 17:24:24 GMT-0500 (Central Daylight Time)
⠏ Updating resources in the cloud. This may take a few minutes...
CREATE_COMPLETE UserPoolClientLogPolicy AWS::IAM::Policy Thu Aug 04 2022 17:24:30 GMT-0500 (Central Daylight Time)
CREATE_IN_PROGRESS UserPoolClientInputs Custom::LambdaCallout Thu Aug 04 2022 17:24:33 GMT-0500 (Central Daylight Time)
⠇ Updating resources in the cloud. This may take a few minutes...
CREATE_COMPLETE apiamplifytoolkit AWS::CloudFormation::Stack Thu Aug 04 2022 17:24:35 GMT-0500 (Central Daylight Time)
CREATE_IN_PROGRESS APIGatewayAuthStack AWS::CloudFormation::Stack Thu Aug 04 2022 17:24:36 GMT-0500 (Central Daylight Time)
CREATE_IN_PROGRESS APIGatewayAuthStack AWS::CloudFormation::Stack Thu Aug 04 2022 17:24:37 GMT-0500 (Central Daylight Time) Resource creation Initiated
⠙ Updating resources in the cloud. This may take a few minutes...
CREATE_IN_PROGRESS amplify-awstoolkit-dev-144721-APIGatewayAuthStack-1GRMIMHP8N1IA AWS::CloudFormation::Stack Thu Aug 04 2022 17:24:37 GMT-0500 (Central Daylight Time) User Initiated
⠼ Updating resources in the cloud. This may take a few minutes...
CREATE_IN_PROGRESS UserPoolClientInputs Custom::LambdaCallout Thu Aug 04 2022 17:24:36 GMT-0500 (Central Daylight Time) Resource creation Initiated
CREATE_COMPLETE UserPoolClientInputs Custom::LambdaCallout Thu Aug 04 2022 17:24:36 GMT-0500 (Central Daylight Time)
CREATE_IN_PROGRESS IdentityPool AWS::Cognito::IdentityPool Thu Aug 04 2022 17:24:39 GMT-0500 (Central Daylight Time)
⠹ Updating resources in the cloud. This may take a few minutes...
CREATE_IN_PROGRESS IdentityPool AWS::Cognito::IdentityPool Thu Aug 04 2022 17:24:40 GMT-0500 (Central Daylight Time) Resource creation Initiated
⠼ Updating resources in the cloud. This may take a few minutes...
CREATE_IN_PROGRESS PolicyAPIGWAuth1 AWS::IAM::ManagedPolicy Thu Aug 04 2022 17:24:40 GMT-0500 (Central Daylight Time)
CREATE_IN_PROGRESS PolicyAPIGWAuth1 AWS::IAM::ManagedPolicy Thu Aug 04 2022 17:24:41 GMT-0500 (Central Daylight Time) Resource creation Initiated
⠧ Updating resources in the cloud. This may take a few minutes...
CREATE_COMPLETE IdentityPool AWS::Cognito::IdentityPool Thu Aug 04 2022 17:24:41 GMT-0500 (Central Daylight Time)
CREATE_IN_PROGRESS IdentityPoolRoleMap AWS::Cognito::IdentityPoolRoleAttachment Thu Aug 04 2022 17:24:44 GMT-0500 (Central Daylight Time)
⠼ Updating resources in the cloud. This may take a few minutes...
CREATE_IN_PROGRESS IdentityPoolRoleMap AWS::Cognito::IdentityPoolRoleAttachment Thu Aug 04 2022 17:24:45 GMT-0500 (Central Daylight Time) Resource creation Initiated
CREATE_COMPLETE IdentityPoolRoleMap AWS::Cognito::IdentityPoolRoleAttachment Thu Aug 04 2022 17:24:45 GMT-0500 (Central Daylight Time)
⠼ Updating resources in the cloud. This may take a few minutes...
CREATE_FAILED amplify-awstoolkit-dev-144721-authawstoolkitd5af8046d5af8046-1DEC82VDPZYAH AWS::CloudFormation::Stack Thu Aug 04 2022 17:24:46 GMT-0500 (Central Daylight Time) The following resource(s) failed to create: [MFALambdaInputs].
⠴ Updating resources in the cloud. This may take a few minutes...
CREATE_FAILED authawstoolkitd5af8046d5af8046 AWS::CloudFormation::Stack Thu Aug 04 2022 17:24:52 GMT-0500 (Central Daylight Time) Embedded stack arn:aws:cloudformation:us-east-2:903348424385:stack/amplify-awstoolkit-dev-144721-authawstoolkitd5af8046d5af8046-1DEC82VDPZYAH/fea31b60-1443-11ed-991f-02777b302cd0 was not successfully created: The following resource(s) failed to create: [MFALambdaInputs].
CREATE_FAILED APIGatewayAuthStack AWS::CloudFormation::Stack Thu Aug 04 2022 17:24:52 GMT-0500 (Central Daylight Time) Resource creation cancelled
UPDATE_ROLLBACK_IN_PROGRESS amplify-awstoolkit-dev-144721 AWS::CloudFormation::Stack Thu Aug 04 2022 17:24:53 GMT-0500 (Central Daylight Time) The following resource(s) failed to create: [APIGatewayAuthStack, authawstoolkitd5af8046d5af8046].
⠏ Updating resources in the cloud. This may take a few minutes...
CREATE_COMPLETE PolicyAPIGWAuth1 AWS::IAM::ManagedPolicy Thu Aug 04 2022 17:24:54 GMT-0500 (Central Daylight Time)
⠧ Updating resources in the cloud. This may take a few minutes...
UPDATE_ROLLBACK_COMPLETE_CLEANUP_IN_PROGRESS amplify-awstoolkit-dev-144721 AWS::CloudFormation::Stack Thu Aug 04 2022 17:24:59 GMT-0500 (Central Daylight Time)
⠴ Updating resources in the cloud. This may take a few minutes...
Looking at the CloudWatch logs gives:
{
  "Status": "FAILED",
  "Reason": "See the details in CloudWatch Log Stream: 2022/08/04/[$LATEST]a7e9081734a84db0805df63d83ac7d7c",
  "PhysicalResourceId": "2022/08/04/[$LATEST]a7e9081734a84db0805df63d83ac7d7c",
  "StackId": "arn:aws:cloudformation:us-east-2:903348424385:stack/amplify-awstoolkit-dev-144721-authawstoolkitd5af8046d5af8046-1DEC82VDPZYAH/fea31b60-1443-11ed-991f-02777b302cd0",
  "RequestId": "66da938d-7b43-4aaf-9986-90d382a220aa",
  "LogicalResourceId": "MFALambdaInputs",
  "NoEcho": false,
  "Data": {
    "err": {
      "message": "User: arn:aws:sts::903348424385:assumed-role/awstood5af8046_totp_lambda_role-dev/amplify-awstoolkit-dev-144721-authawstoo-MFALambda-cf6AYpRMG8fi is not authorized to perform: iam:PassRole on resource: arn:aws:iam::903348424385:role/snsd5af8046144721-dev because no identity-based policy allows the iam:PassRole action",
      "code": "AccessDeniedException",
      "time": "2022-08-04T22:24:09.016Z",
      "requestId": "89d93273-8749-47f0-8409-f46aec833856",
      "statusCode": 400,
      "retryable": false,
      "retryDelay": 26.809572796156967
    }
  }
}
The account that I'm running amplify as has administrator permissions, and I tried adding : to your lambda definition as below, but it didn't make a difference:
"lambdaexecutionpolicy": {
  "DependsOn": [
    "LambdaExecutionRole"
  ],
  "Type": "AWS::IAM::Policy",
  "Properties": {
    "PolicyName": "lambda-execution-policy",
    "Roles": [
      {
        "Ref": "LambdaExecutionRole"
      }
    ],
    "PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
          ],
          "Resource": {
            "Fn::Sub": [
              "arn:aws:logs:${region}:${account}:log-group:/aws/lambda/${lambda}:log-stream:*",
              {
                "region": {
                  "Ref": "AWS::Region"
                },
                "account": {
                  "Ref": "AWS::AccountId"
                },
                "lambda": {
                  "Ref": "LambdaFunction"
                }
              }
            ]
          }
        },
        {
          "Effect": "Allow",
          "Action": [
            "*",
            "iot:AttachPolicy",
            "cognito-idp:AdminUpdateUserAttributes",
            "cognito-idp:ListUsers"
          ],
          "Resource": "*"
        }
      ]
    }
  }
}
Any idea what I'm doing wrong?
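
An added example, not part of the original post or the project's code: it splits the AccessDenied message from the CloudWatch log above into the denied role, action and resource, then checks which Allow statements would cover that request. The helper names (`parse_denial`, `statement_allows`, `scoped_statement`) are hypothetical, and the matcher handles only literal `Action`/`Resource` strings with IAM-style `*` and `?` wildcards.

```python
import re

# Message copied from the CloudWatch log quoted in the post.
MESSAGE = (
    "User: arn:aws:sts::903348424385:assumed-role/awstood5af8046_totp_lambda_role-dev/"
    "amplify-awstoolkit-dev-144721-authawstoo-MFALambda-cf6AYpRMG8fi is not authorized "
    "to perform: iam:PassRole on resource: arn:aws:iam::903348424385:role/"
    "snsd5af8046144721-dev because no identity-based policy allows the iam:PassRole action"
)

DENIED = re.compile(
    r"User: arn:aws:sts::(?P<account>\d{12}):assumed-role/(?P<role>[^/\s]+)/(?P<session>\S+)"
    r" is not authorized to perform: (?P<action>[\w-]+:\w+) on resource: (?P<resource>\S+)"
)

def parse_denial(message):
    """Split an assumed-role AccessDenied message into role, session, action, resource."""
    match = DENIED.search(message)
    if match is None:
        raise ValueError("not an assumed-role AccessDenied message")
    return match.groupdict()

def _glob(pattern, value, ignore_case=False):
    # IAM-style wildcards: '*' matches any run of characters, '?' exactly one.
    if not isinstance(pattern, str):
        return False  # intrinsic functions such as Fn::Sub are not evaluated here
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def statement_allows(statement, action, resource):
    """True if an Allow statement covers the request (action names are case-insensitive)."""
    if statement.get("Effect") != "Allow":
        return False
    return (any(_glob(a, action, ignore_case=True) for a in _as_list(statement["Action"]))
            and any(_glob(r, resource) for r in _as_list(statement["Resource"])))

def scoped_statement(denial):
    """Narrowest statement that would satisfy the denied request."""
    return {"Effect": "Allow", "Action": denial["action"], "Resource": denial["resource"]}

# Second statement of the policy posted above, copied as literal strings.
POSTED_WILDCARD = {
    "Effect": "Allow",
    "Action": ["*", "iot:AttachPolicy", "cognito-idp:AdminUpdateUserAttributes",
               "cognito-idp:ListUsers"],
    "Resource": "*",
}
```

An identity-based statement takes effect only on the role it is attached to, so the `role` field returned by `parse_denial(MESSAGE)` is the name to compare against the role a policy edit targets. `scoped_statement` gives the same permission as the wildcard statement for this one request without granting every action on every resource.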