
Region us-east-1 Has IAM Role Issues #1726

Closed
bebopinbebop opened this issue Jul 9, 2024 · 8 comments
Labels
console-builds Issues related to Amplify console builds

Comments

@bebopinbebop

Environment information

npx is not working for me, so I just pasted the node versions I have:

Node v20.15.1
NPM v10.7.0

Description

I am testing out the AWS Plaid tutorial found here:
https://aws.amazon.com/blogs/apn/how-to-build-a-fintech-app-on-aws-using-the-plaid-api/

and I was able to create my change-set and everything in Amplify, but when I went to the Frontend URL, I saw that my SAM was not running.

When I went to deploy it, I got this error in the Build Console:

2024-07-09T07:05:27.925Z [ERROR]: !!! Unable to assume specified IAM Role. Please ensure the selected IAM Role has sufficient permissions and the Trust Relationship is configured correctly.
2024-07-09T07:05:28.107Z [INFO]: # Starting environment caching...
2024-07-09T07:05:28.107Z [INFO]: # Environment caching completed

After doing some research, I found this post that says it solves the issue:
aws-amplify/amplify-hosting#828

Which they explained could be resolved by editing a service role for the Amplify instance:
https://docs.aws.amazon.com/amplify/latest/userguide/how-to-service-role-amplify-console.html

Looking further down the GitHub post, you also see that someone was not able to make the Role policy they made work because the trust relationship must be defined in a specific way:
https://stackoverflow.com/questions/65287024/permission-problem-accessing-codecommit-repository-during-build-phase

A new Role was made called AmplifyConsoleServiceRole-AmplifyRole in my IAM with the two tags:

  • FunID
  • Type

I then also added the Role to the following policies:

  • AdministratorAccess-Amplify
  • AWSCodeCommitFullAccess
  • AWSCodeCommitPowerUser

and I edited the Trust Relationship as:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "amplify.amazonaws.com",
                    "amplify.us-east-1.amazonaws.com",
                    "codecommit.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:amplify:us-east-1:<AWS_ID>:apps/*"
                },
                "StringEquals": {
                    "aws:SourceAccount": "<AWS_ID>"
                }
            }
        }
    ]
}

where <AWS_ID> is my AWS number.

Looking at the blogs like the ones above and this here:
https://medium.com/@kamal.maiti/you-might-be-clueless-as-to-why-aws-assume-role-isnt-working-despite-being-correctly-set-up-1b3138519c07

It seems that the region I'm in is the problem or I am not properly defining the Trust Relationship for the Service Role.

Forgive the noob GitHub post, I'm new to asking for help.

Thanks

@bebopinbebop bebopinbebop added the pending-triage Incoming issues that need categorization label Jul 9, 2024
@ykethan ykethan added the console Issues related to Amplify console UI/UX label Jul 9, 2024
@Jay2113

Jay2113 commented Jul 9, 2024

Hi @bebopinbebop 👋 , thanks for reaching out and providing detailed information. Based on the error message from the build logs, the root cause appears to be either of the following:

  • The service role is not attached to the app, which is required to deploy backend resources in your account.
  • Amplify's build process assumes the service role on the app, and it's likely that the trust policy on the service role is defined inaccurately.

Could you verify the following?

  • Ensure that a service role is attached to the app (with the AdministratorAccess-Amplify IAM policy).
  • Use a trust relationship without the condition attribute:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "amplify.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

@Jay2113 Jay2113 added console-builds Issues related to Amplify console builds pending-response Issue is pending response from author and removed console Issues related to Amplify console UI/UX labels Jul 9, 2024
@Jay2113 Jay2113 self-assigned this Jul 9, 2024
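As an added check that is not part of this thread or of Amplify's own tooling, the script below compares a saved trust policy against the shape recommended above (one Allow statement letting amplify.amazonaws.com call sts:AssumeRole, with no Condition block and no extra principals). The two policies are constructed samples based on the JSON posted in this issue; 111122223333 is a placeholder account id.

```python
import json

AMPLIFY_SERVICE = "amplify.amazonaws.com"

# Constructed samples: the recommended policy from this thread and a variant with the
# extras that were tried above. 111122223333 is a placeholder account id, not a real one.
RECOMMENDED = json.loads("""{"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "amplify.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}""")
POSTED = json.loads("""{"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": ["amplify.amazonaws.com", "amplify.us-east-1.amazonaws.com",
                              "codecommit.amazonaws.com"],
                  "AWS": "arn:aws:iam::111122223333:user/user_bob"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}}}]}""")


def _as_list(value):
    """IAM accepts a scalar or a list for Statement, Action and Principal entries."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_amplify_trust_policy(policy):
    """Return findings for a role trust policy meant for Amplify builds.
    An empty list means the policy has the recommended shape: an Allow statement
    letting amplify.amazonaws.com call sts:AssumeRole, no Condition, no extra principals."""
    findings = []
    grants = []
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            continue  # "*" or a malformed principal is never the Amplify service
        services = _as_list(principal.get("Service"))
        if (stmt.get("Effect") == "Allow" and AMPLIFY_SERVICE in services
                and "sts:AssumeRole" in _as_list(stmt.get("Action"))):
            grants.append((stmt, principal, services))
    if not grants:
        findings.append(f"no Allow statement lets {AMPLIFY_SERVICE} call sts:AssumeRole")
    for stmt, principal, services in grants:
        if "Condition" in stmt:
            findings.append("Condition block present; the recommended policy has none")
        for svc in services:
            if svc != AMPLIFY_SERVICE:
                findings.append(f"extra service principal {svc} is not needed for Amplify builds")
        for arn in _as_list(principal.get("AWS")):
            findings.append(f"IAM principal {arn} can also assume the role; not needed, widens trust")
    return findings
```

Run it on the JSON from the role's "Trust relationships" tab (json.load on the saved file) before attaching the role to the app; anything it reports is a deviation from the recommended policy, not necessarily the cause of a build failure.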
@bebopinbebop
Author

Hey Jay! Thanks for taking the time to answer me, didn't think it would be that quick.

Okay so I think I got the Role attached for service roles here, which is what I did before:

[Screenshot 2024-07-11 at 7 02 03 PM]

and my trust relationship already included the parameters you laid out, I just added more because I was not sure if I was covering all my bases:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "amplify.us-east-1.amazonaws.com",
                    "amplify.amazonaws.com",
                    "codecommit.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "<AWS_ID>"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:amplify:us-east-1:<AWS_ID>:apps/*"
                }
            }
        }
    ]
}

I did try copying and entering what you gave me and it did not work, unfortunately.

The only thing I can think of is either I'm blind to AWS Roles or I'm missing a setting for us-east-1.

What would you suggest?

@github-actions github-actions bot removed the pending-response Issue is pending response from author label Jul 11, 2024
@bebopinbebop
Author

bebopinbebop commented Jul 13, 2024

Alright, I really need help here, cause I feel like I've exhausted all of my ability.

I created a new user (user_bob) and gave them the following Permission Policies:

  1. AdministratorAccess
  2. AdministratorAccess-Amplify
  3. AWSCodeCommitFullAccess
  4. AWSCodeCommitPowerUser

I also added a Tag of "Type":"FunID", as explained in the Stack Overflow here: https://medium.com/@kamal.maiti/you-might-be-clueless-as-to-why-aws-assume-role-isnt-working-despite-being-correctly-set-up-1b3138519c07

Then I edited the Service Role "AmplifyConsoleServiceRole-AmplifyRole" to include:

  1. AdministratorAccess-Amplify
  2. AWSCodeCommitFullAccess
  3. AWSCodeCommitPowerUser

The Service Role was given the trust relationship of:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "amplify.amazonaws.com",
                    "amplify.us-east-1.amazonaws.com"
                ],
                "AWS": "arn:aws:iam::<AWS_ID>:user/user_bob"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

I explicitly added the user's ARN so that it was a direct relationship to remove ambiguity.

Then I attached the Service Role to my Amplify app, as proof in the image:
[image]

After that, I logged into the AWS console using user_bob credentials and tried running the app in Amplify, to no success.
I keep getting:

2024-07-13T02:16:15.149Z [ERROR]: !!! Unable to assume specified IAM Role. Please ensure the selected IAM Role has sufficient permissions and the Trust Relationship is configured correctly.
2024-07-13T02:16:15.241Z [INFO]: # Starting environment caching...
2024-07-13T02:16:15.241Z [INFO]: # Environment caching completed

I think there is some very specific setting I am missing or there is a service error.

Please help, I'm lost.

@Jay2113

Jay2113 commented Jul 15, 2024

Hi @bebopinbebop, thanks for sharing the additional details. To expedite the troubleshooting process, I can jump on a call with you to have a screen sharing session to debug this error. Can you share your availability via a DM on our community Discord server? My username is Jay Raval.

@Jay2113 Jay2113 added the pending-response Issue is pending response from author label Jul 15, 2024
@bebopinbebop
Author

Okay thanks! Just added you

@github-actions github-actions bot removed the pending-response Issue is pending response from author label Jul 15, 2024
@Jay2113

Jay2113 commented Jul 16, 2024

To summarize our discussion, the root cause of the deployment failures appeared to be the following:

  • Although the GitHub app was installed, it did not have access to the repository.
  • The source code for the app was nested under a frontend folder, which contained an amplify.yml file as the build specification. We needed to update this file by adding the appropriate applications and appRoot configurations.

@Jay2113 Jay2113 added pending-response Issue is pending response from author and removed pending-triage Incoming issues that need categorization labels Jul 16, 2024
@bebopinbebop
Author

Yeah, I have it working properly now, thanks to you!

So what we did, for those reading up on this chain, is that instead of following the push instructions from the repo (https://github.com/aws-samples/aws-plaid-demo-app) where it would create a data set and then construct the Amplify backend, we just created a new project in Amplify and then took the fork that I had in my repo.

From there, we made it a monorepo and it was able to deploy, but only after ensuring that my Git was properly synced to Amplify.

The major thing that fixed this was that the project repo was from 2022, but with the updates for SAM and Amplify, rebuilding this project in Amplify V2 has worked out the issues.

That and modifying the amplify.yml file to look like this:

applications:
  - appRoot: frontend
    frontend:
      phases:
        preBuild:
          commands:
            - npm ci --no-fund --no-audit
        build:
          commands:
            - REACT_APP_BACKEND_URL=${REACT_APP_BACKEND_URL}
            - REACT_APP_COGNITO_DOMAIN=${REACT_APP_COGNITO_DOMAIN}
            - REACT_APP_COGNTIO_USERPOOL_ID=${REACT_APP_COGNTIO_USERPOOL_ID}
            - REACT_APP_COGNITO_CLIENT_ID=${REACT_APP_COGNITO_CLIENT_ID}
            - REACT_APP_GRAPHQL_URL=${REACT_APP_GRAPHQL_URL}
            - REACT_APP_REGION=${REACT_APP_REGION}
            - npm run-script build
      artifacts:
        baseDirectory: build
        files:
          - "**/*"
      cache:
        paths:
          - "node_modules/**/*"

Last but not least, during the SAM build process my previous deployment had created a Secret in my Secrets Manager that, after re-deploying the code under a new build process, was holding back the new deployment. That's because the code was autogenerating a Secret that "already existed" under a previous build.

To fix that, you have to change the name of the Credential variable from:

Name: !Sub "plaid/${PlaidEnvironment}/credentials"

to something else so that Secrets Manager can save it. Since it takes 7 days to delete a secret, it's better to create a new one and schedule the old one for the 7 day deletion.

I just renamed it to something else like:

Name: !Sub "plaid/${PlaidEnvironment}/credentials2"

I got the app to work:

https://main.d18w63q7xv2gzh.amplifyapp.com

@github-actions github-actions bot removed the pending-response Issue is pending response from author label Jul 16, 2024
@Jay2113

Jay2113 commented Jul 16, 2024

@bebopinbebop It's great to hear that your Amplify app has been deployed successfully! Thank you for sharing the detailed steps you followed to implement the Plaid demo app. These steps can be helpful for other developers or community members. I will now close this thread.

@Jay2113 Jay2113 closed this as completed Jul 16, 2024