AccessDeniedError: Unable to get backend outputs due to insufficient permissions #2321

Closed
chrisl777 opened this issue Dec 12, 2024 · 8 comments
Labels
console-builds Issues related to Amplify console builds pending-triage Incoming issues that need categorization

Comments

@chrisl777

Environment information

System:
  OS: macOS 15.1.1
  CPU: (14) arm64 Apple M3 Max
  Memory: 142.81 MB / 36.00 GB
  Shell: /bin/zsh
Binaries:
  Node: 20.18.1 - ~/.asdf/installs/nodejs/20.18.1/bin/node
  Yarn: 1.22.22 - ~/.asdf/shims/yarn
  npm: 10.8.2 - ~/.asdf/plugins/nodejs/shims/npm
  pnpm: undefined - undefined
NPM Packages:
  @aws-amplify/auth-construct: 1.5.1
  @aws-amplify/backend: 1.9.0
  @aws-amplify/backend-auth: 1.4.2
  @aws-amplify/backend-cli: 1.4.3
  @aws-amplify/backend-data: 1.2.2
  @aws-amplify/backend-deployer: 1.1.11
  @aws-amplify/backend-function: 1.9.0
  @aws-amplify/backend-output-schemas: 1.4.0
  @aws-amplify/backend-output-storage: 1.1.4
  @aws-amplify/backend-secret: 1.1.5
  @aws-amplify/backend-storage: 1.2.4
  @aws-amplify/cli-core: 1.2.1
  @aws-amplify/client-config: 1.5.3
  @aws-amplify/deployed-backend-client: 1.4.2
  @aws-amplify/form-generator: 1.0.3
  @aws-amplify/model-generator: 1.0.9
  @aws-amplify/platform-core: 1.3.0
  @aws-amplify/plugin-types: 1.6.0
  @aws-amplify/sandbox: 1.2.7
  @aws-amplify/schema-generator: 1.2.6
  aws-amplify: 6.8.2
  aws-cdk: 2.172.0
  aws-cdk-lib: 2.172.0
  typescript: 5.6.3
No AWS environment variables
No CDK environment variables

Describe the bug

Using this command in my amplify.yml:

npx ampx generate outputs --branch $AWS_BRANCH --app-id $AWS_APP_ID

In my frontend app build, it is failing with this error:

2024-12-12T05:50:57.672Z [INFO]: AccessDeniedError: Unable to get backend outputs due to insufficient permissions.
Resolution: Ensure you have permissions to call cloudformation:GetTemplateSummary.

Reproduction steps

  • Monorepo setup with Turborepo
  • Backend is under packages/backend, frontend app is under apps/dashboard-app
  • In the Amplify console, the frontend is a separate app from the backend.

The amplify.yml:

version: 1
applications:
  - appRoot: packages/backend
    backend:
      phases:
        preBuild: 
          commands: [
            'echo BACKEND PREBUILD',
            'echo Node Version',
            'node -v',
            'nvm install 20',
            'nvm use 20',
            'echo Node Version',
            'node -v',
            'echo Yarn Version',
            'yarn -v'
          ]
        build:
          commands: [
            'echo BACKEND BUILD',
            'pwd',
            'yarn install --frozen-lockfile --cache-folder ~/.cache/yarn',
            'npx ampx pipeline-deploy --branch $AWS_BRANCH --app-id $AWS_APP_ID'
          ]
      cache: 
        paths: 
          - '~/.cache/yarn'
    frontend:
      phases:
          preBuild:
              commands: [
                'yarn install'
              ]
          build:
              commands: [
                'npx turbo run build --filter=@tabbiapp/backend'
              ]
      artifacts:
          baseDirectory: dist
          files:
              - '**/*'
      cache:
          paths:
              - 'packages/backend/node_modules/**/*'
      buildPath: packages/backend
  - appRoot: apps/dashboard-app
    backend: 
      phases: 
        build: 
          commands: [
            'echo BACKEND BUILD OUTPUTS FOR DASHBOARD APP',
            'echo BACKEND PREBUILD',
            'echo Node Version',
            'node -v',
            'nvm install 20',
            'nvm use 20',
            'echo Node Version',
            'node -v',
            'echo Yarn Version',
            'yarn -v',
            'pwd',
            'yarn install --frozen-lockfile --cache-folder ~/.cache/yarn',
            'npx ampx generate outputs --branch $AWS_BRANCH --app-id $AWS_APP_ID'
          ]
      cache: 
        paths: 
          - '~/.cache/yarn'
    frontend:
      phases:
        preBuild:
          commands:
            - echo FRONTEND PREBUILD DASHBOARD APP
            - echo Node Version 
            - node -v
            - nvm install 20 
            - nvm use 20 
            - echo Node Version
            - node -v 
            - ls -l 
            - echo Yarn Version 
            - yarn -v 
            - echo Turbo clean 
            - npx turbo run clean 
            - 'yarn install --frozen-lockfile --cache-folder ~/.cache/yarn'
        build:
          commands:
            - echo FRONTEND BUILD DASHBOARD APP
            - pwd 
            - ls -l 
            - ls -l src/
            - ls -l
            - echo Turbo Version 
            - npx turbo --version 
            - npx turbo run build --filter=dashboard-app
        postBuild: 
          commands: 
            - echo FRONTEND POSTBUILD DASHBOARD APP
            - ls -l dist 
            - ls -l
            - echo Build Done
      artifacts:
        # baseDirectory: /.next
        baseDirectory: /dist
        files:
          - '**/*'
      cache:
        paths:
          - node_modules/**/*
          - '~/.cache/yarn'
@chrisl777 chrisl777 added the pending-triage Incoming issues that need categorization label Dec 12, 2024
@ykethan ykethan added the console-builds Issues related to Amplify console builds label Dec 12, 2024
@ykethan
Member

ykethan commented Dec 12, 2024

Hey @chrisl777, thank you for reaching out. Does the service role added to the application have AmplifyBackendDeployFullAccess attached? The role should contain cloudformation:GetTemplateSummary.

@ykethan ykethan added the pending-response Issue is pending response from author label Dec 12, 2024
@chrisl777
Author

@ykethan When I go to IAM > Access management > Roles, I actually don't see any roles created for the frontend app. I do however see them created for the backend app.

@github-actions github-actions bot removed the pending-response Issue is pending response from author label Dec 12, 2024
@ykethan
Member

ykethan commented Dec 12, 2024

Hey @chrisl777, as the frontend is deployed on a different app, a service role will need to be attached to run
npx ampx generate outputs --branch <backend-app-branch> --app-id <backend-app-id>.

I was able to reproduce this; attaching the service role mitigated the issue.
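
A pre-flight check for the permission named in the error above, as an added example that is not part of the original thread or Amplify's own code: given the policy documents attached to the frontend app's service role, it reports whether cloudformation:GetTemplateSummary is allowed. The sample policies and all function names are constructed, and the evaluation is simplified to identity policies with `*` wildcards, ignoring Resource and Condition.

```typescript
// Added example. Simplified evaluation: identity policies only,
// Resource and Condition elements are ignored, only "*" wildcards are handled.
type OneOrMany = string | string[];
interface Statement { Effect: "Allow" | "Deny"; Action?: OneOrMany; NotAction?: OneOrMany }
interface PolicyDocument { Version?: string; Statement: Statement | Statement[] }
type Verdict = "allowed" | "explicit-deny" | "implicit-deny";

// Action named in the AccessDeniedError from `ampx generate outputs`.
const REQUIRED_ACTION = "cloudformation:GetTemplateSummary";

function toList(v: OneOrMany | undefined): string[] {
  if (v === undefined) return [];
  return typeof v === "string" ? [v] : v;
}

// IAM action names are case-insensitive; "*" matches any run of characters.
function actionMatches(pattern: string, action: string): boolean {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$", "i").test(action);
}

function statementCovers(s: Statement, action: string): boolean {
  if (s.Action !== undefined) return toList(s.Action).some((p) => actionMatches(p, action));
  if (s.NotAction !== undefined) return !toList(s.NotAction).some((p) => actionMatches(p, action));
  return false;
}

// An explicit Deny in any policy wins; otherwise at least one Allow is needed.
function evaluate(policies: PolicyDocument[], action: string = REQUIRED_ACTION): Verdict {
  let allowed = false;
  for (const policy of policies) {
    const statements = Array.isArray(policy.Statement) ? policy.Statement : [policy.Statement];
    for (const s of statements) {
      if (!statementCovers(s, action)) continue;
      if (s.Effect === "Deny") return "explicit-deny";
      allowed = true;
    }
  }
  return allowed ? "allowed" : "implicit-deny";
}

// Constructed sample policies (not the contents of any AWS managed policy).
const hostingOnly: PolicyDocument = { Version: "2012-10-17", Statement: [
  { Effect: "Allow", Action: ["logs:CreateLogStream", "logs:PutLogEvents"] }] };
const stackRead: PolicyDocument = { Version: "2012-10-17", Statement:
  { Effect: "Allow", Action: ["cloudformation:Get*", "cloudformation:Describe*"] } };
const guardrail: PolicyDocument = { Version: "2012-10-17", Statement: [
  { Effect: "Deny", Action: "cloudformation:*" }] };

console.log(evaluate([hostingOnly]), evaluate([hostingOnly, stackRead]), evaluate([stackRead, guardrail]));
```

An "implicit-deny" verdict corresponds to the situation in this issue, where the frontend app's role has no statement covering the action at all.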

@ykethan ykethan added the pending-response Issue is pending response from author label Dec 12, 2024
@chrisl777
Author

chrisl777 commented Dec 12, 2024

@ykethan I'm not seeing it mentioned in the docs about attaching a service role, it would be a great addition!

https://docs.amplify.aws/react/deploy-and-host/fullstack-branching/monorepos/
or
https://docs.amplify.aws/react/deploy-and-host/fullstack-branching/mono-and-multi-repos/

How do I create that role in backend.ts with CDK, i.e. with new iam.Role(...) or new Policy(...)?

@github-actions github-actions bot removed the pending-response Issue is pending response from author label Dec 12, 2024
@chrisl777
Author

For what it's worth, I was able to go to my frontend app, then App settings > General settings, and then Edit. I was able to select the same service role being used by the backend app. The build is now working!


@ykethan
Member

ykethan commented Dec 12, 2024

Hey @chrisl777, manually creating the role should be fine, as this can be reused in other apps as well.
And thank you for the feedback; passing this to the team. I do agree adding it to the documentation would be great.
Additionally, we are looking into optionally allowing creating a role on frontend-only applications. This is currently being tracked on #2222.

@ykethan
Member

ykethan commented Dec 13, 2024

Created an issue on the documentation repository to update the relevant docs pages.
aws-amplify/docs#8163

Will close this issue as we are tracking this on aws-amplify/docs#8163 and #2222. Do reach out if you require any additional assistance.

@ykethan ykethan closed this as not planned Dec 13, 2024
@chrisl777
Author

@ykethan Excellent, thank you for your help!
