User: XXX because no identity-based policy allows the cognito-idp:GetGroup action #13980

GenGraphic · 2024-10-18T11:40:39Z

Environment information

0 verbose cli C:\Program Files\nodejs\node.exe C:\Users\Eduardo\AppData\Roaming\npm\node_modules\npm\bin\npm-cli.js
1 info using [email protected]
2 info using [email protected]
3 silly config load:file:C:\Users\Eduardo\AppData\Roaming\npm\node_modules\npm\npmrc
4 silly config load:file:F:\Projects\pensionflow\.npmrc
5 silly config load:file:C:\Users\Eduardo\.npmrc
6 silly config load:file:C:\Users\Eduardo\AppData\Roaming\npm\etc\npmrc
7 verbose title npm exec ampx info
8 verbose argv "exec" "--" "ampx" "info"
9 verbose logfile logs-max:10 dir:C:\Users\Eduardo\AppData\Local\npm-cache\_logs\2024-10-18T11_38_01_308Z-
10 verbose logfile C:\Users\Eduardo\AppData\Local\npm-cache\_logs\2024-10-18T11_38_01_308Z-debug-0.log
11 silly logfile start cleaning logs, removing 1 files
12 silly logfile done cleaning log files
13 silly packumentCache heap:4345298944 maxSize:1086324736 maxEntrySize:543162368
14 http fetch GET 200 https://registry.npmjs.org/ampx 775ms (cache miss)
15 verbose stack Error: could not determine executable to run
15 verbose stack     at getBinFromManifest (C:\Users\Eduardo\AppData\Roaming\npm\node_modules\npm\node_modules\libnpmexec\lib\get-bin-from-manifest.js:17:23)
15 verbose stack     at exec (C:\Users\Eduardo\AppData\Roaming\npm\node_modules\npm\node_modules\libnpmexec\lib\index.js:202:15)
15 verbose stack     at async Npm.exec (C:\Users\Eduardo\AppData\Roaming\npm\node_modules\npm\lib\npm.js:207:9)
15 verbose stack     at async module.exports (C:\Users\Eduardo\AppData\Roaming\npm\node_modules\npm\lib\cli\entry.js:74:5)
16 verbose pkgid [email protected]
17 error could not determine executable to run
18 verbose cwd F:\Projects\pensionflow
19 verbose os Windows_NT 10.0.22631
20 verbose node v20.17.0
21 verbose npm  v10.8.3
22 verbose exit 1
23 verbose code 1
24 error A complete log of this run can be found in: C:\Users\Eduardo\AppData\Local\npm-cache\_logs\2024-10-18T11_38_01_308Z-debug-0.log

Describe the bug

I created a new env and i tried to push the backend to it. Resulting in the following error: Resource handler returned message: "User: arn:aws:sts::XXXXX:assumed-role/eu-central-1_K3YXJVKQN_Full-access/amplifyadmin is not authorized to perform: cognito-idp:GetGroup on resource: arn:aws:cognito-idp:eu-central-1:XXXXX:userpool/eu-central-1_He0G2wrhm because no identity-based policy allows the cognito-idp:GetGroup action (Service: CognitoIdentityProvider, Status Code: 400, Request ID: abfcf153-b16b-44a8-85a7-84ead72265a6)" (RequestToken: 6b86c0b7-4b2a-ce88-1139-b91d18ccd86c, HandlerErrorCode: GeneralServiceException)

Reproduction steps

amplify push

The text was updated successfully, but these errors were encountered:

ykethan · 2024-10-18T14:01:38Z

thanks for raising this! I'm going to transfer this over to our CLI repository as this appears to be Gen 1 CLI issue.

ykethan · 2024-10-18T14:15:55Z

Hey @GenGraphic, thank you for reaching out. It appears the eu-central-1_K3YXJVKQN_Full-access role is trying to perform a GetGroup on a Cognito userpool resource. To mitigate the issue, you should be able to add the cognito-idp:GetGroup as an inline policy on the eu-central-1_K3YXJVKQN_Full-access role in the AWS IAM console.

GenGraphic · 2024-10-19T05:52:52Z

Hi @ykethan. Thank you for the fast reply, this is much appreciated. what we are trying to do is to duplicate our production env, and use it as development env. I created the new env and i get this error while trying to push the backend to the new created env. So a new user pool is created (along with functions, Tables, S3), and trying to get and create a new AdminsGroup (like we have on our prod env). So adding an inline policy is the fisrt thing i tried, but i cant give it the right Resource, since the i don't know the new user pool ARN because it doesn't exist yet. Tank you!

ykethan · 2024-10-21T20:51:18Z

@GenGraphic since the new resource name would contain a random hash value, adding the inline policy may not be idea.
but you could try adding the cognito-idp:GetGroup action similar to the managed policy for Amplify.
https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess-Amplify.html

GenGraphic · 2024-10-23T07:18:49Z

@ykethan Thanks for your Replay. I already gave the role Administrator policy, this means the role should have full access. I managed to solve the problem by adding the cognito-idp:GetGroup and cognito-idp:AddGroup to all resources (this included also the future ones) and the new env got successfully created.

github-actions · 2024-10-23T07:19:18Z

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.

GenGraphic added the pending-triage Issue is pending triage label Oct 18, 2024

ykethan transferred this issue from aws-amplify/amplify-backend Oct 18, 2024

ykethan added multienv Issues tied to multiple environment feature in the CLI pending-response Issue is pending response from the issue author labels Oct 18, 2024

github-actions bot removed the pending-response Issue is pending response from the issue author label Oct 19, 2024

ykethan added the pending-response Issue is pending response from the issue author label Oct 21, 2024

GenGraphic closed this as completed Oct 23, 2024

github-actions bot removed the pending-response Issue is pending response from the issue author label Oct 23, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

User: XXX because no identity-based policy allows the cognito-idp:GetGroup action #13980

User: XXX because no identity-based policy allows the cognito-idp:GetGroup action #13980

GenGraphic commented Oct 18, 2024

ykethan commented Oct 18, 2024

ykethan commented Oct 18, 2024

GenGraphic commented Oct 19, 2024

ykethan commented Oct 21, 2024

GenGraphic commented Oct 23, 2024

github-actions bot commented Oct 23, 2024