Amplify-cli: IAM profile permissions

Created on 24 Aug 2018  ·  8 Comments  ·  Source: aws-amplify/amplify-cli

Do you want to request a feature or report a bug?
Bug

What is the current behavior?
Documentation around the permissions needed to run the cli

Labels: documentation, pending-review, platform

All 8 comments

Would be great to get a list of this, rather than creating a user with full administrative access; would be great to pick and choose what we need based on the services we require.

Would be nice to see a breakdown of exactly what permissions are needed, as full administrative access isn't feasible in some scenarios.

Let's just get it going. The following permissions were necessary for the amplify init initialization step which creates a CloudFormation stack.

  • CloudFormation:

    • cloudformation:CreateStack - there is no AWS Managed policy for CloudFormation write permissions (only ReadOnly for CloudFormation).

    • So, I had to create a custom policy CloudFormationWritePermissions, chose CloudFormation as a service and picked the permissions from "write" section.

    • In addition to that I had to attach the AWS Managed AWSCloudFormationReadOnlyAccess otherwise the CLI succeeds to send a create stack request, but then fails to get the stack status saying AccessDenied: Resource is not in the state stackCreateComplete.

  • IAM:

    • iam:GetRole

    • iam:CreateRole - added AWS Managed IAMFullAccess policy.

  • S3:

    • s3:CreateBucket - added AWS Managed AmazonS3FullAccess policy.

One thing that could have been improved is that instead of giving full access to certain services, we could have given limited permissions by selecting the exact APIs necessary for the CLI. But I didn't bother micro-optimizing at this point.

Finally I see:

$ amplify init
Note: It is recommended to run this command from the root of your app directory
? Choose your default editor: Visual Studio Code
? Choose the type of app that you're building ios
Using default provider awscloudformation

For more information on AWS Profiles, see:
https://docs.aws.amazon.com/cli/latest/userguide/cli-multiple-profiles.html

? Do you want to use an AWS profile? Yes
? Please choose the profile you want to use my-profile
Initializing project in the cloud...

CREATE_COMPLETE AuthRole               AWS::IAM::Role             Sun Nov 25 2018 12:53:06 GMT-0800 (PST)
CREATE_COMPLETE UnauthRole             AWS::IAM::Role             Sun Nov 25 2018 12:53:06 GMT-0800 (PST)
CREATE_COMPLETE DeploymentBucket       AWS::S3::Bucket            Sun Nov 25 2018 12:53:09 GMT-0800 (PST)
CREATE_COMPLETE service-20181125125256 AWS::CloudFormation::Stack Sun Nov 25 2018 12:53:12 GMT-0800 (PST)
✔ Successfully created initial AWS cloud resources for deployments.

Your project has been successfully initialized and connected to the cloud!

Some next steps:
"amplify status" will show you what you've added already and if it's locally configured or deployed
"amplify <category> add" will allow you to add features like user login or a backend API
"amplify push" will build all your local backend resources and provision it in the cloud
"amplify publish" will build all your local backend and frontend resources (if you have hosting category added) and provision it in the cloud

Pro tip:
Try "amplify add api" to create a backend API and then "amplify publish" to deploy everything

If you decide to add Amazon Cognito based Auth provider by amplify add auth, then the following permissions are required before you do amplify push:

  • Cognito:

    • cognito-idp:CreateUserPool - added AWS Managed AmazonCognitoPowerUser policy which provides full access to the service.

  • Lambda:

    • lambda:CreateFunction - added AWS Managed AWSLambdaFullAccess policy.

If you want to add GraphQL based API provider by amplify add api, then the following permissions are required before you do amplify push.

  • AppSync:

    • appsync:CreateGraphqlApi - added AWS Managed AWSAppSyncAdministrator policy with full access.

AWS IAM > User - Add user > .. > Create policy: select JSON table then Copy&Paste

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "cloudformation:EstimateTemplateCost",
                "cloudformation:CreateStack",
                "cloudformation:List*",
                "cloudformation:ValidateTemplate",
                "cloudformation:Get*",
                "cloudformation:Describe*",
                "iam:GetRole",
                "iam:CreateRole",
                "s3:CreateBucket"
            ],
            "Resource": "*"
        }
    ]
}
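As an added example (not code from this thread or from amplify-cli), the Python below checks a policy document such as the one pasted above against the actions this thread names for each CLI step, and builds one least-privilege policy from those actions. Assumptions: the per-step action lists hold only what the thread names, so they are a lower bound rather than the complete list in the linked docs; the stack-status poll that failed without AWSCloudFormationReadOnlyAccess is taken to be cloudformation:DescribeStacks; Resource and Condition elements are ignored, which is exact only for Resource "*" statements like the pasted one.

```python
"""Offline IAM policy check for the Amplify CLI actions named in this thread.

Added example, not part of the original issue or the amplify-cli project.
Assumptions: REQUIRED_ACTIONS holds only the actions the thread names (a lower
bound, not the complete list the docs give); the stack-status poll after
CreateStack is assumed to be cloudformation:DescribeStacks; Resource and
Condition elements are ignored, which is exact only for Resource "*" policies.
"""
import json
import re

# The policy pasted in the thread, embedded so the example runs stand-alone.
THREAD_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
            "cloudformation:EstimateTemplateCost",
            "cloudformation:CreateStack",
            "cloudformation:List*",
            "cloudformation:ValidateTemplate",
            "cloudformation:Get*",
            "cloudformation:Describe*",
            "iam:GetRole",
            "iam:CreateRole",
            "s3:CreateBucket"
        ],
        "Resource": "*"
    }]
}""")

# Actions the thread names, grouped by the CLI step that needs them.
REQUIRED_ACTIONS = {
    "amplify init": [
        "cloudformation:CreateStack",
        "cloudformation:DescribeStacks",  # assumed: the status poll after CreateStack
        "iam:GetRole",
        "iam:CreateRole",
        "s3:CreateBucket",
    ],
    "amplify add auth": ["cognito-idp:CreateUserPool", "lambda:CreateFunction"],
    "amplify add api": ["appsync:CreateGraphqlApi"],
}


def _matches(pattern, action):
    """IAM action matching: case-insensitive; '*' and '?' are the only wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def action_allowed(policy, action):
    """True if some Allow statement matches and no Deny statement does.

    Explicit Deny wins, as in IAM evaluation. NotAction is not handled.
    """
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    allowed = False
    for stmt in statements:
        if any(_matches(p, action) for p in _as_list(stmt.get("Action"))):
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Per CLI step, the required actions this policy does not allow."""
    return {step: [a for a in acts if not action_allowed(policy, a)]
            for step, acts in required.items()}


def least_privilege_policy(required=REQUIRED_ACTIONS):
    """One Allow statement per CLI step, listing only the named actions.

    Resource stays "*" as in the thread's policy; narrow it to ARN patterns
    once the stack, role and bucket naming in your account is known.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": re.sub(r"\W", "", step.title()),
                "Effect": "Allow",
                "Action": sorted(acts),
                "Resource": "*",
            }
            for step, acts in required.items()
        ],
    }


if __name__ == "__main__":
    for step, gaps in missing_actions(THREAD_POLICY).items():
        print(f"{step}: {'ok' if not gaps else 'missing ' + ', '.join(gaps)}")
    print(json.dumps(least_privilege_policy(), indent=2))
```

Run against the pasted policy, `missing_actions` reports `amplify init` as covered (the `Describe*` wildcard picks up the status poll) and lists the Cognito, Lambda and AppSync create actions as missing for `add auth` and `add api`; the policy emitted by `least_privilege_policy` is what you would paste into the IAM console instead of the managed full-access policies the thread fell back on.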

Closing this issue, since this is a duplicate and we're tracking this in #351.

Cool. Thanks.

I’m using Amplify purely for its auth features, and even then only to authenticate existing users (sign in, sign out, forgot password, create password). It seems like overkill to grant admin privileges when I’m using such a small portion of the toolset. And as the front-end developer, I don’t have those privileges anyway.

IAM policy can be restricted for just the categories and features that you use as documented here: https://aws-amplify.github.io/docs/cli-toolchain/usage#iam-policy-for-the-cli

Additionally you can use MFA with short term IAM credentials: https://aws-amplify.github.io/docs/cli-toolchain/usage#iam-roles--mfa
