Amplify-cli: amplify push fails after adding new function

Created on 20 Jul 2020  ·  8 Comments  ·  Source: aws-amplify/amplify-cli

Describe the bug
After running amplify add function, and adding permissions for auth and api, when I run amplify push I get the following error:

Resource Name: CustomLambdaFunction-sfm2sj7uxzeinds73omh5lu4ci (AWS::IAM::Role)
Event Type: create
Reason: Syntax errors in policy. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 3fcf3bf7-0d51-4b4b-b9e4-99830f4c9a08)

Here's the Cloudformation file:

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Lambda Function resource stack creation using Amplify CLI",
    "Parameters": {
        "CloudWatchRule": {
            "Type": "String",
            "Default": "NONE",
            "Description": " Schedule Expression"
        },
        "env": {
            "Type": "String"
        },
        "authmyAppAuthUserPoolId": {
            "Type": "String",
            "Default": "authmyAppAuthUserPoolId"
        },
        "apimyAppGraphQLAPIIdOutput": {
            "Type": "String",
            "Default": "apimyAppGraphQLAPIIdOutput"
        },
        "apimyAppGraphQLAPIEndpointOutput": {
            "Type": "String",
            "Default": "apimyAppGraphQLAPIEndpointOutput"
        }
    },
    "Conditions": {
        "ShouldNotCreateEnvResources": {
            "Fn::Equals": [
                {
                    "Ref": "env"
                },
                "NONE"
            ]
        }
    },
    "Resources": {
        "LambdaFunction": {
            "Type": "AWS::Lambda::Function",
            "Metadata": {
                "aws:asset:path": "./src",
                "aws:asset:property": "Code"
            },
            "Properties": {
                "Handler": "index.handler",
                "FunctionName": {
                    "Fn::If": [
                        "ShouldNotCreateEnvResources",
                        "CustomLambdaFunctionCustom",
                        {
                            "Fn::Join": [
                                "",
                                [
                                    "CustomLambdaFunctionCustom",
                                    "-",
                                    {
                                        "Ref": "env"
                                    }
                                ]
                            ]
                        }
                    ]
                },
                "Environment": {
                    "Variables": {
                        "ENV": {
                            "Ref": "env"
                        },
                        "REGION": {
                            "Ref": "AWS::Region"
                        },
                        "AUTH_myAppAUTH_USERPOOLID": {
                            "Ref": "authmyAppAuthUserPoolId"
                        },
                        "API_myApp_GRAPHQLAPIIDOUTPUT": {
                            "Ref": "apimyAppGraphQLAPIIdOutput"
                        },
                        "API_myApp_GRAPHQLAPIENDPOINTOUTPUT": {
                            "Ref": "apimyAppGraphQLAPIEndpointOutput"
                        }
                    }
                },
                "Role": {
                    "Fn::GetAtt": [
                        "LambdaExecutionRole",
                        "Arn"
                    ]
                },
                "Runtime": "nodejs12.x",
                "Layers": [],
                "Timeout": "25",
                "Code": {
                    "S3Bucket": "amplify-myApp-stag-131810-deployment",
                    "S3Key": "amplify-builds/CustomLambdaFunctionCustom-366e7661746c6d325765-build.zip"
                }
            }
        },
        "LambdaExecutionRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": {
                    "Fn::If": [
                        "ShouldNotCreateEnvResources",
                        "myAppLambdaRole1064e612",
                        {
                            "Fn::Join": [
                                "",
                                [
                                    "myAppLambdaRole1064e612",
                                    "-",
                                    {
                                        "Ref": "env"
                                    }
                                ]
                            ]
                        }
                    ]
                },
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "Service": [
                                    "lambda.amazonaws.com"
                                ]
                            },
                            "Action": [
                                "sts:AssumeRole"
                            ]
                        }
                    ]
                }
            }
        },
        "lambdaexecutionpolicy": {
            "DependsOn": [
                "LambdaExecutionRole"
            ],
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyName": "lambda-execution-policy",
                "Roles": [
                    {
                        "Ref": "LambdaExecutionRole"
                    }
                ],
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Action": [
                                "logs:CreateLogGroup",
                                "logs:CreateLogStream",
                                "logs:PutLogEvents"
                            ],
                            "Resource": {
                                "Fn::Sub": [
                                    "arn:aws:logs:${region}:${account}:log-group:/aws/lambda/${lambda}:log-stream:*",
                                    {
                                        "region": {
                                            "Ref": "AWS::Region"
                                        },
                                        "account": {
                                            "Ref": "AWS::AccountId"
                                        },
                                        "lambda": {
                                            "Ref": "LambdaFunction"
                                        }
                                    }
                                ]
                            }
                        }
                    ]
                }
            }
        },
        "AmplifyResourcesPolicy": {
            "DependsOn": [
                "LambdaExecutionRole"
            ],
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyName": "amplify-lambda-execution-policy",
                "Roles": [
                    {
                        "Ref": "LambdaExecutionRole"
                    }
                ],
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Action": [
                                "cognito-idp:ConfirmSignUp",
                                "cognito-idp:AdminCreateUser",
                                "cognito-idp:CreateUserImportJob",
                                "cognito-idp:AdminSetUserSettings",
                                "cognito-idp:AdminLinkProviderForUser",
                                "cognito-idp:CreateIdentityProvider",
                                "cognito-idp:AdminConfirmSignUp",
                                "cognito-idp:AdminDisableUser",
                                "cognito-idp:AdminRemoveUserFromGroup",
                                "cognito-idp:SetUserMFAPreference",
                                "cognito-idp:SetUICustomization",
                                "cognito-idp:SignUp",
                                "cognito-idp:VerifyUserAttribute",
                                "cognito-idp:SetRiskConfiguration",
                                "cognito-idp:StartUserImportJob",
                                "cognito-idp:AdminSetUserPassword",
                                "cognito-idp:AssociateSoftwareToken",
                                "cognito-idp:CreateResourceServer",
                                "cognito-idp:RespondToAuthChallenge",
                                "cognito-idp:CreateUserPoolClient",
                                "cognito-idp:AdminUserGlobalSignOut",
                                "cognito-idp:GlobalSignOut",
                                "cognito-idp:AddCustomAttributes",
                                "cognito-idp:CreateGroup",
                                "cognito-idp:CreateUserPool",
                                "cognito-idp:AdminForgetDevice",
                                "cognito-idp:AdminAddUserToGroup",
                                "cognito-idp:AdminRespondToAuthChallenge",
                                "cognito-idp:ForgetDevice",
                                "cognito-idp:CreateUserPoolDomain",
                                "cognito-idp:AdminEnableUser",
                                "cognito-idp:AdminUpdateDeviceStatus",
                                "cognito-idp:StopUserImportJob",
                                "cognito-idp:InitiateAuth",
                                "cognito-idp:AdminInitiateAuth",
                                "cognito-idp:AdminSetUserMFAPreference",
                                "cognito-idp:ConfirmForgotPassword",
                                "cognito-idp:SetUserSettings",
                                "cognito-idp:VerifySoftwareToken",
                                "cognito-idp:AdminDisableProviderForUser",
                                "cognito-idp:SetUserPoolMfaConfig",
                                "cognito-idp:ChangePassword",
                                "cognito-idp:ConfirmDevice",
                                "cognito-idp:AdminResetUserPassword",
                                "cognito-idp:ResendConfirmationCode",
                                "cognito-identity:Describe*",
                                "cognito-identity:Get*",
                                "cognito-identity:List*",
                                "cognito-idp:Describe*",
                                "cognito-idp:AdminGetDevice",
                                "cognito-idp:AdminGetUser",
                                "cognito-idp:AdminList*",
                                "cognito-idp:List*",
                                "cognito-sync:Describe*",
                                "cognito-sync:Get*",
                                "cognito-sync:List*",
                                "iam:ListOpenIdConnectProviders",
                                "iam:ListRoles",
                                "sns:ListPlatformApplications",
                                "cognito-idp:ForgotPassword",
                                "cognito-idp:UpdateAuthEventFeedback",
                                "cognito-idp:UpdateResourceServer",
                                "cognito-idp:UpdateUserPoolClient",
                                "cognito-idp:AdminUpdateUserAttributes",
                                "cognito-idp:UpdateUserAttributes",
                                "cognito-idp:UpdateUserPoolDomain",
                                "cognito-idp:UpdateIdentityProvider",
                                "cognito-idp:UpdateGroup",
                                "cognito-idp:AdminUpdateAuthEventFeedback",
                                "cognito-idp:UpdateDeviceStatus",
                                "cognito-idp:UpdateUserPool",
                                "cognito-idp:DeleteUserPoolDomain",
                                "cognito-idp:DeleteResourceServer",
                                "cognito-idp:DeleteGroup",
                                "cognito-idp:AdminDeleteUserAttributes",
                                "cognito-idp:DeleteUserPoolClient",
                                "cognito-idp:DeleteUserAttributes",
                                "cognito-idp:DeleteUserPool",
                                "cognito-idp:AdminDeleteUser",
                                "cognito-idp:DeleteIdentityProvider",
                                "cognito-idp:DeleteUser"
                            ],
                            "Resource": [
                                {
                                    "Fn::Join": [
                                        "",
                                        [
                                            "arn:aws:cognito-idp:",
                                            {
                                                "Ref": "AWS::Region"
                                            },
                                            ":",
                                            {
                                                "Ref": "AWS::AccountId"
                                            },
                                            ":userpool/",
                                            {
                                                "Ref": "authmyAppAuthUserPoolId"
                                            }
                                        ]
                                    ]
                                }
                            ]
                        },
                        {
                            "Effect": "Allow",
                            "Action": [
                                "appsync:Create*",
                                "appsync:StartSchemaCreation",
                                "appsync:GraphQL",
                                "appsync:Get*",
                                "appsync:List*",
                                "appsync:Update*",
                                "appsync:Delete*"
                            ],
                            "Resource": [
                                {
                                    "Fn::Join": [
                                        "",
                                        [
                                            "arn:aws:appsync:",
                                            {
                                                "Ref": "AWS::Region"
                                            },
                                            ":",
                                            {
                                                "Ref": "AWS::AccountId"
                                            },
                                            ":apis/",
                                            {
                                                "Ref": "apimyAppGraphQLAPIIdOutput"
                                            },
                                            "/*"
                                        ]
                                    ]
                                }
                            ]
                        }
                    ]
                }
            }
        }
    },
    "Outputs": {
        "Name": {
            "Value": {
                "Ref": "LambdaFunction"
            }
        },
        "Arn": {
            "Value": {
                "Fn::GetAtt": [
                    "LambdaFunction",
                    "Arn"
                ]
            }
        },
        "Region": {
            "Value": {
                "Ref": "AWS::Region"
            }
        },
        "LambdaExecutionRole": {
            "Value": {
                "Ref": "LambdaExecutionRole"
            }
        }
    }
}

Amplify CLI Version
4.24.0

To Reproduce
See Describe the bug

Expected behavior
Being able to add the function, and push.

Desktop (please complete the following information):

  • OS: Mac
  • Node Version: 10.16.0

functions pending-triage

Most helpful comment

Hey,

I have exactly the same problem with v4.26.0. I already had one function. And I added another one. (so far all good.) After that I added some access with amplify function update to the old function so it can invoke the new function.

Previously I had this for the old function with some S3 and DynamoDB access already:

backend-config.json:

"function": {
    "ccfunctionuploads": {
        "build": true,
        "providerPlugin": "awscloudformation",
        "service": "Lambda",
        "dependsOn": [
            {
                "category": "storage",
                "resourceName": "ccdbuploads",
                "attributes": [
                    "Name",
                    "Arn"
                ],
                "attributeEnvMap": {
                    "Name": "TABLE_NAME",
                    "Arn": "TABLE_ARN"
                }
            },
            {
                "category": "storage",
                "resourceName": "ccs3",
                "attributes": [
                    "BucketName"
                ]
            }
        ]
    },

After adding the new access:

"function": {
    "ccfunctionuploads": {
        "build": true,
        "providerPlugin": "awscloudformation",
        "service": "Lambda",
        "dependsOn": [
            {
                "category": "storage",
                "resourceName": "ccs3",
                "attributes": [
                    "BucketName"
                ]
            },
            {
                "category": "function",
                "resourceName": "ccfunctionbackground",
                "attributes": [
                    "Name"
                ]
            }
        ]
    },

The error message I received was this:
Resource storageccdbuploadsArn must be in ARN format or "*". (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument;

It looks like it removed the ccdbuploads resource. So I thought I'd add it back. Added it back, but the same problem.

After checking the Resource configuration in the cloudformation template of the old function, I can see it added the policy here:

{
    "Effect": "Allow",
    "Action": [
        "lambda:Create*",
        "lambda:Put*",
        "lambda:Add*",
        "lambda:Get*",
        "lambda:List*",
        "lambda:Invoke*",
        "lambda:Update*",
        "lambda:Delete*",
        "lambda:Remove*"
    ],
    "Resource": [
        {
            "Fn::Join": [
                "",
                [
                    "arn:aws:lambda:",
                    {
                        "Ref": "AWS::Region"
                    },
                    ":",
                    {
                        "Ref": "AWS::AccountId"
                    },
                    ":function:",
                    {
                        "Ref": "functionccfunctionbackgroundName"
                    }
                ]
            ]
        }
    ]
}

So I decided to add the exact ARN to Resource just to try it out, but still the same issue.

Here is the mentioned lambdaexecutionpolicy:

"lambdaexecutionpolicy": {
    "DependsOn": [
        "LambdaExecutionRole"
    ],
    "Type": "AWS::IAM::Policy",
    "Properties": {
        "PolicyName": "lambda-execution-policy",
        "Roles": [
            {
                "Ref": "LambdaExecutionRole"
            }
        ],
        "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": [
                        "logs:CreateLogGroup",
                        "logs:CreateLogStream",
                        "logs:PutLogEvents"
                    ],
                    "Resource": {
                        "Fn::Sub": [
                            "arn:aws:logs:${region}:${account}:log-group:/aws/lambda/${lambda}:log-stream:*",
                            {
                                "region": {
                                    "Ref": "AWS::Region"
                                },
                                "account": {
                                    "Ref": "AWS::AccountId"
                                },
                                "lambda": {
                                    "Ref": "LambdaFunction"
                                }
                            }
                        ]
                    }
                },
                {
                    "Effect": "Allow",
                    "Action": [
                        "dynamodb:DescribeTable",
                        "dynamodb:GetItem",
                        "dynamodb:Query",
                        "dynamodb:Scan",
                        "dynamodb:PutItem",
                        "dynamodb:UpdateItem",
                        "dynamodb:DeleteItem"
                    ],
                    "Resource": [
                        {
                            "Ref": "storageccdbuploadsArn"
                        },
                        {
                            "Fn::Join": [
                                "/",
                                [
                                    {
                                        "Ref": "storageccdbuploadsArn"
                                    },
                                    "index/*"
                                ]
                            ]
                        }
                    ]
                }
            ]
        }
    }
},

Any help would be appreciated.

z
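Both the issue body and the comment above show IAM rejecting a policy document that the Amplify-generated nested template produced ("Syntax errors in policy" on the role, and "Resource storageccdbuploadsArn must be in ARN format or \"*\"" on the execution policy). The second error is what you get when a nested-stack parameter whose Default is its own name is never given a real value, so the literal "storageccdbuploadsArn" lands in a Resource entry. The following is an added example, not Amplify CLI code: an offline lint that resolves Ref, Fn::Join and Fn::Sub the way CloudFormation does when a parameter is left at its Default, and reports Resource entries that end up neither "*" nor ARN-shaped, as well as Refs to names the template never declares. The template, the parameter values and the region/account stand-ins are all constructed; the resolver covers only the three intrinsics used by the templates on this page.

```python
import re

# Constructed stand-ins for CloudFormation pseudo-parameters (not real account data).
PSEUDO = {"AWS::Region": "us-east-1", "AWS::AccountId": "123456789012"}
# Loose ARN shape: arn:partition:service:region:account:resource (region/account may be empty).
ARN_RE = re.compile(r"^arn:[^:]+:[^:]+:[^:]*:[^:]*:.+$")


class UnresolvedRef(Exception):
    """A Ref that points at nothing in the template and has no supplied value."""


def resolve(node, template, values=None):
    """Resolve one template value to the string CloudFormation would produce.
    `values` plays the parent stack's parameter values; anything missing from it
    falls back to the parameter's Default, exactly as CloudFormation does."""
    values = values or {}
    if isinstance(node, str):
        return node
    if isinstance(node, dict) and len(node) == 1:
        (fn, arg), = node.items()
        if fn == "Ref":
            if arg in PSEUDO:
                return PSEUDO[arg]
            if arg in values:
                return str(values[arg])
            params = template.get("Parameters", {})
            if arg in params:
                if "Default" not in params[arg]:
                    raise UnresolvedRef(f"parameter {arg} has no value and no Default")
                return str(params[arg]["Default"])
            if arg in template.get("Resources", {}):
                return f"<{arg}>"  # physical id is only known at deploy time
            raise UnresolvedRef(f"Ref to undeclared {arg}")
        if fn == "Fn::Join":
            sep, parts = arg
            return sep.join(resolve(p, template, values) for p in parts)
        if fn == "Fn::Sub":
            text, variables = (arg, {}) if isinstance(arg, str) else arg
            def expand(m):
                name = m.group(1)
                if name in variables:
                    return resolve(variables[name], template, values)
                return resolve({"Ref": name}, template, values)
            return re.sub(r"\$\{([^}]+)\}", expand, text)
    raise UnresolvedRef(f"unsupported value {node!r}")


def lint_policy_resources(template, values=None):
    """Return (logical_id, resolved_value_or_None, problem) for every Resource entry
    IAM would reject: anything that resolves to neither "*" nor an ARN shape."""
    findings = []
    params = template.get("Parameters", {})
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        docs = [props["PolicyDocument"]] if "PolicyDocument" in props else []
        docs += [p["PolicyDocument"] for p in props.get("Policies", [])]  # inline role policies
        for doc in docs:
            statements = doc.get("Statement", [])
            statements = [statements] if isinstance(statements, dict) else statements
            for stmt in statements:
                resources = stmt.get("Resource", [])
                resources = resources if isinstance(resources, list) else [resources]
                for entry in resources:
                    try:
                        value = resolve(entry, template, values)
                    except UnresolvedRef as exc:
                        findings.append((logical_id, None, str(exc)))
                        continue
                    if value == "*" or ARN_RE.match(value):
                        continue
                    problem = "not in ARN format or *"
                    if value in params and params[value].get("Default") == value:
                        problem += f" (parameter {value} left at its placeholder Default)"
                    findings.append((logical_id, value, problem))
    return findings


# Constructed template modelled on the lambdaexecutionpolicy shown in this thread.
REGION, ACCOUNT = {"Ref": "AWS::Region"}, {"Ref": "AWS::AccountId"}
BROKEN = {
    "Parameters": {"env": {"Type": "String"},
                   "storageccdbuploadsArn": {"Type": "String", "Default": "storageccdbuploadsArn"}},
    "Resources": {
        "LambdaFunction": {"Type": "AWS::Lambda::Function", "Properties": {}},
        "lambdaexecutionpolicy": {"Type": "AWS::IAM::Policy", "Properties": {"PolicyDocument": {
            "Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": ["logs:PutLogEvents"], "Resource": {"Fn::Sub": [
                    "arn:aws:logs:${region}:${account}:log-group:/aws/lambda/${lambda}:log-stream:*",
                    {"region": REGION, "account": ACCOUNT, "lambda": {"Ref": "LambdaFunction"}}]}},
                {"Effect": "Allow", "Action": ["dynamodb:GetItem"], "Resource": [
                    {"Ref": "storageccdbuploadsArn"},
                    {"Fn::Join": ["/", [{"Ref": "storageccdbuploadsArn"}, "index/*"]]}]},
                {"Effect": "Allow", "Action": ["lambda:Invoke*"], "Resource": [{"Fn::Join": ["", [
                    "arn:aws:lambda:", REGION, ":", ACCOUNT, ":function:",
                    {"Ref": "functionccfunctionbackgroundName"}]]}]}]}}},
    },
}
# Constructed values a parent stack would pass once both dependencies are wired up.
WIRED = {"storageccdbuploadsArn": "arn:aws:dynamodb:us-east-1:123456789012:table/ccdbuploads-dev",
         "functionccfunctionbackgroundName": "ccfunctionbackground-dev"}

if __name__ == "__main__":
    for logical_id, value, problem in lint_policy_resources(BROKEN):
        print(f"{logical_id}: {value!r}: {problem}")
    print("with parameters supplied:", lint_policy_resources(BROKEN, WIRED))
```

Run as-is, the lint reports three findings for the constructed template: the bare placeholder "storageccdbuploadsArn", the joined "storageccdbuploadsArn/index/*", and the Ref to "functionccfunctionbackgroundName", which no parameter declares. Passing WIRED, standing in for the values the parent stack supplies when the dependsOn entries are present, clears all three, which is the check worth running against the generated templates before amplify push rather than after the stack has failed.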

All 8 comments

Hi @VicFrolov did you make any manual changes to the cloudformation template for functions?

Hi @nikhname I did not. I actually scrapped this environment, created a new one off of production. I did the exact same steps, except this time I didn't add any access (no api or auth, no layers, no schedule), and same issue. Now I am getting An error occurred during the push operation: Resource is not in the state stackUpdateComplete. If I dig through the logs, I do see the malformedPolicyDocument error again:

 Syntax errors in policy. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 04ef5f02-061e-45e5-8b84-410946efdc2d)

The output of this new cloudformation doc (that I did not edit):

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Lambda Function resource stack creation using Amplify CLI",
    "Parameters": {
        "CloudWatchRule": {
            "Type": "String",
            "Default": "NONE",
            "Description": " Schedule Expression"
        },
        "env": {
            "Type": "String"
        }
    },
    "Conditions": {
        "ShouldNotCreateEnvResources": {
            "Fn::Equals": [
                {
                    "Ref": "env"
                },
                "NONE"
            ]
        }
    },
    "Resources": {
        "LambdaFunction": {
            "Type": "AWS::Lambda::Function",
            "Metadata": {
                "aws:asset:path": "./src",
                "aws:asset:property": "Code"
            },
            "Properties": {
                "Handler": "index.handler",
                "FunctionName": {
                    "Fn::If": [
                        "ShouldNotCreateEnvResources",
                        "myFunction",
                        {
                            "Fn::Join": [
                                "",
                                [
                                    "myFunction",
                                    "-",
                                    {
                                        "Ref": "env"
                                    }
                                ]
                            ]
                        }
                    ]
                },
                "Environment": {
                    "Variables": {
                        "ENV": {
                            "Ref": "env"
                        },
                        "REGION": {
                            "Ref": "AWS::Region"
                        }
                    }
                },
                "Role": {
                    "Fn::GetAtt": [
                        "LambdaExecutionRole",
                        "Arn"
                    ]
                },
                "Runtime": "nodejs12.x",
                "Layers": [],
                "Timeout": "25",
                "Code": {
                    "S3Bucket": "amplify-myApp-devtwo-161407-deployment",
                    "S3Key": "amplify-builds/myFunction-5336675832576f706568-build.zip"
                }
            }
        },
        "LambdaExecutionRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": {
                    "Fn::If": [
                        "ShouldNotCreateEnvResources",
                        "myAppLambdaRole3a403ae8",
                        {
                            "Fn::Join": [
                                "",
                                [
                                    "myAppLambdaRole3a403ae8",
                                    "-",
                                    {
                                        "Ref": "env"
                                    }
                                ]
                            ]
                        }
                    ]
                },
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "Service": [
                                    "lambda.amazonaws.com"
                                ]
                            },
                            "Action": [
                                "sts:AssumeRole"
                            ]
                        }
                    ]
                }
            }
        },
        "lambdaexecutionpolicy": {
            "DependsOn": [
                "LambdaExecutionRole"
            ],
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyName": "lambda-execution-policy",
                "Roles": [
                    {
                        "Ref": "LambdaExecutionRole"
                    }
                ],
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Action": [
                                "logs:CreateLogGroup",
                                "logs:CreateLogStream",
                                "logs:PutLogEvents"
                            ],
                            "Resource": {
                                "Fn::Sub": [
                                    "arn:aws:logs:${region}:${account}:log-group:/aws/lambda/${lambda}:log-stream:*",
                                    {
                                        "region": {
                                            "Ref": "AWS::Region"
                                        },
                                        "account": {
                                            "Ref": "AWS::AccountId"
                                        },
                                        "lambda": {
                                            "Ref": "LambdaFunction"
                                        }
                                    }
                                ]
                            }
                        }
                    ]
                }
            }
        }
    },
    "Outputs": {
        "Name": {
            "Value": {
                "Ref": "LambdaFunction"
            }
        },
        "Arn": {
            "Value": {
                "Fn::GetAtt": [
                    "LambdaFunction",
                    "Arn"
                ]
            }
        },
        "Region": {
            "Value": {
                "Ref": "AWS::Region"
            }
        },
        "LambdaExecutionRole": {
            "Value": {
                "Ref": "LambdaExecutionRole"
            }
        }
    }
}

I'm unfortunately blocked, as even a new environment is causing this issue.

I should also note that after I ran amplify env checkout {new-env-name}, I was able to run amplify push, so this error only occurred after adding a function via the CLI.

                                [
                                    {
                                        "Ref": "storageccdbuploadsArn"
                                    },
                                    "index/*"
                                ]
                            ]
                        }
                    ]
                }
            ]
        }
    }
},

Any help would be appreciated.


I'm having the same issue with 4.29.1

Here's the amplify command I ran

➜  client-webapp git:(redesign) ✗ amplify function update                                                                                                                                
Scanning for plugins...
Plugin scan successful
? Select which capability you want to update: Lambda function (serverless function)
? Select the Lambda function you want to update orderprocessing
? Do you want to update the Lambda function permissions to access other resources in this project? Yes
? Select the category storage
? Storage has 2 resources in this project. Select the one you would like your Lambda to access catalog, user
? Select the operations you want to permit for catalog read, update
? Select the operations you want to permit for user read, update

You can access the following resource attributes as environment variables from your Lambda function
    STORAGE_CATALOG_ARN
    STORAGE_CATALOG_NAME
    STORAGE_USER_ARN
    STORAGE_USER_NAME
? Do you want to invoke this function on a recurring schedule? No
? Do you want to configure Lambda layers for this function? No
? Do you want to edit the local lambda function now? No

Here's the CloudFormation issue after amplify push

UPDATE_FAILED      LambdaTriggerPolicy    AWS::IAM::Policy      Mon Sep 14 2020 10:38:06 GMT-0500 (Central Daylight Time) Resource storageuserArn must be in ARN format or "*". (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 2441ebfb-a943-40d8-afa7-e8165785c8ce; Proxy: null)
UPDATE_FAILED      userTriggerPolicy      AWS::IAM::Policy      Mon Sep 14 2020 10:38:05 GMT-0500 (Central Daylight Time) Resource storageuserArn must be in ARN format or "*". (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: f19f2cef-09c5-433d-b9d4-3f07c10db81f; Proxy: null)

I am getting the same problem, saying it's a malformed arn. It's been frustrating as hell because this is the core reason to use amplify and it's not working.

CREATE_IN_PROGRESS LambdaFunction AWS::Lambda::Function Mon Sep 14 2020 15:47:55 GMT-0400 (Eastern Daylight Time) Resource creation Initiated ⠸ Updating resources in the cloud. This may take a few minutes...

CREATE_FAILED AmplifyResourcesPolicy AWS::IAM::Policy Mon Sep 14 2020 15:47:59 GMT-0400 (Eastern Daylight Time) Resource creation cancelled CREATE_FAILED lambdaexecutionpolicy AWS::IAM::Policy Mon Sep 14 2020 15:47:58 GMT-0400 (Eastern Daylight Time) Resource storagecarttableArn must be in ARN format or "*". (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 4cf5cbd5-d42c-4694-85e3-e97127fe6d7f; Proxy: null) CREATE_IN_PROGRESS lambdaexecutionpolicy AWS::IAM::Policy Mon Sep 14 2020 15:47:57 GMT-0400 (Eastern Daylight Time) CREATE_COMPLETE LambdaFunction AWS::Lambda::Function Mon Sep 14 2020 15:47:55 GMT-0400 (Eastern Daylight Time) ⠋ Updating resources in the cloud. This may take a few minutes...

CREATE_FAILED amplify-lazypizza-dev-132315-functioncartfunction-Z6KD62VBFY0D AWS::CloudFormation::Stack Mon Sep 14 2020 15:48:00 GMT-0400 (Eastern Daylight Time) The following resource(s) failed to create: [lambdaexecutionpolicy, AmplifyResourcesPolicy]. ⠦ Updating resources in the cloud. This may take a few minutes...

UPDATE_ROLLBACK_IN_PROGRESS amplify-lazypizza-dev-132315 AWS::CloudFormation::Stack Mon Sep 14 2020 15:48:02 GMT-0400 (Eastern Daylight Time) The following resource(s) failed to create: [functioncartfunction]. CREATE_FAILED functioncartfunction AWS::CloudFormation::Stack Mon Sep 14 2020 15:48:01 GMT-0400 (Eastern Daylight Time) Embedded stack arn:aws:cloudformation:us-west-2:12345678:stack/amplify-lazypizza-dev-132315-functioncartfunction-Z6KD62VBFY0D/1e0c2730-f6c3-11ea-bd0a-02e3999fd011 was not successfully created: The following resource(s) failed to create: [lambdaexecutionpolicy, AmplifyResourcesPolicy]. ⠋ Updating resources in the cloud. This may take a few minutes...

Hi all, so I think I found a workaround.

Create the elements in order from top to bottom

Create Table
Then Create function and attach table
Then create api and attach function

Seems to be a chicken-or-the-egg problem, where the CFT or Amplify doesn't realize the storage table has been created and doesn't get the correct ARN passed to the policy params.

@codeglider I'm facing this issue because I need to update a function with additional permissions :/ glad to see your issue has a workaround though 👍

I created this ticket to track what I'm experiencing: https://github.com/aws-amplify/amplify-cli/issues/5333

Hi @amirhajimirsadeghi , @codeglider , @VicFrolov, @zoell

We have fixed this bug in our latest release, which adds the dependsOn section in amplify function update when giving access to other resources.
You can check the PR here: https://github.com/aws-amplify/amplify-cli/pull/5421.

I am closing this issue for now as it seems solved. If this issue persists, feel free to comment and I'll reopen it.
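As an added example (not code from this thread, nor from the Amplify CLI), here is a pre-flight check a practitioner could run before `amplify push` to catch the failure mode discussed above: a function template's IAM policy references a parameter such as `storageccdbuploadsArn`, but because amplify-meta.json has no matching `dependsOn` entry the parent stack never passes a value, so the parameter's literal default (which Amplify sets to the parameter name itself) reaches IAM and is rejected with `must be in ARN format or "*"`. The script assumes the parameter naming visible in the thread (`category + resourceName + attribute`); the trimmed function template and amplify-meta.json fragments are constructed samples, and the `with_depends_on` helper is hypothetical, used here only to show the check passing once the missing entry exists.

```python
"""Pre-flight check: IAM policy Resources in an Amplify function template that Ref a
Parameter the parent stack will not supply (no dependsOn entry in amplify-meta.json).
Without that entry the parameter's literal default reaches IAM and is rejected."""
import json
import re
import sys
from typing import Any, Iterator

# Loose ARN shape: arn:partition:service:region:account:resource (region/account may be empty).
ARN_RE = re.compile(r"^arn:[^:]+:[^:]+:[^:]*:[^:]*:.+$")

# Constructed sample: trimmed function template in the shape Amplify emits. The defaults are
# the parameter names themselves, which is what IAM sees when the parent stack passes nothing.
FUNCTION_TEMPLATE = {
    "Parameters": {
        "env": {"Type": "String"},
        "storageccdbuploadsArn": {"Type": "String", "Default": "storageccdbuploadsArn"},
        "functionccfunctionbackgroundName": {"Type": "String",
                                             "Default": "functionccfunctionbackgroundName"},
    },
    "Resources": {
        "lambdaexecutionpolicy": {
            "Type": "AWS::IAM::Policy",
            "Properties": {"PolicyDocument": {"Statement": [
                {"Effect": "Allow", "Action": ["dynamodb:GetItem"],
                 "Resource": [{"Ref": "storageccdbuploadsArn"},
                              {"Fn::Join": ["/", [{"Ref": "storageccdbuploadsArn"}, "index/*"]]}]},
                {"Effect": "Allow", "Action": ["lambda:Invoke*"],
                 "Resource": [{"Fn::Join": ["", ["arn:aws:lambda:", {"Ref": "AWS::Region"}, ":",
                                                 {"Ref": "AWS::AccountId"}, ":function:",
                                                 {"Ref": "functionccfunctionbackgroundName"}]]}]},
            ]}},
        },
    },
}

# Constructed sample: the function's amplify-meta.json entry with the storage dependsOn missing.
AMPLIFY_META_BROKEN = {"function": {"ccfunctionuploads": {"dependsOn": [
    {"category": "function", "resourceName": "ccfunctionbackground", "attributes": ["Name"]},
]}}}


def iter_refs(node: Any) -> Iterator[str]:
    """Yield every logical name referenced via Ref, or ${Var} inside Fn::Sub, recursively."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "Ref" and isinstance(value, str):
                yield value
            elif key == "Fn::Sub":
                text = value if isinstance(value, str) else value[0]
                for var in re.findall(r"\$\{([^}]+)\}", text):
                    if not var.startswith("!"):        # "${!x}" is an escaped literal
                        yield var.split(".")[0]        # "${Res.Attr}" refers to Res
                if isinstance(value, list):
                    yield from iter_refs(value[1:])    # the variable map may hold Refs too
            else:
                yield from iter_refs(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_refs(item)


def iam_resource_param_refs(template: dict) -> set:
    """Template Parameters referenced from the Resource field of any IAM policy statement."""
    params = set(template.get("Parameters", {}))
    found = set()
    for res in template.get("Resources", {}).values():
        if res.get("Type") not in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy", "AWS::IAM::Role"):
            continue
        props = res.get("Properties", {})
        docs = [props.get("PolicyDocument")] + [p.get("PolicyDocument") for p in props.get("Policies", [])]
        for doc in filter(None, docs):
            stmts = doc.get("Statement", [])
            for stmt in stmts if isinstance(stmts, list) else [stmts]:
                found.update(n for n in iter_refs(stmt.get("Resource")) if n in params)
    return found


def params_supplied_by_depends_on(meta: dict, function_name: str) -> set:
    """Parameter names the parent stack passes in, built as category + resourceName + attribute
    (the naming seen in the thread, e.g. storage + ccdbuploads + Arn). Assumed, not CLI code."""
    entry = meta.get("function", {}).get(function_name, {})
    return {f"{d['category']}{d['resourceName']}{attr}"
            for d in entry.get("dependsOn", []) for attr in d.get("attributes", [])}


def find_unresolved_arn_params(template: dict, meta: dict, function_name: str) -> list:
    """Parameters used as IAM Resources that dependsOn does not supply and whose default is no ARN."""
    supplied = params_supplied_by_depends_on(meta, function_name)
    problems = []
    for name in sorted(iam_resource_param_refs(template)):
        default = template["Parameters"][name].get("Default")
        if name in supplied or default == "*" or (isinstance(default, str) and ARN_RE.match(default)):
            continue
        problems.append(name)
    return problems


def with_depends_on(meta: dict, function_name: str, category: str, resource: str, attrs: list) -> dict:
    """Hypothetical helper: copy of meta with one dependsOn entry added, to show the check passing."""
    fixed = json.loads(json.dumps(meta))  # deep copy
    fixed.setdefault("function", {}).setdefault(function_name, {}).setdefault("dependsOn", []).append(
        {"category": category, "resourceName": resource, "attributes": list(attrs)})
    return fixed


if __name__ == "__main__":
    if len(sys.argv) == 4:  # usage: check.py <function-template.json> <amplify-meta.json> <functionName>
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            template, meta, fn = json.load(f), json.load(g), sys.argv[3]
    else:
        template, meta, fn = FUNCTION_TEMPLATE, AMPLIFY_META_BROKEN, "ccfunctionuploads"
    print("unresolved IAM resource parameters:", find_unresolved_arn_params(template, meta, fn) or "none")
```

Run against the constructed sample it reports `storageccdbuploadsArn`, the same parameter named in the `MalformedPolicyDocument` errors above; once a `storage`/`ccdbuploads` entry with the `Arn` attribute is present in `dependsOn` the list is empty. Pointed at a real `amplify/backend/function/<name>/<name>-cloudformation-template.json` and `amplify-meta.json` it gives the same answer without a round trip through CloudFormation.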
