Amplify-console: Inconsistent resource ARN syntax, breaks IAM policy

Created on 8 Aug 2019 · 5 Comments · Source: aws-amplify/amplify-console

Describe the bug
Was attempting to create an IAM policy to grant console access to developers who can trigger builds via GitHub commits, found that the resource ARN patterns for Amplify resources are inconsistently applied.

To Reproduce

  1. Using the IAM policy generator, create a policy which grants all Amplify actions on any amplify resource. Produces the following:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "amplify:CreateApp",
                    "amplify:ListApps"
                ],
                "Resource": "*"
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": "amplify:*",
                "Resource": "arn:aws:amplify:*:*:apps/*/branches/*"
            },
            {
                "Sid": "VisualEditor2",
                "Effect": "Allow",
                "Action": "amplify:*",
                "Resource": [
                    "arn:aws:amplify:*:*:apps/*/domains/*",
                    "arn:aws:amplify:*:*:apps/*/branches/*/jobs/*"
                ]
            },
            {
                "Sid": "VisualEditor3",
                "Effect": "Allow",
                "Action": "amplify:*",
                "Resource": "arn:aws:amplify:*:*:apps/*"
            }
        ]
    }
    
  2. Create an account role, attach the previously created policy.

  3. Assume the role and load the Amplify console.
  4. Click into an Amplify application. Nothing loads in the list of branches.
  5. Open the browser's JS console and look for 403s, which will look like:

    ...does not have amplify:ListDomainAssociations on resource: arn:aws:amplify:<REGION>:<ACCOUNT_ID>:/apps/<APP_HASH>/domains
    
    ...does not have amplify:ListWebhooks on resource: arn:aws:amplify:<REGION>:<ACCOUNT_ID>:/apps/<APP_HASH>/webhooks
    
  6. Note the ARN pattern difference (slash prepended to apps):

    • In the IAM statement, the resource ARNs are arn:aws:amplify:*:*:apps/...
    • In the 403 message, the resource ARNs are arn:aws:amplify:<REGION>:<ACCOUNT_ID>:/apps/...
  7. Return to primary role
  8. Alter the IAM policy statement to prepend a slash to apps in all resource ARN patterns
  9. Reassume the test role using the policy
  10. Reload the Amplify console. Some items load, but not all.
  11. In the JS console, find 403 messages like:

    ...does not have amplify:ListBranches on resource: arn:aws:amplify:<REGION>:<ACCOUNT_ID>:apps/<APP_HASH>/branches/*
    
    ...does not have arn:aws:amplify:<REGION>:<ACCOUNT_ID>:apps/<APP_HASH>/branches/*
    
  12. Return to primary role, alter IAM policy to be as follows:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "amplify:CreateApp",
                    "amplify:ListApps"
                ],
                "Resource": "*"
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": "amplify:*",
                "Resource": [
                    "arn:aws:amplify:*:*:/apps/*/branches/*",
                    "arn:aws:amplify:*:*:apps/*/branches/*"
                ]
            },
            {
                "Sid": "VisualEditor2",
                "Effect": "Allow",
                "Action": "amplify:*",
                "Resource": [
                    "arn:aws:amplify:*:*:/apps/*",
                    "arn:aws:amplify:*:*:apps/*"
                ]
            },
            {
                "Sid": "VisualEditor3",
                "Effect": "Allow",
                "Action": "amplify:*",
                "Resource": [
                    "arn:aws:amplify:*:*:/apps/*/domains/*",
                    "arn:aws:amplify:*:*:apps/*/domains/*",
                    "arn:aws:amplify:*:*:/apps/*/branches/*/jobs/*",
                    "arn:aws:amplify:*:*:apps/*/branches/*/jobs/*"
                ]
            }
        ]
    }
    
  13. Reassume test role, reload Amplify console--all features appear to be loading.

Expected behavior

Expected the IAM policy creation wizard to produce a policy capable of granting access to all Amplify actions and resources.

Additional context

Looks like there are some inconsistent resource ARN patterns in the codebase or in IAM, no idea how that all shakes out. Presumably need to standardize on whether or not to use a leading slash before apps in the pattern.

Sample code

I think it's pretty clear from the repro, but @ me if you need info.

Labels: bug, pending-customer-response
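An added example, not from the issue or the Amplify project, that reproduces the mismatch offline with a simplified IAM-style matcher: `*` in a Resource pattern spans any run of characters, so `...:apps/*` matches `...:apps/<hash>/branches/*` but can never match `...:/apps/<hash>/domains`, and `slash_tolerant` builds the step-12 workaround from the wizard's output. The region, account and app ids are constructed placeholders, and the evaluator honours only Effect/Action/Resource (no Conditions, NotAction/NotResource or other policy layers).

```python
import copy
import re
# Constructed placeholders standing in for the report's <REGION>, <ACCOUNT_ID> and <APP_HASH>.
REGION, ACCOUNT, APP = "us-east-1", "123456789012", "d1example"

# The policy the IAM wizard produced (step 1 of the report), Sid fields omitted.
WIZARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["amplify:CreateApp", "amplify:ListApps"], "Resource": "*"},
        {"Effect": "Allow", "Action": "amplify:*", "Resource": "arn:aws:amplify:*:*:apps/*/branches/*"},
        {"Effect": "Allow", "Action": "amplify:*", "Resource": [
            "arn:aws:amplify:*:*:apps/*/domains/*", "arn:aws:amplify:*:*:apps/*/branches/*/jobs/*"]},
        {"Effect": "Allow", "Action": "amplify:*", "Resource": "arn:aws:amplify:*:*:apps/*"},
    ],
}

# The 403s quoted in the report: (action, resource ARN the service authorised against).
CONSOLE_CALLS = [
    ("amplify:ListDomainAssociations", f"arn:aws:amplify:{REGION}:{ACCOUNT}:/apps/{APP}/domains"),
    ("amplify:ListWebhooks", f"arn:aws:amplify:{REGION}:{ACCOUNT}:/apps/{APP}/webhooks"),
    ("amplify:ListBranches", f"arn:aws:amplify:{REGION}:{ACCOUNT}:apps/{APP}/branches/*"),
]

def _glob(pattern):
    # IAM-style wildcard: '*' spans any run of characters (':' and '/' included), '?' exactly one.
    return re.compile("^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$")

def _matches(patterns, value):
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(_glob(p).match(value) for p in patterns)

def evaluate(policy, action, resource):
    """Simplified IAM decision: explicit Deny wins, then any matching Allow, else ImplicitDeny."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"

def slash_tolerant(policy):
    # The step-12 workaround: pair every ':apps/...' pattern with a ':/apps/...' twin.
    fixed = copy.deepcopy(policy)
    for stmt in fixed["Statement"]:
        res = [stmt["Resource"]] if isinstance(stmt["Resource"], str) else list(stmt["Resource"])
        stmt["Resource"] = res + [r.replace(":apps/", ":/apps/", 1) for r in res if ":apps/" in r]
    return fixed
```

To confirm the same action/resource pairs against real IAM rather than this approximation, run them through the IAM policy simulator.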

All 5 comments

Thanks for reporting the bug. The fix is on the way

What's the canonical pattern for the ARNs? /app or app?

arn:aws:amplify:::apps/* is the valid ARN format for our service

@nballenger we have pushed a fix. Can you please verify?

  1. Created a new policy via the policy wizard to enable all Amplify actions
  2. Attached to a testing role with no other permissions
  3. Assumed the role and viewed the Amplify console

Looks like the policy gives access to everything. Thanks for the fix, I've updated my existing roles / groups to use the new policy. Leaving the issue open because I don't want to interfere with whatever your internal process is, but feel free to close--nothing further needed on my end.
