Aws-cdk: AWS Amplify module with CodeCommit Repository

Created on 19 Mar 2020  ·  6Comments  ·  Source: aws/aws-cdk

:question: General Issue

The Question


Hello,

With the introduction of the Amplify constructors (App, Branch, Domain), I updated my code from CfnApp to App.
I'm facing a problem with the accessToken and oauthToken parameters, they are now mandatory if you connect to a repository.

I understand this behavior when you connect to a 3rd party source provider like Github, Gitlab but what about the case of CodeCommit ?
My deployment used to work with CfnApp connected to a CodeCommit repository and no token as parameters.

Best regards,

Environment

  • CDK CLI Version: 1.30.0
  • Module Version: 1.30.0
  • OS: OSX Catalina
  • Language: TypeScript

Other information


Related code from app.ts
if (props.repository && !props.accessToken && !props.oauthToken) { throw new Error('EitheraccessTokenoroauthTokenmust be specified'); }

@aws-cdaws-amplify bug efforsmall guidance in-progress p2
Source
picture kinbald

Most helpful comment

@MrArnoldPalmer we should maybe have something like a SourceCodeProvider class with static methods for the different providers. We can start with GitHub and CodeCommit.

picture jogold on 20 Mar 2020
👍2

All 6 comments

Hey @kinbald, so when providing a codecommit repository using CfnApp, if you no authToken and no oauthToken it still works? Do you have to give the amplify project's role access through iam?

@jogold for visibility.

MrArnoldPalmer picture MrArnoldPalmer on 20 Mar 2020

@kinbald Did you maybe connect the repository manually using the console?

@MrArnoldPalmer the amplify project's role is only used when working with backends I think

jogold picture jogold on 20 Mar 2020

Hey there,

I do not use the amplify console to connect the repo, I use the repository parameter of App constructor.
To understand a little bit more the bug, I tested 3 different stacks (CDK 1.30.0) :

  1. CfnApp + CfnBranch + CfnDomain WITHOUT token ✅ (Amplify build succeeded)
  2. App + Branch + Domain WITH valid accessToken ✅ (Amplify build succeeded)
  3. App + Branch + Domain WITH random string as accessToken ❌ (Amplify build failed)
    => Succeeded to clone the repo but failed at Backend step with accessDenied error.

And as you asked I create the app with this role : 

const amplifyPrincipal = new iam.ServicePrincipal("amplify.amazonaws.com")
const amplifyRole = new iam.Role(this, "AmplifyConsoleRole", {
      assumedBy: amplifyPrincipal,
      managedPolicies: [
        iam.ManagedPolicy.fromAwsManagedPolicyName("AWSCodeCommitReadOnly")
      ],
      roleName: "AmplifyConsoleRole"
})

Thanking you in advance

kinbald picture kinbald on 20 Mar 2020

2. App + Branch + Domain WITH valid accessToken

Which accessToken? How did you generate it?

I create the app with this role

Did you specify it in the 3 stacks?

but failed at Backend step with accessDenied error.

Do you have the full error message?

jogold picture jogold on 20 Mar 2020

Which accessToken? How did you generate it?

Seamed to our team that the only token that could be generated would be with HTTPS GitCredential manager in our IAM account. We used the password string as accessToken as a try.

Did you specify it in the 3 stacks?

Yes, they all use this role.

Do you have the full error message?

Sure :
https://gist.github.com/kinbald/91d09f56830286b3fbc6cbadaf4161bd

kinbald picture kinbald on 20 Mar 2020

@MrArnoldPalmer we should maybe have something like a SourceCodeProvider class with static methods for the different providers. We can start with GitHub and CodeCommit.

jogold picture jogold on 20 Mar 2020
👍2
Was this page helpful?
0 / 5 - 0 ratings

Related issues

pepastach picture pepastach  ·  3Comments
Kent1 picture Kent1  ·  3Comments
ababra picture ababra  ·  3Comments
cybergoof picture cybergoof  ·  3Comments
nzspambot picture nzspambot  ·  3Comments