Comments (9)
Let's just get it going. The following permissions were necessary for the `amplify init` initialization step which creates a CloudFormation stack.

- CloudFormation: `cloudformation:CreateStack`
  - there is no AWS Managed policy for CloudFormation write permissions (only ReadOnly for CloudFormation).
  - So, I had to create a custom policy `CloudFormationWritePermissions`, chose CloudFormation as a service and picked the permissions from "write" section.
  - In addition to that I had to attach the AWS Managed `AWSCloudFormationReadOnlyAccess` otherwise the CLI succeeds to send a create stack request, but then fails to get the stack status saying `AccessDenied: Resource is not in the state stackCreateComplete`.
- IAM: `iam:GetRole`, `iam:CreateRole`
  - added AWS Managed `IAMFullAccess` policy.
- S3: `s3:CreateBucket`
  - added AWS Managed `AmazonS3FullAccess` policy.
One thing that could have been improved is that instead of giving the full access to certain services, we could have given limited permissions by selecting the exact APIs necessary for the CLI. But I didn't bother micro-optimizing at this point.
Finally I see:
```
$ amplify init
Note: It is recommended to run this command from the root of your app directory
? Choose your default editor: Visual Studio Code
? Choose the type of app that you're building ios
Using default provider awscloudformation
For more information on AWS Profiles, see:
https://docs.aws.amazon.com/cli/latest/userguide/cli-multiple-profiles.html
? Do you want to use an AWS profile? Yes
? Please choose the profile you want to use my-profile
⠧ Initializing project in the cloud...
CREATE_COMPLETE AuthRole AWS::IAM::Role Sun Nov 25 2018 12:53:06 GMT-0800 (PST)
CREATE_COMPLETE UnauthRole AWS::IAM::Role Sun Nov 25 2018 12:53:06 GMT-0800 (PST)
CREATE_COMPLETE DeploymentBucket AWS::S3::Bucket Sun Nov 25 2018 12:53:09 GMT-0800 (PST)
CREATE_COMPLETE service-20181125125256 AWS::CloudFormation::Stack Sun Nov 25 2018 12:53:12 GMT-0800 (PST)
✔ Successfully created initial AWS cloud resources for deployments.
Your project has been successfully initialized and connected to the cloud!
Some next steps:
"amplify status" will show you what you've added already and if it's locally configured or deployed
"amplify <category> add" will allow you to add features like user login or a backend API
"amplify push" will build all your local backend resources and provision it in the cloud
"amplify publish" will build all your local backend and frontend resources (if you have hosting category added) and provision it in the cloud
Pro tip:
Try "amplify add api" to create a backend API and then "amplify publish" to deploy everything
```
If you decide to add Amazon Cognito based Auth provider by `amplify add auth`, then the following permissions are required before you do `amplify push`:

- Cognito: `cognito-idp:CreateUserPool`
  - added AWS Managed `AmazonCognitoPowerUser` policy which provides full access to the service.
- Lambda: `lambda:CreateFunction`
  - added AWS Managed `AWSLambdaFullAccess` policy.

If you want to add GraphQL based API provider by `amplify add api`, then the following permissions are required before you do `amplify push`.

- AppSync: `appsync:CreateGraphqlApi`
  - added AWS Managed `AWSAppSyncAdministrator` policy with full access.
from amplify-cli.
AWS IAM > User - Add user > .. > Create policy: select JSON table then Copy&Paste

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "cloudformation:EstimateTemplateCost",
        "cloudformation:CreateStack",
        "cloudformation:List*",
        "cloudformation:ValidateTemplate",
        "cloudformation:Get*",
        "cloudformation:Describe*",
        "iam:GetRole",
        "iam:CreateRole",
        "s3:CreateBucket"
      ],
      "Resource": "*"
    }
  ]
}
```
from amplify-cli.
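To see what the policy in the comment above still leaves open, here is an added example (not part of the original thread or of amplify-cli): a small Python check that flags action wildcards and resource-creating actions allowed on `"Resource": "*"`. The `MUTATING` set and the function names are assumptions made for this example, not an AWS-published classification.

```python
import json

# Same content as the policy posted in the comment above, embedded for analysis.
POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{
   "Sid": "VisualEditor0",
   "Effect": "Allow",
   "Action": ["cloudformation:EstimateTemplateCost", "cloudformation:CreateStack",
              "cloudformation:List*", "cloudformation:ValidateTemplate",
              "cloudformation:Get*", "cloudformation:Describe*",
              "iam:GetRole", "iam:CreateRole", "s3:CreateBucket"],
   "Resource": "*"}]}
""")

# Assumption: hand-written list of the resource-creating actions in this policy.
MUTATING = {"cloudformation:CreateStack", "iam:CreateRole", "s3:CreateBucket"}


def as_list(value):
    """IAM JSON allows a bare string or object where a list is expected."""
    return value if isinstance(value, list) else [value]


def review_policy(policy):
    """Return (sid, action, finding) tuples for every Allow statement."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", "<no Sid>")
        unscoped = "*" in as_list(stmt.get("Resource", []))
        for action in as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((sid, action, "full-service wildcard"))
            elif "*" in action:
                findings.append((sid, action, "action wildcard"))
            if unscoped and action in MUTATING:
                findings.append((sid, action, "mutating action on Resource *"))
    return findings


if __name__ == "__main__":
    for sid, action, finding in review_policy(POLICY):
        print(f"{sid}: {action}: {finding}")
```

Each "mutating action on Resource *" finding is a candidate for a `Resource` ARN pattern that matches only the stacks, roles and buckets the CLI is expected to create.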
Would be nice to see a breakdown of exactly what permissions are needed, as full administrative access isn't feasible in some scenarios.
from amplify-cli.
Would be great to get a list of this, rather than creating a user with full administrative access, would be great to pick and choose what we need based on the services we require
from amplify-cli.
I’m using Amplify purely for its auth features, and even then only to authenticate existing users (sign in, sign out, forgot password, create password). It seems like overkill to grant admin privileges when I’m using such a small portion of the toolset. And as the front-end developer, I don’t have those privileges anyway.
from amplify-cli.
Closing this issue, since this is a duplicate and we're tracking this in #351.
from amplify-cli.
Cool. Thanks.
from amplify-cli.
IAM policy can be restricted for just the categories and features that you use as documented here: https://aws-amplify.github.io/docs/cli-toolchain/usage#iam-policy-for-the-cli
Additionally you can use MFA with short term IAM credentials: https://aws-amplify.github.io/docs/cli-toolchain/usage#iam-roles--mfa
from amplify-cli.
This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.
Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels for those types of questions.
from amplify-cli.