User: XXX because no identity-based policy allows the cognito-idp:GetGroup action #13980

Open
GenGraphic opened this issue Oct 18, 2024 · 3 comments
Labels
multienv Issues tied to multiple environment feature in the CLI pending-triage Issue is pending triage

Comments

@GenGraphic

Environment information

0 verbose cli C:\Program Files\nodejs\node.exe C:\Users\Eduardo\AppData\Roaming\npm\node_modules\npm\bin\npm-cli.js
1 info using npm@10.8.3
2 info using node@v20.17.0
3 silly config load:file:C:\Users\Eduardo\AppData\Roaming\npm\node_modules\npm\npmrc
4 silly config load:file:F:\Projects\pensionflow\.npmrc
5 silly config load:file:C:\Users\Eduardo\.npmrc
6 silly config load:file:C:\Users\Eduardo\AppData\Roaming\npm\etc\npmrc
7 verbose title npm exec ampx info
8 verbose argv "exec" "--" "ampx" "info"
9 verbose logfile logs-max:10 dir:C:\Users\Eduardo\AppData\Local\npm-cache\_logs\2024-10-18T11_38_01_308Z-
10 verbose logfile C:\Users\Eduardo\AppData\Local\npm-cache\_logs\2024-10-18T11_38_01_308Z-debug-0.log
11 silly logfile start cleaning logs, removing 1 files
12 silly logfile done cleaning log files
13 silly packumentCache heap:4345298944 maxSize:1086324736 maxEntrySize:543162368
14 http fetch GET 200 https://registry.npmjs.org/ampx 775ms (cache miss)
15 verbose stack Error: could not determine executable to run
15 verbose stack     at getBinFromManifest (C:\Users\Eduardo\AppData\Roaming\npm\node_modules\npm\node_modules\libnpmexec\lib\get-bin-from-manifest.js:17:23)
15 verbose stack     at exec (C:\Users\Eduardo\AppData\Roaming\npm\node_modules\npm\node_modules\libnpmexec\lib\index.js:202:15)
15 verbose stack     at async Npm.exec (C:\Users\Eduardo\AppData\Roaming\npm\node_modules\npm\lib\npm.js:207:9)
15 verbose stack     at async module.exports (C:\Users\Eduardo\AppData\Roaming\npm\node_modules\npm\lib\cli\entry.js:74:5)
16 verbose pkgid ampx@0.2.2
17 error could not determine executable to run
18 verbose cwd F:\Projects\pensionflow
19 verbose os Windows_NT 10.0.22631
20 verbose node v20.17.0
21 verbose npm  v10.8.3
22 verbose exit 1
23 verbose code 1
24 error A complete log of this run can be found in: C:\Users\Eduardo\AppData\Local\npm-cache\_logs\2024-10-18T11_38_01_308Z-debug-0.log

Describe the bug

I created a new env and I tried to push the backend to it, resulting in the following error: Resource handler returned message: "User: arn:aws:sts::XXXXX:assumed-role/eu-central-1_K3YXJVKQN_Full-access/amplifyadmin is not authorized to perform: cognito-idp:GetGroup on resource: arn:aws:cognito-idp:eu-central-1:XXXXX:userpool/eu-central-1_He0G2wrhm because no identity-based policy allows the cognito-idp:GetGroup action (Service: CognitoIdentityProvider, Status Code: 400, Request ID: abfcf153-b16b-44a8-85a7-84ead72265a6)" (RequestToken: 6b86c0b7-4b2a-ce88-1139-b91d18ccd86c, HandlerErrorCode: GeneralServiceException)

Reproduction steps

amplify push

@GenGraphic GenGraphic added the pending-triage Issue is pending triage label Oct 18, 2024
@ykethan
Member

ykethan commented Oct 18, 2024

Thanks for raising this! I'm going to transfer this over to our CLI repository as this appears to be a Gen 1 CLI issue.

@ykethan ykethan transferred this issue from aws-amplify/amplify-backend Oct 18, 2024
@ykethan
Member

ykethan commented Oct 18, 2024

Hey @GenGraphic, thank you for reaching out. It appears the eu-central-1_K3YXJVKQN_Full-access role is trying to perform a GetGroup on a Cognito userpool resource. To mitigate the issue, you should be able to add the cognito-idp:GetGroup as an inline policy on the eu-central-1_K3YXJVKQN_Full-access role in the AWS IAM console.

@ykethan ykethan added multienv Issues tied to multiple environment feature in the CLI pending-response Issue is pending response from the issue author labels Oct 18, 2024
@GenGraphic
Author

Hi @ykethan. Thank you for the fast reply, this is much appreciated. What we are trying to do is to duplicate our production env and use it as a development env. I created the new env and I get this error while trying to push the backend to the newly created env. So a new user pool is created (along with functions, tables, S3), and it is trying to get and create a new AdminsGroup (like we have on our prod env). So adding an inline policy is the first thing I tried, but I can't give it the right Resource, since I don't know the new user pool ARN because it doesn't exist yet. Thank you!

@github-actions github-actions bot removed the pending-response Issue is pending response from the issue author label Oct 19, 2024
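
Added example (not part of the issue thread or of the Amplify CLI): a small check that parses the access-denied message quoted in the issue and compares two inline-policy shapes for `cognito-idp:GetGroup`, one pinned to a single pool ARN and one scoped with `userpool/*` to the same account and region. The pool ID `eu-central-1_EXAMPLE01` is constructed, and the matcher is a simplification that looks only at Allow statements and the `*` and `?` wildcards.

```python
import re

# Error text as quoted in the issue (the account ID is redacted as XXXXX on the page).
ERROR = ('User: arn:aws:sts::XXXXX:assumed-role/eu-central-1_K3YXJVKQN_Full-access/amplifyadmin '
         'is not authorized to perform: cognito-idp:GetGroup on resource: '
         'arn:aws:cognito-idp:eu-central-1:XXXXX:userpool/eu-central-1_He0G2wrhm '
         'because no identity-based policy allows the cognito-idp:GetGroup action')

def parse_denial(message):
    """Extract (action, resource ARN) from an IAM access-denied message."""
    m = re.search(r'not authorized to perform: (\S+) on resource: (\S+)', message)
    if not m:
        raise ValueError('not an IAM access-denied message')
    return m.group(1), m.group(2)

def _wild(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r'\*', '.*').replace(r'\?', '.')
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def allows(policy, action, resource):
    """Simplified check: Allow statements only; no Deny, NotAction or Condition."""
    for stmt in _as_list(policy['Statement']):
        if stmt.get('Effect') != 'Allow':
            continue
        if (any(_wild(a, action, True) for a in _as_list(stmt['Action'])) and
                any(_wild(r, resource) for r in _as_list(stmt['Resource']))):
            return True
    return False

def policy_for(resource):
    return {'Version': '2012-10-17',
            'Statement': [{'Effect': 'Allow', 'Action': 'cognito-idp:GetGroup',
                           'Resource': resource}]}

# Hypothetical: pinned to one already existing pool (constructed pool ID).
PINNED = policy_for('arn:aws:cognito-idp:eu-central-1:XXXXX:userpool/eu-central-1_EXAMPLE01')
# Scoped to any user pool in this account and region, so a pool created later still matches.
SCOPED = policy_for('arn:aws:cognito-idp:eu-central-1:XXXXX:userpool/*')

if __name__ == '__main__':
    action, resource = parse_denial(ERROR)
    for name, pol in (('pinned', PINNED), ('scoped', SCOPED)):
        print(name, allows(pol, action, resource))
```

The `userpool/*` form stays limited to one account and one region, which keeps the grant narrower than `"Resource": "*"` while not depending on a pool ID that is only known after creation.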