Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

env update keeps asking for "Specify an IAM Policy ARN to use as a permissions boundary" #14075

Closed
2 tasks done
silveriordza opened this issue Jan 17, 2025 · 5 comments
Closed
2 tasks done

env update keeps asking for "Specify an IAM Policy ARN to use as a permissions boundary" #14075

silveriordza opened this issue Jan 17, 2025 · 5 comments
Labels
pending-triage Issue is pending triage platform Issues tied to the general CLI platform

Comments

@silveriordza
Copy link

How did you install the Amplify CLI?

npm

If applicable, what version of Node.js are you using?

v16.20.2

Amplify CLI Version

12.12.0

What operating system are you using?

Windows

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

No

Describe the bug

Created a new backend environment, lambda function, Node.JS, selected option to use the same environment variables as the current (existent) environment), the environment was created successfully, then pushed it to the AWS Cloud with success. Then I tried to update environment variables to change the ones that are specific to the new environment, and the "amplify env update" command, asked me for "Specify an IAM Policy ARN to use as a permissions boundary for all Amplify-generated IAM Roles...", I did created a new IAM Policy giving permissions like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SidSidSomeSid",
"Effect": "Allow",
"Action": [
"iam:CreateRole",
"iam:DeleteRole",
"iam:PassRole",
"iam:AttachRolePolicy",
"iam:DetachRolePolicy",
"iam:DeleteRolePolicy",
"lambda:",
"dynamodb:",
"s3:",
"cloudformation:",
"appsync:",
"apigateway:"
],
"Resource": "*"
}
]
}

took the ARM of that policy and set it as the answer for the "Specify an IAM Policy ARN" question, pressed enter, then did the "amplify push --force" completed with success.

Again I tried the "amplify env update" and the same question pops up "Specify an IAM Policy ARN to use as a permissions boundary for all Amplify-generated IAM Roles...".

I did troubleshoot: removed my amplify folder to start from scratch, pulled my environments with amplify pull, worked like a charm, success, but all my environments now have the same problem when doing the "amplify env update" does not seem to work any more.

What do I need to do to make the update work and update environment variables in amplify version 12.12.0? Is it still supported? Is this a problem of me being behind in amplify versions and the AWS Amplify version in the Cloud is not longer able to talk to my 12.12.0 version? This boundary permission thing was not required before, I'm not sure if my version can even handle it.

Please help!

Thanks,
Silverio Rodriguez

Expected behavior

"amplify env update" should show the options to update environment, I can pick the environment variables and update them.

Reproduction steps

  1. Make sure you have amplify 12.12.0.
  2. Pull any environment that you have, backend, Node, Lambda, no Javascript framework.
  3. amplify env update
  4. You will see it asks for the "Specify an IAM Policy ARN to use as a permissions boundary for all Amplify-generated IAM Roles..."
  5. Provide the policy ARM.
  6. Type enter.
  7. amplify push --force (this will succeed).
  8. amplify env update
  9. You will see it asks again for "Specify an IAM Policy ARN to use as a permissions boundary for all Amplify-generated IAM Roles..."
  10. Repeat steps above, it will never go beyond the question in 9.

Project Identifier

fcce8f7d669389faf08be68ad4a27320

Log output

#I won't add the logs because they may contain sensitive data and the log is very large I can't review it all and not sure what could be there.

Additional information

I haven't identified any workaround, but I tried setting the ARM as blank, also adding it as blank in the team-provider-info.json, deleting my amplify folder and start pulling my environments again. I suspect that I just have to upgrade my environments to the GEN2, but I'm not sure if I update my local version of amplify to the latest version, how will that affect my existent environments that are in 12.12.0, do I need to remove them and re-create them with the new version?

Let me know if there is any workaround so I can keep using my 12.12.0 version, or let me know if upgrading is not that hard and it won't mess up my existent environments.

Before submitting, please confirm:

  • I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
  • I have removed any sensitive information from my code snippets and submission.
@silveriordza silveriordza added the pending-triage Issue is pending triage label Jan 17, 2025
@ykethan
Copy link
Member

ykethan commented Jan 17, 2025
edited
Loading

Hey @silveriordza, thank you for reaching out. This is currently an expected behavior as the permission boundary applies on a environment level prompting this whenever you run amplify update env. If the PermissionsBoundaryPolicyArn parameter is present in the team-provider-info.json the CLI should provide an autofilled input in the prompt or you can skip the prompt by adding --permissions-boundary with an arn to the amplify update env command.
Refer to this documentation providing additional information.
https://docs.amplify.aws/gen1/react/tools/cli/project/permissions-boundary/#set-up-a-permissions-boundary-in-a-new-environment

@ykethan ykethan added pending-response Issue is pending response from the issue author platform Issues tied to the general CLI platform labels Jan 17, 2025
@silveriordza
Copy link
Author

silveriordza commented Jan 17, 2025
edited
Loading

@ykethan the problem is that it keeps asking for the ARN, even though I already provided it multiple times, and did push --force. I see it was aded to the team-provider-info.json. When I run the "amplify update env" I'm expecting the options so I can select the "update environment variables", which is what I ultimately looking for. This thing keeps asking for the ARN, and never passes from there. Where is the option to update environment variables then?

@github-actions github-actions bot removed the pending-response Issue is pending response from the issue author label Jan 17, 2025
@ykethan
Copy link
Member

ykethan commented Jan 21, 2025

@silveriordza Could you provide us information on the resource you are looking to update?
If you are looking to update the environment variable for a Lambda function which does provide a prompt Update existing environment variables refer to the following documentation.
https://docs.amplify.aws/gen1/react/build-a-backend/functions/environment-variables/

@ykethan ykethan added the pending-response Issue is pending response from the issue author label Jan 21, 2025
@silveriordza
Copy link
Author

You are right @ykethan , using the "amplify update function" worked to update environment variables and secrets, I thought the environment variables have to be updated at the environment level, but it is done at the lambda function level. Thanks!

@github-actions github-actions bot removed the pending-response Issue is pending response from the issue author label Jan 26, 2025
@github-actions GitHub Actions
Copy link

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
pending-triage Issue is pending triage platform Issues tied to the general CLI platform
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@silveriordza @ykethan