When you use AWS Amplify, you deploy your changes to your AWS account through an AWS profile. You could use the profile of a user that has AdministratorAccess, but that is bad practice: an IAM entity should be granted only the permissions it needs to do its job.
So what permissions are required for deploying Amplify apps?
AWS Amplify required permissions
To create an AWS User with the required permissions, follow the steps below.
Create AWS Policy
- Open AWS IAM Console.
- On the left, click Policies.
- Click Create Policy.
- Click the JSON tab and paste the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "appsync:*",
        "apigateway:POST",
        "apigateway:DELETE",
        "apigateway:PATCH",
        "apigateway:PUT",
        "cloudformation:CreateStack",
        "cloudformation:CreateStackSet",
        "cloudformation:DeleteStack",
        "cloudformation:DeleteStackSet",
        "cloudformation:DescribeStackEvents",
        "cloudformation:DescribeStackResource",
        "cloudformation:DescribeStackResources",
        "cloudformation:DescribeStackSet",
        "cloudformation:DescribeStackSetOperation",
        "cloudformation:DescribeStacks",
        "cloudformation:UpdateStack",
        "cloudformation:UpdateStackSet",
        "cloudfront:CreateCloudFrontOriginAccessIdentity",
        "cloudfront:CreateDistribution",
        "cloudfront:DeleteCloudFrontOriginAccessIdentity",
        "cloudfront:DeleteDistribution",
        "cloudfront:GetCloudFrontOriginAccessIdentity",
        "cloudfront:GetCloudFrontOriginAccessIdentityConfig",
        "cloudfront:GetDistribution",
        "cloudfront:GetDistributionConfig",
        "cloudfront:TagResource",
        "cloudfront:UntagResource",
        "cloudfront:UpdateCloudFrontOriginAccessIdentity",
        "cloudfront:UpdateDistribution",
        "cognito-identity:CreateIdentityPool",
        "cognito-identity:DeleteIdentityPool",
        "cognito-identity:DescribeIdentity",
        "cognito-identity:DescribeIdentityPool",
        "cognito-identity:SetIdentityPoolRoles",
        "cognito-identity:UpdateIdentityPool",
        "cognito-idp:CreateUserPool",
        "cognito-idp:CreateUserPoolClient",
        "cognito-idp:DeleteUserPool",
        "cognito-idp:DeleteUserPoolClient",
        "cognito-idp:DescribeUserPool",
        "cognito-idp:UpdateUserPool",
        "cognito-idp:UpdateUserPoolClient",
        "dynamodb:CreateTable",
        "dynamodb:DeleteItem",
        "dynamodb:DeleteTable",
        "dynamodb:DescribeTable",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:UpdateTable",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:GetRole",
        "iam:GetUser",
        "iam:PassRole",
        "iam:PutRolePolicy",
        "iam:UpdateRole",
        "lambda:AddPermission",
        "lambda:CreateFunction",
        "lambda:DeleteFunction",
        "lambda:GetFunction",
        "lambda:GetFunctionConfiguration",
        "lambda:InvokeAsync",
        "lambda:InvokeFunction",
        "lambda:RemovePermission",
        "lambda:UpdateFunctionCode",
        "lambda:UpdateFunctionConfiguration",
        "s3:*",
        "amplify:*"
      ],
      "Resource": "*"
    }
  ]
}
- Click Review Policy.
- Provide a Name and optionally Description.
- Click Create Policy.
Important: This policy grants the deployment permissions for AppSync, API Gateway, CloudFormation, CloudFront, Cognito, DynamoDB, IAM, Lambda, S3 and Amplify. If your app uses other types of AWS resources, you will need to add the corresponding permissions to this policy. Note also what "minimal" means here: the policy is limited to the services Amplify deploys, but every action is allowed on Resource "*", and appsync, s3 and amplify are granted with service-wide wildcards. In particular, iam:CreateRole and iam:PutRolePolicy together with iam:PassRole on any resource let this user create a role with permissions beyond this policy and hand it to a Lambda function, so guard its access key as you would an administrator's, and narrow the Resource entries (for example to the ARNs of the roles and buckets Amplify creates in your account) where you can.
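To see what the policy above actually allows before attaching it, the following script audits it offline: it groups the actions by service, lists the service-wide wildcards, checks for the iam:PassRole plus role-writing combination on Resource "*", and shows one way to tighten it by moving the IAM role actions into their own statement scoped to a role ARN pattern. This is an added example, not code from the original post; POLICY is a copy of the post's policy with the action list compacted, the "escalation" test is this example's own heuristic, and the "arn:aws:iam::123456789012:role/amplify-*" pattern is an assumed placeholder for your account's role naming, not something Amplify guarantees.

```python
"""Offline audit of the Amplify deployment policy shown above (added example)."""
import json
from collections import defaultdict

# Constructed input: the post's policy with the Action list compacted onto fewer lines.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
            "appsync:*", "apigateway:POST", "apigateway:DELETE", "apigateway:PATCH", "apigateway:PUT",
            "cloudformation:CreateStack", "cloudformation:CreateStackSet", "cloudformation:DeleteStack",
            "cloudformation:DeleteStackSet", "cloudformation:DescribeStackEvents",
            "cloudformation:DescribeStackResource", "cloudformation:DescribeStackResources",
            "cloudformation:DescribeStackSet", "cloudformation:DescribeStackSetOperation",
            "cloudformation:DescribeStacks", "cloudformation:UpdateStack", "cloudformation:UpdateStackSet",
            "cloudfront:CreateCloudFrontOriginAccessIdentity", "cloudfront:CreateDistribution",
            "cloudfront:DeleteCloudFrontOriginAccessIdentity", "cloudfront:DeleteDistribution",
            "cloudfront:GetCloudFrontOriginAccessIdentity", "cloudfront:GetCloudFrontOriginAccessIdentityConfig",
            "cloudfront:GetDistribution", "cloudfront:GetDistributionConfig", "cloudfront:TagResource",
            "cloudfront:UntagResource", "cloudfront:UpdateCloudFrontOriginAccessIdentity",
            "cloudfront:UpdateDistribution",
            "cognito-identity:CreateIdentityPool", "cognito-identity:DeleteIdentityPool",
            "cognito-identity:DescribeIdentity", "cognito-identity:DescribeIdentityPool",
            "cognito-identity:SetIdentityPoolRoles", "cognito-identity:UpdateIdentityPool",
            "cognito-idp:CreateUserPool", "cognito-idp:CreateUserPoolClient", "cognito-idp:DeleteUserPool",
            "cognito-idp:DeleteUserPoolClient", "cognito-idp:DescribeUserPool", "cognito-idp:UpdateUserPool",
            "cognito-idp:UpdateUserPoolClient",
            "dynamodb:CreateTable", "dynamodb:DeleteItem", "dynamodb:DeleteTable", "dynamodb:DescribeTable",
            "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:UpdateTable",
            "iam:CreateRole", "iam:DeleteRole", "iam:DeleteRolePolicy", "iam:GetRole", "iam:GetUser",
            "iam:PassRole", "iam:PutRolePolicy", "iam:UpdateRole",
            "lambda:AddPermission", "lambda:CreateFunction", "lambda:DeleteFunction", "lambda:GetFunction",
            "lambda:GetFunctionConfiguration", "lambda:InvokeAsync", "lambda:InvokeFunction",
            "lambda:RemovePermission", "lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration",
            "s3:*", "amplify:*",
        ],
        "Resource": "*",
    }],
}

# Actions that let a principal put arbitrary permissions on a role. Combined with iam:PassRole
# on any resource, they let the deployer mint and use a role more powerful than this policy.
ROLE_WRITING_ACTIONS = {"iam:CreateRole", "iam:PutRolePolicy", "iam:AttachRolePolicy",
                        "iam:UpdateAssumeRolePolicy"}


def _allowed(policy):
    """Yield (action, resources) for every Allow statement, normalising scalars to lists."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st.get("Resource", [])
        resources = resources if isinstance(resources, list) else [resources]
        for action in actions:
            yield action, resources


def actions_by_service(policy):
    """Group allowed actions by service prefix, e.g. {"iam": ["iam:CreateRole", ...]}."""
    grouped = defaultdict(list)
    for action, _ in _allowed(policy):
        grouped[action.split(":", 1)[0]].append(action)
    return dict(grouped)


def wildcard_actions(policy):
    """Actions granted for a whole service ("s3:*") or for everything ("*")."""
    return sorted(a for a, _ in _allowed(policy) if a == "*" or a.endswith(":*"))


def unscoped_iam_escalation(policy):
    """True if iam:PassRole and a role-writing action are both allowed on Resource "*"."""
    unscoped = {a for a, res in _allowed(policy) if "*" in res}
    return "iam:PassRole" in unscoped and bool(unscoped & ROLE_WRITING_ACTIONS)


def scope_iam_role_actions(policy, role_arn_pattern):
    """Copy the policy, moving every iam:*Role* action into its own statement limited to
    role_arn_pattern. iam:GetUser targets a user resource, so it stays where it is."""
    scoped = json.loads(json.dumps(policy))  # deep copy; the input is left untouched
    moved = []
    for st in scoped["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        keep = [a for a in actions if not (a.startswith("iam:") and "Role" in a)]
        moved.extend(a for a in actions if a not in keep)
        st["Action"] = keep
    if moved:
        scoped["Statement"].append({"Sid": "AmplifyRoleActions", "Effect": "Allow",
                                    "Action": sorted(set(moved)), "Resource": role_arn_pattern})
    return scoped


if __name__ == "__main__":
    pattern = "arn:aws:iam::123456789012:role/amplify-*"  # assumed placeholder, see lead-in
    print("services:", ", ".join(sorted(actions_by_service(POLICY))))
    print("service-wide wildcards:", wildcard_actions(POLICY))
    print("PassRole escalation on Resource *:", unscoped_iam_escalation(POLICY))
    print("after scoping role actions:", unscoped_iam_escalation(scope_iam_role_actions(POLICY, pattern)))
```

Scoping the IAM statement this way only helps if the pattern really matches the roles Amplify creates in your account; check the role names in your existing Amplify stacks before relying on it, and apply the same idea to the S3 and Amplify wildcards if you can enumerate the bucket and app ARNs.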
Create a new AWS User
- Open AWS IAM Console.
- On the left, click Users.
- Click Add User.
- Enter a user name and check Programmatic access (this user needs an access key, not a console password).
- Click Next: Permissions.
- Under Set Permissions, choose Attach Existing Policies.
- Choose the policy that you created earlier and click Next: Tags.
- Click Next: Review and, after reviewing, click Create User. Save the access key ID and secret access key shown on the final screen; the secret is displayed only once.
You are all done. To create an AWS profile for this user on your local machine, follow this tutorial.
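The same steps can be driven from boto3 instead of the console, which is handy when you set up one deployment user per project or environment. The script below is an added example, not code from the original post. It assumes the policy document shown earlier has been saved as amplify-deploy-policy.json, that the credentials already in your environment are allowed to manage IAM (as the console steps also require), and that the user, policy and profile names are placeholders you will change; boto3 is imported inside provision() so the file helpers run without it installed.

```python
"""Create the Amplify deployment policy and user with boto3 (added example)."""
import json
import os


def load_policy_document(path):
    """Read a policy file and reject anything that does not look like an IAM policy."""
    with open(path) as fh:
        doc = json.load(fh)
    if doc.get("Version") != "2012-10-17" or not isinstance(doc.get("Statement"), list):
        raise ValueError(f"{path} is not an IAM policy document")
    return doc


def render_credentials_profile(profile, key_id, secret):
    """The ~/.aws/credentials section for the new user's access key."""
    return f"[{profile}]\naws_access_key_id = {key_id}\naws_secret_access_key = {secret}\n"


def write_credentials_profile(path, profile, key_id, secret):
    """Append the profile to a credentials file, creating the file with mode 0600.

    Refuses to add a profile name that already exists, so an old key is never
    silently shadowed by a new one. Returns the profile name on success.
    """
    existing = ""
    if os.path.exists(path):
        with open(path) as fh:
            existing = fh.read()
    if f"[{profile}]" in existing:
        raise ValueError(f"profile {profile!r} already exists in {path}")
    # The mode only applies when the file is created; an existing file keeps its permissions.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "a") as fh:
        if existing and not existing.endswith("\n"):
            fh.write("\n")
        fh.write(render_credentials_profile(profile, key_id, secret))
    return profile


def provision(policy_path, user_name, policy_name, profile,
              credentials_path=os.path.expanduser("~/.aws/credentials")):
    """The console steps as API calls: create policy, create user, attach, create key.

    CreateAccessKey returns the secret exactly once; it is written straight to the
    credentials file and never printed.
    """
    import boto3  # lazy import: only needed when actually talking to AWS

    iam = boto3.client("iam")
    doc = load_policy_document(policy_path)
    policy_arn = iam.create_policy(
        PolicyName=policy_name,
        PolicyDocument=json.dumps(doc),
        Description="Least-privilege deployment policy for AWS Amplify",
    )["Policy"]["Arn"]
    iam.create_user(UserName=user_name)  # programmatic access only: no login profile is created
    iam.attach_user_policy(UserName=user_name, PolicyArn=policy_arn)
    key = iam.create_access_key(UserName=user_name)["AccessKey"]
    write_credentials_profile(credentials_path, profile, key["AccessKeyId"], key["SecretAccessKey"])
    return {"user": user_name, "policy_arn": policy_arn, "profile": profile,
            "access_key_id": key["AccessKeyId"]}


if __name__ == "__main__":
    # Placeholder names (assumptions); adjust to your own conventions.
    result = provision("amplify-deploy-policy.json", "amplify-deployer",
                       "AmplifyDeployPolicy", "amplify-deploy")
    print(f"created user {result['user']} with key {result['access_key_id']}; "
          f"deploy with: amplify push --profile {result['profile']}")
```

After provisioning, `aws sts get-caller-identity --profile amplify-deploy` confirms the profile resolves to the new user before you run the first Amplify deployment with it.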
Summary
This post shows how to create an AWS user whose permissions come from a single IAM policy that covers only what is needed to deploy an AWS Amplify app and the resources it is built from. The policy is listed in full so that readers who deploy with Amplify can follow AWS best practice and grant only the permissions Amplify requires, instead of attaching AdministratorAccess to the deploying user.