Amplify Deployment Failure -> CloudFormation -> S3 Access Denied ???


I am deploying an Amplify application after several months (busy at work). The deployment is failing while creating a CloudFormation stack with all of the auth/data resources due to a vague S3 access issue and simple links to the S3 error docs:

2025-01-11T20:46:29.068Z [INFO]: amplify-xyzyyyzzz-develop-branch-066ce2c317: success: Published e7bcc9a97ae50239efb27eddbe930d08222e1b8386f5e57558b9854d6b0a592d:current_account-current_region
2025-01-11T20:46:29.068Z [INFO]: amplify-xyzyyyzzz-develop-branch-066ce2c317: deploying... [1/1]
2025-01-11T20:46:29.295Z [INFO]: amplify-xyzyyyzzz-develop-branch-066ce2c317: creating CloudFormation changeset...
2025-01-11T20:46:46.181Z [INFO]: amplify-xyzyyyzzz-develop-branch-066ce2c317 | 0/4 | 8:46:40 PM | UPDATE_IN_PROGRESS  | AWS::CloudFormation::Stack | amplify-xyzyyyzzz-develop-branch-066ce2c317 User Initiated
2025-01-11T20:46:46.186Z [INFO]: amplify-xyzyyyzzz-develop-branch-066ce2c317 | 0/4 | 8:46:43 PM | UPDATE_IN_PROGRESS  | AWS::CloudFormation::Stack | auth.NestedStack/auth.NestedStackResource (auth111222333)
amplify-xyzyyyzzz-develop-branch-066ce2c317 | 0/4 | 8:46:43 PM | UPDATE_FAILED  | AWS::CloudFormation::Stack | auth.NestedStack/auth.NestedStackResource (auth111222333) S3 error: Access Denied For more information check http://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html
amplify-xyzyyyzzz-develop-branch-066ce2c317 | 0/4 | 8:46:44 PM | UPDATE_ROLLBACK_IN_P | AWS::CloudFormation::Stack | amplify-xyzyyyzzz-develop-branch-066ce2c317 The following resource(s) failed to update: [auth111222333].
2025-01-11T20:46:50.560Z [INFO]: amplify-xyzyyyzzz-develop-branch-066ce2c317 | 1/4 | 8:46:46 PM | UPDATE_COMPLETE  | AWS::CloudFormation::Stack | auth.NestedStack/auth.NestedStackResource (auth111222333)
2025-01-11T20:46:50.565Z [INFO]: amplify-xyzyyyzzz-develop-branch-066ce2c317 | 2/4 | 8:46:47 PM | UPDATE_ROLLBACK_COMP | AWS::CloudFormation::Stack | amplify-xyzyyyzzz-develop-branch-066ce2c317
amplify-xyzyyyzzz-develop-branch-066ce2c317 | 1/4 | 8:46:48 PM | UPDATE_COMPLETE  | AWS::CloudFormation::Stack | auth.NestedStack/auth.NestedStackResource (auth111222333)
amplify-xyzyyyzzz-develop-branch-066ce2c317 | 2/4 | 8:46:48 PM | UPDATE_ROLLBACK_COMP | AWS::CloudFormation::Stack | amplify-xyzyyyzzz-develop-branch-066ce2c317
Failed resources:
amplify-xyzyyyzzz-develop-branch-066ce2c317 | 8:46:43 PM | UPDATE_FAILED  | AWS::CloudFormation::Stack | auth.NestedStack/auth.NestedStackResource (auth111222333) S3 error: Access Denied For more information check http://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html

Wondering if anyone has seen this and has a solution?

1 Answer

Greeting

Hi Hula!

Thank you for reaching out! It sounds like you’ve returned to your Amplify project after some time and are encountering deployment issues related to S3 access while CloudFormation tries to set up your resources. Let’s dive into this together and get you back on track. 😊


Clarifying the Issue

From what you’ve shared, the issue occurs during your Amplify deployment when CloudFormation attempts to create a nested stack for your authentication resources. The specific error, "S3 error: Access Denied," indicates that the deployment process is unable to access an S3 bucket that’s critical for storing deployment artifacts or CloudFormation templates.

It’s common for this issue to arise if permissions on the S3 bucket have changed, if the bucket was manually modified or deleted, or if the Amplify CLI configuration has become outdated due to recent AWS policy updates. Additionally, region misalignment between the Amplify project and the S3 bucket is a potential factor. Let’s troubleshoot this step by step to identify and resolve the root cause.


Why This Matters

Resolving this issue is crucial because S3 is integral to Amplify and CloudFormation deployments. Amplify uses S3 to store deployment artifacts, manage nested stack templates, and sync your resources during updates. Without proper S3 access, your application cannot deploy successfully. Addressing the underlying issue also ensures a smoother deployment process in the future, reducing downtime and errors.


Key Terms

  • S3 Bucket: AWS's object storage service, used by Amplify to store deployment files.
  • CloudFormation: AWS’s service for managing infrastructure as code, responsible for creating and updating your application resources.
  • IAM Role: An AWS Identity and Access Management role that provides permissions to AWS services.
  • CloudTrail: AWS’s service for logging API activity, useful for diagnosing access issues.
  • Access Denied: A common error indicating a lack of permissions for a specific operation or resource.

The Solution (Our Recipe)

Steps at a Glance:

  1. Verify the S3 bucket's existence, region, and status.
  2. Check the IAM roles and policies for the Amplify deployment.
  3. Confirm the S3 bucket permissions and bucket policy.
  4. Use CloudTrail to trace denied requests for deeper debugging.
  5. Retry the Amplify deployment and synchronize configurations.

Step-by-Step Guide:

Step 1: Verify the S3 Bucket’s Existence, Region, and Status

  • Go to the S3 Console in AWS.
  • Search for the bucket name related to your Amplify app (the name is usually prefixed with amplify- and your app name).
  • Ensure the bucket exists and has not been deleted or renamed.
  • Confirm the bucket’s region matches the Amplify project region:
    aws s3api get-bucket-location --bucket your-bucket-name
    If the regions don’t align, you may need to reconfigure Amplify or migrate the bucket.
  • If the bucket is missing, recreate it or run the following to refresh local settings:
    amplify pull --restore

Step 2: Check IAM Roles and Policies

  • In the IAM Console, locate the IAM role used for Amplify deployments (you can find it in the Amplify Console under Environment Settings).
  • Confirm the role has the necessary permissions, such as:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:PutObject",
            "s3:DeleteObject",
            "s3:ListBucket"
          ],
          "Resource": [
            "arn:aws:s3:::amplify-your-bucket-name",
            "arn:aws:s3:::amplify-your-bucket-name/*"
          ]
        }
      ]
    }
  • If these permissions are missing, attach or update the policy to include them.

Step 3: Confirm the S3 Bucket Permissions and Policy

  • Open the bucket in the S3 Console and go to the Permissions tab.
  • Ensure the bucket policy allows access for the Amplify role. Example:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::your-account-id:role/AmplifyDeploymentRole"
          },
          "Action": "s3:*",
          "Resource": [
            "arn:aws:s3:::amplify-your-bucket-name",
            "arn:aws:s3:::amplify-your-bucket-name/*"
          ]
        }
      ]
    }
  • Ensure Block Public Access settings or bucket ownership configurations are not interfering with access.

Step 4: Use CloudTrail to Trace Denied Requests

  • Enable or check CloudTrail logs for S3 operations:
    aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventSource,AttributeValue=s3.amazonaws.com
  • Look for AccessDenied entries and verify which role or resource caused the denial.

Step 5: Retry the Amplify Deployment and Synchronize Configurations

  • Clean up any stale resources locally:
    amplify clean
  • Synchronize your local environment with Amplify:
    amplify env pull --restore
  • Push the changes to retry the deployment:
    amplify push --force
  • Monitor the deployment logs for any new issues.

Closing Thoughts

Reviewing your S3 bucket, IAM roles, and bucket policies should resolve the access issue and allow your deployment to proceed. If further issues arise, tracing denied requests with CloudTrail will provide a deeper understanding of any remaining misconfigurations.

Here are helpful resources for your reference:


Farewell

I hope this improved guide helps you resolve the issue, Hula! Please don’t hesitate to comment if you have additional details or run into new roadblocks. Best of luck getting your project back online! 🚀😊


Cheers,

Aaron 😊

answered a month ago
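The checklist in the answer (Steps 2 to 4) can be run offline against JSON the AWS CLI already produces, which is quicker than clicking through the console and catches the classic mistake of granting object actions on the bucket ARN but not on bucket/*. The script below is an added example, not code from the question or the answer. It assumes you feed it the policy document from `aws iam get-role-policy` (or `get-policy-version`) and the output of `aws cloudtrail lookup-events`; the bucket name, role ARN and account id in the inline samples are constructed placeholders. It models only Allow/Deny on Action/Resource (no Conditions, NotAction, NotResource or Principal), so an empty "missing" result is necessary but not sufficient for access to work.

```python
"""Offline helpers for the S3 "Access Denied" checklist (Steps 2-4).

Added example, not code from the original thread. Reads JSON from the AWS CLI
(role policy document, `aws cloudtrail lookup-events` output) and reports
what is missing. Inline samples are constructed placeholders.
"""
import json
from fnmatch import fnmatchcase  # IAM-style "*" and "?" wildcards

OBJECT_ACTIONS = ("s3:GetObject", "s3:PutObject", "s3:DeleteObject")


def required_grants(bucket):
    """(action, resource) pairs a deployment role needs on an artifact bucket.
    ListBucket is evaluated on the bucket ARN, object actions on bucket/*."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    grants = {("s3:ListBucket", bucket_arn)}
    grants.update((a, f"{bucket_arn}/*") for a in OBJECT_ACTIONS)
    return grants


def _as_list(value):
    return value if isinstance(value, list) else [value]  # IAM accepts a bare string


def _covers(pattern, value, case_insensitive):
    if case_insensitive:  # action names are case-insensitive, ARNs are not
        return fnmatchcase(value.lower(), pattern.lower())
    return fnmatchcase(value, pattern)


def missing_permissions(policy, bucket):
    """Required (action, resource) pairs the policy does not grant.
    Explicit Deny overrides Allow, as in IAM. Conditions/NotAction/NotResource
    and Principal are not modelled (assumption: plain Allow/Deny statements)."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy["Statement"]):
        if "NotAction" in stmt or "NotResource" in stmt:
            continue
        target = allowed if stmt.get("Effect") == "Allow" else denied
        for action in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                for need_action, need_resource in required_grants(bucket):
                    if _covers(action, need_action, True) and _covers(resource, need_resource, False):
                        target.add((need_action, need_resource))
    return sorted(required_grants(bucket) - (allowed - denied))


def denied_s3_events(lookup_output):
    """AccessDenied S3 calls from `aws cloudtrail lookup-events` JSON.
    Each hit names caller ARN, API action and bucket: enough to tell whether
    the role policy or the bucket policy is the one refusing the request."""
    hits = []
    for event in lookup_output.get("Events", []):
        detail = json.loads(event["CloudTrailEvent"])  # event body is a JSON string
        if detail.get("eventSource") != "s3.amazonaws.com":
            continue
        if "AccessDenied" not in (detail.get("errorCode") or ""):
            continue
        hits.append({
            "time": detail.get("eventTime"),
            "caller": detail.get("userIdentity", {}).get("arn"),
            "action": detail.get("eventName"),
            "bucket": detail.get("requestParameters", {}).get("bucketName"),
        })
    return hits


# --- constructed samples (placeholder names, not real account data) ----------
BUCKET = "amplify-your-bucket-name"

SAMPLE_ROLE_POLICY = {  # the Step 2 statement wrapped in a policy document
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }],
}

SAMPLE_LOOKUP = {  # shape of `aws cloudtrail lookup-events` output, constructed
    "Events": [
        {"EventName": "GetObject", "EventSource": "s3.amazonaws.com",
         "CloudTrailEvent": json.dumps({
             "eventTime": "2025-01-11T20:46:43Z", "eventSource": "s3.amazonaws.com",
             "eventName": "GetObject", "errorCode": "AccessDenied",
             "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/AmplifyDeploymentRole/cfn"},
             "requestParameters": {"bucketName": BUCKET, "key": "auth.template.json"}})},
        {"EventName": "PutObject", "EventSource": "s3.amazonaws.com",
         "CloudTrailEvent": json.dumps({  # successful call: no errorCode
             "eventTime": "2025-01-11T20:46:29Z", "eventSource": "s3.amazonaws.com",
             "eventName": "PutObject",
             "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev"},
             "requestParameters": {"bucketName": BUCKET}})},
    ]
}

if __name__ == "__main__":
    print("missing grants:", missing_permissions(SAMPLE_ROLE_POLICY, BUCKET))
    for hit in denied_s3_events(SAMPLE_LOOKUP):
        print(f"{hit['time']} {hit['caller']} {hit['action']} on {hit['bucket']} -> AccessDenied")
```

To use it on a live account, replace the samples with `json.load` of the CLI output, e.g. `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventSource,AttributeValue=s3.amazonaws.com > events.json`. A caller ARN in the hits that is not the Amplify deployment role points at a different identity doing the work than the one you fixed; a hit whose bucket is not the expected `amplify-` bucket points at a stale configuration or region mismatch rather than a permissions gap.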
