
"Amplify Console requires you to have admin access to the repository." - Why? #2160

Closed
a-h opened this issue Aug 13, 2021 · 7 comments
Labels: archived (This issue has been locked.), feature-request (New feature or request), pending-investigation, question (Further information is requested)

Comments

@a-h

a-h commented Aug 13, 2021

I've set up a Personal Access Token for a Github user that's used for CI purposes. The token gives access to the repos, but the console complains that admin access is required.


App ID can't be provided, because I can't create an app without giving my CI user admin access to the repo.
Region is eu-west-1

@a-h a-h added the question Further information is requested label Aug 13, 2021
@a-h
Author

a-h commented Aug 13, 2021

For clarity, I really wanted to use CDK:

import * as amplify from '@aws-cdk/aws-amplify';
import { SecretValue } from '@aws-cdk/core';

// 'xxx' placeholders stand in for the real construct id, GitHub owner and repository
const amplifyApp = new amplify.App(this, 'xxx', {
    sourceCodeProvider: new amplify.GitHubSourceCodeProvider({
        owner: 'xxx',
        repository: 'xxx',
        // classic personal access token of the CI user, read from the environment at synth time
        oauthToken: SecretValue.plainText(process.env.CI_USER_PERSONAL_ACCESS_TOKEN as string)
    }),
});
amplifyApp.addBranch("main");

This was giving me the following error message.

Resource handler returned message: "Invalid request provided: There was an issue setting up your repository. Please try again later.({"message":"Not Found","documentation_url":"https://docs.github.com/rest/reference/repos#create-a-repository-webhook"}) (Service: Amplify, Status Code: 400, Request ID: 85d2b3bd-9801-4bbb-b787-3ca71e756eb0, Extended Request ID: null)" (RequestToken: ac23db47-0ef6-4d29-ed0f-83eae4d37e3c, HandlerErrorCode: InvalidRequest)

The personal access token I was using with CDK didn't work even if I gave it every single scope, including all the "admin" things:


To debug the problem, I was trying to use the console.

In the console, I saw this message about a requirement to be an admin user (the fact that the token needs to be from a user with the admin role on the repo (not just admin scopes in the access token) isn't mentioned elsewhere!).

I realised that deploying my CDK project from the CLI worked fine for me when I used my Github personal access token, but not my CI user. The difference is that I'm an organization owner, and the CI user is a member. I switched the CI user to be an Owner, and suddenly it worked.

I realised that by making the user an Organization Owner, I was also making them an "Admin" role in each repository, which set the flag in the API response to true, and made Amplify happy.

The right way to deal with this would have been to add my CI user to the repo as admin. However, this is still too much permission for a CI user.


Using Chrome debug tools, I noticed that the API call to Github was executing from the browser. In the GraphQL response, I could see some references to "admin", and I realised that the UI is just checking whether the user is an "admin" role of the repository. This doesn't seem right, because the CDK CI process just uses the personal access token, which has defined scopes.

I think the underlying problem is that Amplify is complaining that it needs to be an admin of the repo, when really, all it needs is a Github token with repo access, but there's no way to add that in the UI, so it asks for way more permission than required.

There's no clarity about why admin access is required, and what Amplify will do with that access.

@a-h a-h changed the title "Amplify Console requires you to have admin access to the repository." - What is admin access? "Amplify Console requires you to have admin access to the repository." - Why? Aug 13, 2021
@aws-amplify aws-amplify deleted a comment from github-actions bot Aug 31, 2021
@ferdingler
Contributor

ferdingler commented Aug 31, 2021

Hi @a-h, thank you for reaching out.

When you create an Amplify app using GitHub as source, we use the provided oauth token to create a Webhook and a Deploy Key on your repository. The Webhook is used to listen for GitHub events to trigger Amplify CI/CD based on new commits to your connected branches, and the Deploy Key is used to pull code from your repo during a build.

The GitHub permission model requires Admin access to a repository in order to create webhooks and deploy keys, which is why the UI grays out those repos for which you are not an admin. And it's likely the same reason why your CDK deployment fails.

I would like to clarify that we only use the oauth token as a one-time setup to create the Webhook and Deploy Key and we do not store the token anywhere on our service.

We will take the action item to improve our documentation around this subject to make it clearer.
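The maintainer's explanation separates two things a GitHub token carries: the scopes on the token itself and the role of the token's user on the repository. The following is an added example, not code from the issue or from Amplify: it applies both checks to a constructed copy of the `permissions` object returned by GitHub's `GET /repos/{owner}/{repo}` and of the `X-OAuth-Scopes` response header, so a CI token can be vetted before it is handed to Amplify.

```python
import json

# Constructed sample (not real data) of the GET /repos/{owner}/{repo} body and of
# the X-OAuth-Scopes header GitHub returns for a classic personal access token.
SAMPLE_REPO_JSON = json.dumps({
    "full_name": "example-org/example-repo",
    "permissions": {"admin": False, "maintain": True, "push": True, "pull": True},
})
SAMPLE_SCOPES_HEADER = "repo, admin:repo_hook, admin:org"

# What Amplify does with the token at connect time, and what GitHub requires
# the Admin repository role for (per the maintainer's comment above).
ADMIN_ONLY_OPERATIONS = ("create repository webhook", "create deploy key")


def parse_scopes(header_value):
    """Turn the comma-separated X-OAuth-Scopes header into a set of scope names."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def has_admin_role(repo_json):
    """Mirror the console's check: a repo is connectable only if permissions.admin is true."""
    return bool(json.loads(repo_json).get("permissions", {}).get("admin"))


def amplify_connect_check(repo_json, scopes_header):
    """Return the reasons this token cannot connect the repo to Amplify (empty = OK).

    The two checks are independent: a token can carry every admin:* scope and
    still fail the role check, which is exactly the situation in this issue.
    """
    problems = []
    if "repo" not in parse_scopes(scopes_header):
        problems.append("token lacks the 'repo' scope")
    if not has_admin_role(repo_json):
        problems.append(
            "user is not admin on the repository; required for: "
            + ", ".join(ADMIN_ONLY_OPERATIONS)
        )
    return problems


if __name__ == "__main__":
    for problem in amplify_connect_check(SAMPLE_REPO_JSON, SAMPLE_SCOPES_HEADER):
        print("blocked:", problem)
```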

@a-h
Author

a-h commented Sep 3, 2021

The documentation says to use a Personal Access Token with the repo scope which is what I gave it.

https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-amplify.GitHubSourceCodeProviderProps.html

oauthToken
Type: SecretValue

"A personal access token with the repo scope."

So the documentation is certainly part of the problem.

So it seems that I don't want Amplify to create a GitHub Webhook and deploy key, because that means giving a CI user admin rights; I want to pass Amplify a GitHub deploy key, and for Amplify to then tell me where I should configure GitHub to send the Webhook.

@saviogl

saviogl commented Jan 6, 2022

@ferdingler Anything in the pipeline to avoid requiring repo Admin permission? CI-like credentials should especially follow the least privilege principle, and this hard requirement (which, by the way, is not stated anywhere in the documentation) is really a non-starter for many people.

@swaminator
Contributor

swaminator commented Feb 24, 2022

Please read this: #1542 (comment).

@swaminator swaminator reopened this Feb 24, 2022
@abhi7cr abhi7cr added the feature-request New feature or request label Mar 2, 2022
@swaminator
Contributor

We now support GitHub apps to help with this: https://aws.amazon.com/about-aws/whats-new/2022/04/aws-amplify-hosting-github-access-workflows/.

Please let us know if you have any issues.

@github-actions

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot added the archived This issue has been locked. label Oct 28, 2022
@github-actions github-actions bot locked and limited conversation to collaborators Oct 28, 2022