If applicable, what version of Node.js are you using?
v20.9.0
Amplify CLI Version
12.10.1
What operating system are you using?
Mac
Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.
Yes, a custom category to expose the API endpoint via an SSM parameter, so Cognito trigger functions can get access/config of the API.
I believe this is the relevant piece in the template that is causing the deployment failure:
```json
{
  "Resources": {
    "GraphQLEndpointParam": {
      "Type": "AWS::SSM::Parameter",
      "Properties": {
        "Name": {
          "Fn::Join": [
            "",
            [
              "amplify/GraphQLEndpoint-",
              {
                "Ref": "env"
              }
            ]
          ]
        },
        "Type": "String",
        "Value": {
          "Ref": "apixxxGraphQLAPIEndpointOutput"
        },
        "Description": "GraphQL API Endpoint for the current stage"
      }
    }
  }
}
```
Describe the bug
Copied from the custom category template deployment
Resource handler returned message: "User: arn:aws:sts::xxx:assumed-role/us-east-1_aPwDmYAQx_Full-access/amplifyadmin is not authorized to perform: ssm:AddTagsToResource on resource: arn:aws:ssm:us-east-1:xxx:parameter/amplify/GraphQLEndpoint-prod because no identity-based policy allows the ssm:AddTagsToResource action (Service: Ssm, Status Code: 400, Request ID: b6c1b086-b903-42e4-ac3c-01da8c35a4d0)" (RequestToken: 9235f63d-1fc8-da09-7169-f926d777e87a, HandlerErrorCode: GeneralServiceException)
Expected behavior
The Amplify role should have permissions correctly configured.
Reproduction steps
Add a custom category that creates SSM parameter
Try to deploy
🛑 Resource is not in the state stackUpdateComplete
Name: GraphQLEndpointParam (AWS::SSM::Parameter), Event Type: create, Reason: Resource handler returned message: "User: arn:aws:sts::xxx:assumed-role/us-east-1_aPwDmYAQx_Full-access/amplifyadmin is not authorized to perform: ssm:AddTagsToResource on resource: arn:aws:ssm:us-east-1:xxx:parameter/amplify/GraphQLEndpoint-prod because no identity-based policy allows the ssm:AddTagsToResource action (Service: Ssm, Status Code: 400, Request ID: b6c1b086-b903-42e4-ac3c-01da8c35a4d0)" (RequestToken: 9235f63d-1fc8-da09-7169-f926d777e87a, HandlerErrorCode: GeneralServiceException), IsCustomResource: false
Project Identifier
No response
Log output
Additional information
No response
Before submitting, please confirm:
I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
I have removed any sensitive information from my code snippets and submission.
Hey @OperationalFallacy, thank you for reaching out. This looks like a miss on the AdministratorAccess-Amplify policy (AmplifySSMCalls) when the root stack tags are propagated to the nested stack; marking as bug.
But to mitigate the issue we should be able to add an inline policy allowing the SSM tags permission.
In regard to "lambda:GetLayerVersionbyArn", I have reached out to the appropriate team.
On a side note, I did notice the Name Join has amplify/GraphQLEndpoint-; you will need to use /amplify/GraphQLEndpoint-, as the qualified name expects a leading /.
Hey @OperationalFallacy, the Amplify managed policy supports permissions for native categories like api, auth, and storage. For custom use cases, customers will have to add permissions in their inline policy. Add the ssm:AddTagsToResource permission as a separate inline policy on this role: us-east-1_aPwDmYAQx_Full-access
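The inline policy the maintainers suggest above, written out as an added example; it is not code from the Amplify project or from anyone in this thread. It assumes the account ID 123456789012 as a placeholder for the redacted xxx in the error message, the us-east-1 region from that message, and that every custom parameter in the project lives under the amplify/ prefix (the ARN of the failing parameter is arn:aws:ssm:us-east-1:xxx:parameter/amplify/GraphQLEndpoint-prod, and it keeps that form whether or not the Name gets the leading slash mentioned in the previous comment). ssm:RemoveTagsFromResource is included on the assumption that CloudFormation will also need it when the propagated stack tags change on a later update.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AmplifyCustomSsmParameterTags",
      "Effect": "Allow",
      "Action": [
        "ssm:AddTagsToResource",
        "ssm:RemoveTagsFromResource"
      ],
      "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/amplify/*"
    }
  ]
}
```

Save it as ssm-tags-policy.json and attach it with `aws iam put-role-policy --role-name us-east-1_aPwDmYAQx_Full-access --policy-name AmplifyCustomSsmParameterTags --policy-document file://ssm-tags-policy.json`, then re-run the push. Keep the Resource scoped to the project's parameter path rather than `*`: the role is an administrator-style role, so the grant should widen it only for the parameters this stack actually creates, and the ARN in the AccessDenied message is the quickest check that the pattern covers the resource CloudFormation is trying to tag.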
@bzsurbhi I'm confused, what is the Amplify managed policy? This is also not a custom case: the Amplify CLI fails to make updates because some SSM permissions are missing.
How did you install the Amplify CLI?
yarn