[aws-amplify] Can't connect to GitHub #9455

Closed
thisismydesign opened this issue Aug 5, 2020 · 6 comments
Labels
@aws-cdk/aws-amplify Related to AWS Amplify guidance Question that needs advice or information. needs-triage This issue or PR still needs to be triaged.

thisismydesign commented Aug 5, 2020

❓ General Issue

The Question

I'm trying to add an Amplify app via CDK but can't connect to GitHub with my Personal Access Token (repo scope).

```ts
const amplifyApp = new amplify.App(this, 'App', {
  sourceCodeProvider: new amplify.GitHubSourceCodeProvider({
    owner: 'x',
    repository: 'y',
    oauthToken: cdk.SecretValue.plainText(process.env.PAT as string)
  }),
});
```

```
2:27:59 PM | CREATE_FAILED        | AWS::Amplify::App        | LandingF95672E9
There was an issue setting up your repository. Please try again later.({"message":"Not Found","documentation_url":"https://docs.github.com/rest/reference/repos#create-a-repository-webhook"
}) (Service: Amplify; Status Code: 400; Error Code: BadRequestException; Request ID: -)
```

I assume this is an access issue? However, the access seems right to me. Am I using the plain text secret correctly? I also tried non-plain text but ran into different issues. For now, I'd just like to get it working as simply as possible.

Environment

  • CDK CLI Version: 6.14.6
  • Module Version:
  • Node.js Version: v14.6.0
  • OS: WSL2
  • Language (Version): TS

Other information

@thisismydesign
Author

Possibly caused by the new account used being restricted. Would be great to have a proper error message when PAT is not working.

conrc commented Aug 7, 2021

I ran into the same issue. My fix was granting repo scope access to the personal access token on GitHub.

a-h commented Aug 13, 2021

I had this problem, and the underlying problem was that the user that created the Personal Access Token must also (for some reason) be an Admin of the repository: aws-amplify/amplify-hosting#2160

Contributor

skinny85 commented Aug 23, 2021

> I had this problem, and the underlying problem was that the user that created the Personal Access Token must also (for some reason) be an Admin of the repository: aws-amplify/amplify-console#2160

It's probably because CodePipeline Amplify creates a WebHook in your GitHub repository, and only admins can do that.

a-h commented Aug 25, 2021

Not 100% sure that only admins can do that @skinny85.

Being able to write webhooks is listed as an available scope within a Personal Access Token, as per this screenshot aws-amplify/amplify-hosting#2160 (comment)

When I added the scope (permission) to create hooks to the Personal Access Token of the CI user, it still didn't work. I think it's a bug in Amplify, that instead of just using the OAuth scopes to do the task, it checks whether the user is an "admin" on the repo or not. I think GitHub uses that to show a tag on the users when they comment, rather than as a permission thing.

Personally, I just gave up on trying to use Amplify SSR for my team's latest project, and gave the new App Runner service a shot. Up and running with CI/CD on the same day using GitHub Actions to run the CDK. I've used a Docker container, so I can easily switch to ECS/Fargate if I run into any problems with App Runner, plus it's really easy to test locally.

The GitHub Action runs under a CI IAM user with a Permissions Boundary attached to reduce the potential of privilege escalation attacks from the CI pipeline. The IAM user is a static credential which is less than ideal, but I'll write a script to rotate that like this one I did for Circle CI a few years back: https://gist.github.com/a-h/b83249884e6e66ced90a5a777dac22a1

@ryanjdillon

My issue was storing the GitHub PAT as a key/value pair in AWS Secrets Manager, which then requires that you pass the json option to the SecretManager. I instead saved it as a Plaintext secret, and that did the job.

This is what helped me:
#3515 (comment)
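
The causes reported across this thread (a key/value secret passed without naming its JSON field, a token without a webhook-capable scope, a token owner who is not a repository admin) can each be checked before deploying. The TypeScript below is an added example, not code from the thread or from the CDK project; `extractToken`, `checkWebhookAccess` and all sample values are hypothetical, and the inputs are assumed to be the `X-OAuth-Scopes` response header and the `permissions` object GitHub returns from `GET /repos/{owner}/{repo}` for a classic PAT.

```typescript
// Added example: offline preflight for the failure causes reported in this thread.
// All sample values are constructed; nothing here calls GitHub or AWS.

interface RepoInfo { permissions?: { admin?: boolean; push?: boolean; pull?: boolean } }
interface Finding { ok: boolean; problems: string[] }

// Classic PAT scopes that cover repository webhooks.
const HOOK_SCOPES: string[] = ['repo', 'admin:repo_hook', 'write:repo_hook'];

// Secrets Manager stores either a plaintext string or a JSON key/value document.
// Passing the whole JSON document as the OAuth token sends '{"key":"..."}' to GitHub.
function extractToken(secretString: string, jsonField?: string): string {
  const trimmed = secretString.trim();
  if (trimmed.charAt(0) !== '{') return trimmed; // plaintext secret: use as-is
  if (!jsonField) throw new Error('secret is a key/value document; name the field to read');
  const doc = JSON.parse(trimmed) as { [key: string]: unknown };
  const value = doc[jsonField];
  if (typeof value !== 'string') throw new Error('field "' + jsonField + '" is not in the secret');
  return value;
}

// scopesHeader: value of the X-OAuth-Scopes response header for a classic PAT.
// repo: body of GET /repos/{owner}/{repo} requested with that PAT.
function checkWebhookAccess(scopesHeader: string | null, repo: RepoInfo): Finding {
  const problems: string[] = [];
  const scopes = (scopesHeader || '').split(',').map(s => s.trim()).filter(s => s.length > 0);
  if (!scopes.some(s => HOOK_SCOPES.indexOf(s) !== -1)) {
    problems.push('token lacks a webhook-capable scope (has: ' + (scopes.join(', ') || 'none') + ')');
  }
  if (!repo.permissions || repo.permissions.admin !== true) {
    problems.push('token owner is not an admin of the repository');
  }
  return { ok: problems.length === 0, problems: problems };
}

// Constructed sample: a CI user with push-only access and a token without hook scopes.
const ciUser = checkWebhookAccess('read:user, read:org', { permissions: { admin: false, push: true, pull: true } });
// Constructed sample: repo-scoped token owned by a repository admin.
const adminUser = checkWebhookAccess('repo', { permissions: { admin: true, push: true, pull: true } });
console.log(ciUser, adminUser, extractToken('{"github-token":"EXAMPLE_TOKEN"}', 'github-token'));
```

A finding with two problems, as for the constructed CI user, means both the scope and the repository role need changing before Amplify can register its webhook.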
