If applicable, what version of Node.js are you using?
No response
Amplify CLI Version
12.12.4
What operating system are you using?
Mac
Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.
No
Describe the bug
When I do,
amplify add env ...
amplify push
I am getting an error:
Name: SubscribedGroup (AWS::Cognito::UserPoolGroup), Event Type: create, Reason: Resource handler returned message: "User: arn:aws:sts::471112589329:assumed-role/eu-central-1_Ad25tEyii_Full-access/amplifyadmin is not authorized to perform: cognito-idp:GetGroup on resource: arn:aws:cognito-idp:eu-central-1:471112589329:userpool/eu-central-1_0WJJ5Y05O because no identity-based policy allows the cognito-idp:GetGroup action (Service: CognitoIdentityProvider, Status Code: 400, Request ID: fb4dc113-81ac-4742-841b-f90717fcc71a)" (RequestToken: 94514ba1-38ef-acfb-0010-bcba2ca044b6, HandlerErrorCode: GeneralServiceException), IsCustomResource: false
Expected behavior
Push to new env.
Reproduction steps
amplify push
Project Identifier
No response
Log output
# Put your logs below this line
Additional information
No response
Before submitting, please confirm:
I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
I have removed any sensitive information from my code snippets and submission.
Hey @fistofzen, this appears to be similar to #7582, currently being tracked as a bug. The comment provides a workaround in using the custom-policies.json to add the permissions: #7582 (comment)
FWIW I had the same error, and the workaround mentioned by @ykethan (I think) didn't apply to me because this was at the amplify push stage, not something contained in the permissions with a lambda function, which is what I think the custom-policies.json workaround applies to.
I finally got my new env to build, and my old one that was also producing a Cognito related build error (I was trying to create a Cognito group in this push), by searching in IAM for a role that had the same role name as the error (____Full-access) and then adding an inline policy that gave that role the permission to GetGroup for resources within my project (I had at least 2 different ARNs, so I just did a * to save myself some time since I thought GetGroup was low stakes).
I hope you were able to move beyond this bug, but documenting in case anyone else ever runs into this.
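The inline policy described in the comment above can list the exact resource ARNs named in the error messages instead of `*`. The following is an added example, not code from this issue or from the Amplify project: it parses access-denied messages of the form quoted in the issue and builds one inline policy per role. The account ID, role name and user pool IDs in the sample are constructed placeholders.

```python
import json
import re

# IAM access-denied text as relayed by CloudFormation:
# "User: <sts arn> is not authorized to perform: <action> on resource: <arn> because ..."
DENIED_RE = re.compile(
    r"User: arn:aws:sts::\d{12}:assumed-role/(?P<role>[^/\s]+)/\S+"
    r" is not authorized to perform: (?P<action>[a-z0-9-]+:[A-Za-z]+)"
    r" on resource: (?P<resource>arn:aws:\S+)"
)

def parse_denied(message):
    """Return (role name, action, resource ARN) from one access-denied message."""
    m = DENIED_RE.search(message)
    if m is None:
        raise ValueError("no IAM access-denied statement found")
    return m.group("role"), m.group("action"), m.group("resource")

def scoped_policies(messages):
    """Build one inline policy per role from the denied action/resource pairs."""
    grants = {}
    for msg in messages:
        role, action, resource = parse_denied(msg)
        grants.setdefault(role, {}).setdefault(action, set()).add(resource)
    return {
        role: {
            "Version": "2012-10-17",
            "Statement": [
                {"Effect": "Allow", "Action": action, "Resource": sorted(arns)}
                for action, arns in sorted(actions.items())
            ],
        }
        for role, actions in grants.items()
    }

# Constructed sample input: same message shape as the error in the issue,
# with placeholder account ID, role name and user pool IDs.
TEMPLATE = (
    "User: arn:aws:sts::111122223333:assumed-role/"
    "eu-central-1_EXAMPLE_Full-access/amplifyadmin is not authorized to perform: "
    "cognito-idp:GetGroup on resource: {arn} because no identity-based policy "
    "allows the cognito-idp:GetGroup action"
)
POOLS = [
    "arn:aws:cognito-idp:eu-central-1:111122223333:userpool/eu-central-1_POOLB",
    "arn:aws:cognito-idp:eu-central-1:111122223333:userpool/eu-central-1_POOLA",
]
SAMPLE = [TEMPLATE.format(arn=arn) for arn in POOLS]

if __name__ == "__main__":
    for role, policy in scoped_policies(SAMPLE).items():
        print(role)
        print(json.dumps(policy, indent=2))
```

The printed JSON can be saved to a file and attached to the named role with `aws iam put-role-policy --role-name ... --policy-name ... --policy-document file://...`.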