Adding a service role - AWS Amplify Hosting

Adding a service role

Amplify requires permissions to deploy backend resources with your front end. You use a service role to accomplish this. A service role is the AWS Identity and Access Management (IAM) role that Amplify assumes when calling other services on your behalf. In this guide, you will create an Amplify service role that has account administrative permissions and explicity allows direct access to resources that Amplify applications require to deploy any Amplify Studio or CLI resources, and create and manage backends. For more information, about Amplify Studio, see Getting started in the Amplify docs. For more information about the Amplify CLI, see Amplify CLI in the Amplify docs.

Step 1: Sign in to the IAM console

Open the IAM console and choose Roles from the left navigation bar, then choose Create role.

Step 2: Create Amplify role

In the role selection screen find Amplify and choose the Amplify-Backend Deployment role. Accept all the defaults and choose a name for your role, such as AmplifyConsoleServiceRole-AmplifyRole.

Step 3: Return to the Amplify console

Open the Amplify console. If you are in the process of deploying a new app, choose refresh, and then choose the role you just created. It should look like AmplifyConsoleServiceRole-AmplifyRole.

If you already have an existing app, you can find the service role setting in App settings > General and then choose Edit from the top right corner of the box. Pick the service role you just created from the dropdown and choose Save.

The Amplify console now has permissions to deploy backend resources.

Confused deputy prevention

The confused deputy problem is a security issue where an entity that doesn't have permission to perform an action can coerce a more-privileged entity to perform the action. For more information, see Cross-service confused deputy prevention.

Currently, the default trust policy for the Amplify-Backend Deployment service role enforces the aws:SourceArn and aws:SourceAccount global context condition keys to prevent against confused deputy. However, if you previously created an Amplify-Backend Deployment role in your account, you can update the role's trust policy to add these conditions to protect against confused deputy.

Use the following example to restrict access to apps in your account. Replace the red italicized text in the example with your own information.

"Condition": { "ArnLike": { "aws:SourceArn": "arn:aws:amplify:us-east-1:123456789012:apps/*" }, "StringEquals": { "aws:SourceAccount": "123456789012" } }

For instructions on editing the trust policy for a role using the AWS Management Console, see Modifying a role (console) in the IAM User Guide.