Adding a service role
Amplify requires permissions to deploy backend resources with your front end. You use a service role to accomplish this. A service role is the AWS Identity and Access Management (IAM) role that Amplify assumes when calling other services on your behalf. In this guide, you will create an Amplify service role that has account administrative permissions and explicitly allows direct access to resources that Amplify applications require to deploy any Amplify Studio or CLI resources, and create and manage backends. For more information about Amplify Studio, see Getting started.
Step 1: Sign in to the IAM console
Open the IAM console
Step 2: Create Amplify role
In the role selection screen, find Amplify and choose the Amplify-Backend Deployment role. Accept all the defaults and choose a name for your role, such as AmplifyConsoleServiceRole-AmplifyRole.
Step 3: Return to the Amplify console
Open the Amplify console

If you already have an existing app, you can find the service role setting in App settings > General and then choose Edit from the top right corner of the box. Pick the service role you just created from the dropdown and choose Save.

The Amplify console now has permissions to deploy backend resources.
Confused deputy prevention
The confused deputy problem is a security issue where an entity that doesn't have permission to perform an action can coerce a more-privileged entity to perform the action. For more information, see Cross-service confused deputy prevention.
Currently, the default trust policy for the Amplify-Backend Deployment service role enforces the aws:SourceArn and aws:SourceAccount global context condition keys to protect against the confused deputy problem. However, if you previously created an Amplify-Backend Deployment role in your account, you can update the role's trust policy to add these conditions.
Use the following example to restrict access to apps in your account. Replace the Region (us-east-1) and account ID (123456789012) in the example with your own information.
"Condition": {
  "ArnLike": {
    "aws:SourceArn": "arn:aws:amplify:us-east-1:123456789012:apps/*"
  },
  "StringEquals": {
    "aws:SourceAccount": "123456789012"
  }
}
For instructions on editing the trust policy for a role using the AWS Management Console, see Modifying a role (console) in the IAM User Guide.
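As an added example (not part of the original AWS page or any Amplify tooling), the following Python check reads a role trust policy and reports whether each statement that trusts Amplify carries both condition keys described above, scoped to your account. The amplify.amazonaws.com principal, the function names and the two sample policies are assumptions constructed for illustration.

```python
import json

# Assumption: the Amplify service principal named in the role's trust policy.
AMPLIFY_PRINCIPAL = "amplify.amazonaws.com"
MATCH_OPS = {"arnlike", "arnequals", "stringequals", "stringlike"}  # positive matches only

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_values(stmt, key):
    """Values set for a condition key (key and operator names are case-insensitive)."""
    values = []
    for op, operands in stmt.get("Condition", {}).items():
        if op.lower() in MATCH_OPS:
            values += [v for k, val in operands.items()
                       if k.lower() == key.lower() for v in _as_list(val)]
    return values

def audit_trust_policy(policy, account_id):
    """Return findings for statements that let Amplify assume the role unscoped."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or AMPLIFY_PRINCIPAL not in services:
            continue
        arns = _condition_values(stmt, "aws:SourceArn")
        accounts = _condition_values(stmt, "aws:SourceAccount")
        if not arns:
            findings.append(f"statement {i}: no aws:SourceArn condition")
        elif any(a.split(":")[4:5] != [account_id] for a in arns):
            findings.append(f"statement {i}: aws:SourceArn not scoped to {account_id}")
        if not accounts:
            findings.append(f"statement {i}: no aws:SourceAccount condition")
        elif any(a != account_id for a in accounts):
            findings.append(f"statement {i}: aws:SourceAccount is not {account_id}")
    return findings

# Constructed samples: a role without the conditions, then with the page's Condition block.
LEGACY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Service": "amplify.amazonaws.com"}, "Action": "sts:AssumeRole"}]}""")
UPDATED = json.loads(json.dumps(LEGACY))
UPDATED["Statement"][0]["Condition"] = {
    "ArnLike": {"aws:SourceArn": "arn:aws:amplify:us-east-1:123456789012:apps/*"},
    "StringEquals": {"aws:SourceAccount": "123456789012"}}

if __name__ == "__main__":
    for name, doc in (("legacy", LEGACY), ("updated", UPDATED)):
        print(name, audit_trust_policy(doc, "123456789012") or "ok")
```

To check a real role, pass in the trust policy document exported from the IAM console in place of the constructed samples.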