AWS Amplify module with CodeCommit Repository

[kinbald]

❓ General Issue

The Question

Hello,

With the introduction of the Amplify constructors (App, Branch, Domain), I updated my code from CfnApp to App.
I'm facing a problem with the accessToken and oauthToken parameters, they are now mandatory if you connect to a repository.

I understand this behavior when you connect to a 3rd party source provider like Github, Gitlab but what about the case of CodeCommit ?
My deployment used to work with CfnApp connected to a CodeCommit repository and no token as parameters.

Best regards,

Environment

• CDK CLI Version: 1.30.0
• Module Version: 1.30.0
• OS: OSX Catalina
• Language: TypeScript

Other information

Related code from app.ts
if (props.repository && !props.accessToken && !props.oauthToken) { throw new Error('EitheraccessTokenoroauthToken must be specified'); }

[MrArnoldPalmer]

Hey @kinbald, so when providing a codecommit repository using CfnApp, if you no authToken and no oauthToken it still works? Do you have to give the amplify project's role access through iam?

@jogold for visibility.

[jogold]

@kinbald Did you maybe connect the repository manually using the console?

@MrArnoldPalmer the amplify project's role is only used when working with backends I think

[kinbald]

Hey there,

I do not use the amplify console to connect the repo, I use the repository parameter of App constructor.
To understand a little bit more the bug, I tested 3 different stacks (CDK 1.30.0) :

1. CfnApp + CfnBranch + CfnDomain WITHOUT token ✅ (Amplify build succeeded)
2. App + Branch + Domain WITH valid accessToken ✅ (Amplify build succeeded)
3. App + Branch + Domain WITH random string as accessToken ❌ (Amplify build failed)
   => Succeeded to clone the repo but failed at Backend step with accessDenied error.

And as you asked I create the app with this role :

const amplifyPrincipal = new iam.ServicePrincipal("amplify.amazonaws.com")
const amplifyRole = new iam.Role(this, "AmplifyConsoleRole", {
      assumedBy: amplifyPrincipal,
      managedPolicies: [
        iam.ManagedPolicy.fromAwsManagedPolicyName("AWSCodeCommitReadOnly")
      ],
      roleName: "AmplifyConsoleRole"
})

Thanking you in advance

[jogold]

2. App + Branch + Domain WITH valid accessToken

Which accessToken? How did you generate it?

I create the app with this role

Did you specify it in the 3 stacks?

but failed at Backend step with accessDenied error.

Do you have the full error message?

[kinbald]

Which accessToken? How did you generate it?

Seamed to our team that the only token that could be generated would be with HTTPS GitCredential manager in our IAM account. We used the password string as accessToken as a try.

Did you specify it in the 3 stacks?

Yes, they all use this role.

Do you have the full error message?

Sure :
https://gist.github.com/kinbald/91d09f56830286b3fbc6cbadaf4161bd

[jogold]

@MrArnoldPalmer we should maybe have something like a SourceCodeProvider class with static methods for the different providers. We can start with GitHub and CodeCommit.