add permissions related error mapping (#2785)

* add permissions related error mapping

* remove comment

Author: Amplifiyer

.changeset/flat-spoons-enjoy.md

@@ -0,0 +1,6 @@
+---
+'@aws-amplify/backend-deployer': patch
+'@aws-amplify/platform-core': patch
+---
+
+Add permissions related error mapping

packages/backend-deployer/src/cdk_error_mapper.test.ts

@@ -336,6 +336,13 @@ npm error A complete log of this run can be found in: /home/some-path/.npm/_logs
     errorName: 'AccessDeniedError',
     expectedDownstreamErrorMessage: undefined,
   },
+  {
+    errorMessage: `StackName failed: AccessDenied: User: <escaped ARN> is not authorized to perform: cloudformation:ListExports because no identity-based policy allows the cloudformation:ListExports action`,
+    expectedTopLevelErrorMessage:
+      'Unable to deploy due to insufficient permissions',
+    errorName: 'AccessDeniedError',
+    expectedDownstreamErrorMessage: undefined,
+  },
   {
     // eslint-disable-next-line spellcheck/spell-checker
     errorMessage: `[31mamplify-user-sandbox-c71414864a: fail: socket hang up

packages/backend-deployer/src/cdk_error_mapper.ts

@@ -382,6 +382,16 @@ export class CdkErrorMapper {
       errorName: 'AccessDeniedError',
       classification: 'ERROR',
     },
+    // Same as above but matches Service errors where resource name is not included in the message
+    {
+      errorRegex:
+        /User:(.*) is not authorized to perform:(.*) because no identity-based policy allows the (?<action>.*) action/,
+      humanReadableErrorMessage:
+        'Unable to deploy due to insufficient permissions',
+      resolutionMessage: 'Ensure you have permissions to call {action}',
+      errorName: 'AccessDeniedError',
+      classification: 'ERROR',
+    },
     {
       errorRegex:
         /User:(.*) is not authorized to perform:(?<action>.*) on resource:(?<resource>.*)/,

packages/platform-core/src/errors/amplify_error.test.ts

@@ -255,6 +255,18 @@ void describe('AmplifyError.fromError', async () => {
       );
     });
   });
+  void it('wraps permissions related errors in AmplifyUserError', () => {
+    const error = new Error('You do not have permissions.');
+    ['AccessDenied', 'AccessDeniedException'].forEach((name) => {
+      error.name = name;
+      const actual = AmplifyError.fromError(error);
+      assert.ok(
+        AmplifyError.isAmplifyError(actual) &&
+          actual.name === 'AccessDeniedError',
+        `Failed the test while wrapping error ${name}`,
+      );
+    });
+  });
   void it('wraps request signature related errors in AmplifyUserError', () => {
     const error = new Error(
       'The request signature we calculated does not match the signature you provided.',

packages/platform-core/src/errors/amplify_error.ts

@@ -125,6 +125,17 @@ export abstract class AmplifyError<T extends string = string> extends Error {
         error,
       );
     }
+    if (error instanceof Error && isPermissionsError(error)) {
+      return new AmplifyUserError(
+        'AccessDeniedError',
+        {
+          message: errorMessage,
+          resolution:
+            'Ensure your IAM role has the AmplifyBackendDeployFullAccess policy along with any additional permissions required for this operation.',
+        },
+        error,
+      );
+    }
     if (error instanceof Error && isRequestSignatureError(error)) {
       return new AmplifyUserError(
         'RequestSignatureError',
@@ -290,6 +301,10 @@ const isCredentialsError = (err?: Error): boolean => {
   );
 };
 
+const isPermissionsError = (err?: Error): boolean => {
+  return !!err && ['AccessDeniedException', 'AccessDenied'].includes(err.name);
+};
+
 const isRequestSignatureError = (err?: Error): boolean => {
   return (
     !!err &&