Skip to content

Commit 854aa25

Browse files
authored
add permissions related error mapping (#2785)
* add permissions related error mapping * remove comment
1 parent 16b3c61 commit 854aa25

File tree

5 files changed

+50
-0
lines changed

5 files changed

+50
-0
lines changed

.changeset/flat-spoons-enjoy.md

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,6 @@
1+
---
2+
'@aws-amplify/backend-deployer': patch
3+
'@aws-amplify/platform-core': patch
4+
---
5+
6+
Add permissions related error mapping

packages/backend-deployer/src/cdk_error_mapper.test.ts

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -336,6 +336,13 @@ npm error A complete log of this run can be found in: /home/some-path/.npm/_logs
336336
errorName: 'AccessDeniedError',
337337
expectedDownstreamErrorMessage: undefined,
338338
},
339+
{
340+
errorMessage: `StackName failed: AccessDenied: User: <escaped ARN> is not authorized to perform: cloudformation:ListExports because no identity-based policy allows the cloudformation:ListExports action`,
341+
expectedTopLevelErrorMessage:
342+
'Unable to deploy due to insufficient permissions',
343+
errorName: 'AccessDeniedError',
344+
expectedDownstreamErrorMessage: undefined,
345+
},
339346
{
340347
// eslint-disable-next-line spellcheck/spell-checker
341348
errorMessage: `[31mamplify-user-sandbox-c71414864a: fail: socket hang up

packages/backend-deployer/src/cdk_error_mapper.ts

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -382,6 +382,16 @@ export class CdkErrorMapper {
382382
errorName: 'AccessDeniedError',
383383
classification: 'ERROR',
384384
},
385+
// Same as above but matches Service errors where resource name is not included in the message
386+
{
387+
errorRegex:
388+
/User:(.*) is not authorized to perform:(.*) because no identity-based policy allows the (?<action>.*) action/,
389+
humanReadableErrorMessage:
390+
'Unable to deploy due to insufficient permissions',
391+
resolutionMessage: 'Ensure you have permissions to call {action}',
392+
errorName: 'AccessDeniedError',
393+
classification: 'ERROR',
394+
},
385395
{
386396
errorRegex:
387397
/User:(.*) is not authorized to perform:(?<action>.*) on resource:(?<resource>.*)/,

packages/platform-core/src/errors/amplify_error.test.ts

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -255,6 +255,18 @@ void describe('AmplifyError.fromError', async () => {
255255
);
256256
});
257257
});
258+
void it('wraps permissions related errors in AmplifyUserError', () => {
259+
const error = new Error('You do not have permissions.');
260+
['AccessDenied', 'AccessDeniedException'].forEach((name) => {
261+
error.name = name;
262+
const actual = AmplifyError.fromError(error);
263+
assert.ok(
264+
AmplifyError.isAmplifyError(actual) &&
265+
actual.name === 'AccessDeniedError',
266+
`Failed the test while wrapping error ${name}`,
267+
);
268+
});
269+
});
258270
void it('wraps request signature related errors in AmplifyUserError', () => {
259271
const error = new Error(
260272
'The request signature we calculated does not match the signature you provided.',

packages/platform-core/src/errors/amplify_error.ts

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -125,6 +125,17 @@ export abstract class AmplifyError<T extends string = string> extends Error {
125125
error,
126126
);
127127
}
128+
if (error instanceof Error && isPermissionsError(error)) {
129+
return new AmplifyUserError(
130+
'AccessDeniedError',
131+
{
132+
message: errorMessage,
133+
resolution:
134+
'Ensure your IAM role has the AmplifyBackendDeployFullAccess policy along with any additional permissions required for this operation.',
135+
},
136+
error,
137+
);
138+
}
128139
if (error instanceof Error && isRequestSignatureError(error)) {
129140
return new AmplifyUserError(
130141
'RequestSignatureError',
@@ -290,6 +301,10 @@ const isCredentialsError = (err?: Error): boolean => {
290301
);
291302
};
292303

304+
const isPermissionsError = (err?: Error): boolean => {
305+
return !!err && ['AccessDeniedException', 'AccessDenied'].includes(err.name);
306+
};
307+
293308
const isRequestSignatureError = (err?: Error): boolean => {
294309
return (
295310
!!err &&

0 commit comments

Comments
 (0)