AWS Amplifyのinitでs3:SetBucketEncryption Access Deniedエラー

結論

AWS Amplifyを試してみようと思い、セットアップを行っていたところエラーが発生。

ポリシーでs3:PutEncryptionConfigurationを追加してあげればOK

エラー発生まで

Amplify CLIのインストール

npm install -g @aws-amplify/cli

Amplify 初期化

amplify configure

# アカウントのログイン
Sign in to your AWS administrator account:
Press Enter to continue

# リージョンの選択(ap-northeast-1を選択)
Specify the AWS Region
? region:  ap-northeast-1

# IAM ユーザの作成(名前はデフォルトのまま)
Specify the username of the new IAM user:
? user name:  amplify-5lBeT

# コンソールの操作
# ポリシーをAdministratorAccessからAdministratorAccess-Amplifyに変更(セキュリティ面を考慮)
# 他はデフォルトのままIAMユーザを作成

# ターミナルに戻り
# 作成したIAMのAccessKeyとSecretAccessKeyを入力
Enter the access key of the newly created user:
? accessKeyId:  ********************
? secretAccessKey:  ****************************************

# プロファイル名の指定(任意 credentialsに書き込まれる)
This would update/create the AWS Profile in your local machine
? Profile Name:  amplify-sample

amplify init
# プロジェクト名の指定
Note: It is recommended to run this command from the root of your app directory
? Enter a name for the project amplifyproject

The following configuration will be applied:

Project information
| Name: awsamplifysample
| Default editor: Visual Studio Code
| App type: javascript
| Javascript framework: none
| Source Directory Path: src
| Distribution Directory Path: dist
| Build Command: npm.cmd run-script build
| Start Command: npm.cmd run-script start

# デフォルトのまま
? Initialize the project with the above configuration? Yes
Using default provider  awscloudformation

# 作成したIAMのprofileがcredentialsに作成されているのでprofileを指定
Using default provider  awscloudformation
? Select the authentication method you want to use: AWS profile
For more information on AWS Profiles, see:
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html

# amplify configureで作成したprofile名を指定
? Please choose the profile you want to use amplify-sample
Adding backend environment dev to AWS Amplify Console app: dbnvauyxfn0p0
/ Initializing project in the cloud...

# cloudformationによるセットアップ

CREATE_IN_PROGRESS amplify-amplifyproject-dev-12345 AWS::CloudFormation::Stack Mon May 24 2021 02:31:53 GMT-0900 (GMT-09:00) User Initiated
CREATE_IN_PROGRESS UnauthRole                         AWS::IAM::Role             Mon May 24 2021 02:31:57 GMT-0900 (GMT-09:00)
CREATE_IN_PROGRESS AuthRole                           AWS::IAM::Role             Mon May 24 2021 02:31:58 GMT-0900 (GMT-09:00)
CREATE_IN_PROGRESS DeploymentBucket                   AWS::S3::Bucket            Mon May 24 2021 02:31:58 GMT-0900 (GMT-09:00)
CREATE_IN_PROGRESS UnauthRole                         AWS::IAM::Role             Mon May 24 2021 02:31:58 GMT-0900 (GMT-09:00) Resource creation Initiated
/ Initializing project in the cloud...

CREATE_IN_PROGRESS   AuthRole                           AWS::IAM::Role             Mon May 24 2021 02:31:59 GMT-0900 (GMT-09:00) Resource creation Initiated

CREATE_IN_PROGRESS   DeploymentBucket                   AWS::S3::Bucket            Mon May 24 2021 02:31:59 GMT-0900 (GMT-09:00) Resource creation Initiated

CREATE_FAILED        DeploymentBucket                   AWS::S3::Bucket            Mon May 24 2021 02:32:00 GMT-0900 (GMT-09:00) API: s3:SetBucketEncryption Access Denied

CREATE_FAILED        AuthRole                           AWS::IAM::Role             Mon May 24 2021 02:32:01 GMT-0900 (GMT-09:00) Resource creation cancelled

CREATE_FAILED        UnauthRole                         AWS::IAM::Role             Mon May 24 2021 02:32:01 GMT-0900 (GMT-09:00) Resource creation cancelled

ROLLBACK_IN_PROGRESS amplify-amplifyproject-dev-12345 AWS::CloudFormation::Stack Mon May 24 2021 02:32:02 GMT-0900 (GMT-09:00) The following resource(s) failed to create: [AuthRole, DeploymentBucket, UnauthRole]. Rollback requested by user.
| Initializing project in the cloud...

DELETE_IN_PROGRESS AuthRole         AWS::IAM::Role  Mon May 24 2021 02:32:22 GMT-0900 (GMT-09:00) 
DELETE_IN_PROGRESS UnauthRole       AWS::IAM::Role  Mon May 24 2021 02:32:22 GMT-0900 (GMT-09:00)
DELETE_SKIPPED     DeploymentBucket AWS::S3::Bucket Mon May 24 2021 02:32:22 GMT-0900 (GMT-09:00)
| Initializing project in the cloud...

DELETE_COMPLETE   AuthRole                           AWS::IAM::Role             Mon May 24 2021 02:32:23 GMT-0900 (GMT-09:00) 
DELETE_COMPLETE   UnauthRole                         AWS::IAM::Role             Mon May 24 2021 02:32:24 GMT-0900 (GMT-09:00) 
ROLLBACK_COMPLETE amplify-amplifyproject-dev-12345 AWS::CloudFormation::Stack Mon May 24 2021 02:32:25 GMT-0900 (GMT-09:00)
/ Initializing project in the cloud...
An error occurred when creating the CloudFormation stack
/ Initializing project in the cloud...

Following resources failed

対処

結果から察するに、s3:SetBucketEncryption Access Deniedエラーが発生しロールバックした雰囲気 AdministratorAccess-Amplify権限つけているのに、initも出来ないのかい! と思いつつも、権限エラーぽいので、 気を取り直しポリシー増やす。 が、SetBucketEncryptionという権限がない。

それっぽいような、s3:PutEncryptionConfiguration 権限を追加し再度init実行で無事正常終了となりました。