Adding a service role to an Amplify app
Amplify requires permissions to deploy backend resources with your front end. You use a service role to accomplish this. A service role is the AWS Identity and Access Management (IAM) role that Amplify assumes when calling other services on your behalf.
In this chapter, you will learn how to create an Amplify service role that has account administrative permissions and explicitly allows direct access to the resources that Amplify applications require to deploy, create, and manage backends.
Creating a service role
To create a service role

- Open the IAM console and choose Roles from the left navigation bar, then choose Create role.
- On the Select trusted entity page, choose AWS service. For Use case, select Amplify, then choose Next.
- On the Add permissions page, choose Next.
- On the Name, view, and create page, for Role name enter a meaningful name, such as AmplifyConsoleServiceRole-AmplifyRole.
- Accept all the defaults and choose Create role.
- Return to the Amplify console to attach the role to your app.
  - If you are in the process of deploying a new app, do the following:
    - Refresh the list of service roles.
    - Select the role you just created. For this example, it should look like AmplifyConsoleServiceRole-AmplifyRole.
    - Choose Next and follow the steps to complete your app deployment.
  - If you have an existing app, do the following:
    - In the navigation pane, choose App settings, then General settings.
    - On the General settings page, choose Edit.
    - On the Edit general settings page, select the role you just created from the Service role list.
    - Choose Save.
The Amplify console now has permissions to deploy backend resources for your app.
Editing a role's trust policy to prevent confused deputy
The confused deputy problem is a security issue where an entity that doesn't have permission to perform an action can coerce a more-privileged entity to perform the action. For more information, see Cross-service confused deputy prevention.
Currently, the default trust policy for the Amplify-Backend Deployment service role enforces the aws:SourceArn and aws:SourceAccount global context condition keys to protect against confused deputy. However, if you previously created an Amplify-Backend Deployment role in your account, you can update the role's trust policy to add these conditions to protect against confused deputy.
Use the following example to restrict access to apps in your account. Replace the Region and application ID in the example with your own information.
    "Condition": {
        "ArnLike": {
            "aws:SourceArn": "arn:aws:amplify:us-east-1:123456789012:apps/*"
        },
        "StringEquals": {
            "aws:SourceAccount": "123456789012"
        }
    }
For instructions on editing the trust policy for a role using the AWS Management Console, see Modifying a role (console) in the IAM User Guide.
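The following added example (not code from the AWS documentation) shows a legacy trust policy beside one scoped with both condition keys, and a small audit function that flags any statement letting amplify.amazonaws.com assume the role without aws:SourceAccount and aws:SourceArn pinned to your account. It assumes the policy is the parsed AssumeRolePolicyDocument returned by `aws iam get-role`; the account ID and Region are constructed sample values.

```python
"""Audit an Amplify service role trust policy for confused-deputy scoping.

Added example, not code from the AWS documentation. Assumes the policy is
the AssumeRolePolicyDocument as returned by `aws iam get-role` (parsed JSON).
"""
ACCOUNT_ID = "123456789012"  # constructed sample values
REGION = "us-east-1"
AMPLIFY = "amplify.amazonaws.com"

# Legacy trust policy: any Amplify app, in any account, may assume the role.
LEGACY_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": AMPLIFY},
                   "Action": "sts:AssumeRole"}],
}

# Hardened trust policy: both condition keys pin the caller to this account's apps.
SCOPED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": AMPLIFY},
                   "Action": "sts:AssumeRole",
                   "Condition": {
                       "ArnLike": {"aws:SourceArn": f"arn:aws:amplify:{REGION}:{ACCOUNT_ID}:apps/*"},
                       "StringEquals": {"aws:SourceAccount": ACCOUNT_ID}}}],
}


def _as_list(value):
    """IAM lets most fields be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def unscoped_amplify_statements(policy: dict, account_id: str) -> list[str]:
    """Return one finding per Allow statement that lets Amplify assume the role
    without both aws:SourceAccount and aws:SourceArn pinned to account_id.
    An empty list means every Amplify statement is scoped."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or AMPLIFY not in services:
            continue
        cond = stmt.get("Condition", {})
        src_account = _as_list(cond.get("StringEquals", {}).get("aws:SourceAccount", []))
        src_arns = _as_list(cond.get("ArnLike", {}).get("aws:SourceArn", []))
        if src_account != [account_id]:
            findings.append(f"statement {i}: aws:SourceAccount is not pinned to {account_id}")
        # A wildcard in the account field of the ARN would still admit other accounts' apps.
        if not src_arns or any(f":{account_id}:apps/" not in arn for arn in src_arns):
            findings.append(f"statement {i}: aws:SourceArn does not restrict to apps in {account_id}")
    return findings
```

Run the check against every role whose trust policy names amplify.amazonaws.com; any finding identifies a role that should be updated as described above.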