This repository has been archived by the owner on Apr 19, 2023. It is now read-only.

Amplify push fails on IAM permissions (yes I have read and followed your Wiki & docs). Please help! #239

Closed
armenr opened this issue Apr 17, 2021 · 4 comments

Comments

@armenr
Contributor

armenr commented Apr 17, 2021

Describe the bug
Amplify push fails when adding amplify video category.

To Reproduce
Steps to reproduce the behavior:

  1. npm i amplify-category-video -g
  2. amplify add video

╰─ amplify add video
? Please select from one of the below mentioned services: Video-On-Demand
? Provide a friendly name for your resource to be used as a label for this category in the project: myvodstreams
? Select a system-provided encoding template, specify an already-created template name:  Default HLS Adaptive Bitrate
? Is this a production enviroment? Yes
? Do you want to protect your content with signed urls? No
? Do you want Amplify to create a new GraphQL API to manage your videos? (Beta) No
✔ All resources built.

  3. amplify push
  4. ERROR

CREATE_FAILED JobTemplate                                                                                         AWS::MediaConvert::JobTemplate Fri Apr 16 2021 17:45:23 GMT-0700 (Pacific Daylight Time) User: arn:aws:sts::<REDACTED_ACCOUNT>:assumed-role/us-west-2_0dnmPmHoR_Full-access/amplifyadmin is not authorized to perform: mediaconvert:DescribeEndpoints on resource: arn:aws:mediaconvert:us-west-2:<REDACTED_ACCOUNT>:endpoints/* (Service: MediaConvert; Status Code: 403; Error Code: AccessDeniedException; Request ID: 01e1568c-da9a-4d21-87e1-b85751c6c358; Proxy: null)
CREATE_FAILED amplify-amplifirestaging-cristina-15905-videomyvodstreams-CD76ST-rMediaConvertTemplate-1LOZXYC78K7K AWS::CloudFormation::Stack     Fri Apr 16 2021 17:45:24 GMT-0700 (Pacific Daylight Time) The following resource(s) failed to create: [JobTemplate].

Expected behavior
Expected behavior would be: "Resources built/deployed successfully"

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

  • OS: OSX 11.2.3 (20D91)
  • Browser: N/A
  • Amplify-CLI version: amplify --version ---> 4.48.0

Additional context

  • Each of these backends has Admin UI enabled on them...don't know if that's relevant or not.

  • Service role configured for the Amplify App: "AmplifyBackendDeployment" -->
    Screen Shot 2021-04-16 at 5 53 15 PM

Here's what's really confusing me:

Following resources failed

Resource Name: JobTemplate (AWS::MediaConvert::JobTemplate)
Event Type: create
Reason: User: arn:aws:sts::<REDACTED_ACCOUNT>:assumed-role/us-west-2_0dnmPmHoR_Full-access/amplifyadmin is not authorized to perform: mediaconvert:DescribeEndpoints on resource: arn:aws:mediaconvert:us-west-2:<REDACTED_ACCOUNT>:endpoints/* (Service: MediaConvert; Status Code: 403; Error Code: AccessDeniedException; Request ID: 01e1568c-da9a-4d21-87e1-b85751c6c358; Proxy: null)

Looks like something, somewhere, is attempting to assume a role that's got insufficient privileges! So, I went into IAM and looked for that role, and found it:

Screen Shot 2021-04-16 at 5 56 39 PM

As you can see, this role does not have sufficient privileges to access secretsmanager OR mediaconvert (as described in the amplify-video repo Wiki page for "IAM").

                "mediaconvert:*",
                "secretsmanager:*",

Problems:

  1. I am kinda new to Amplify, so I have no idea WHAT created this role "0dnmPmHoR_Full-access/amplifyadmin"
  2. I have no clue how to fix this without MANUALLY editing the role and policy. That is to say, I can easily go in and amend the permissions through the IAM console, but that doesn't solve the problem at scale/operationally...that is to say, I couldn't go in and manually make these changes for every single backend or app/environment I create, every single time. What is the correct way to achieve this?

Any help would be much appreciated. Thank you! :)
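
Added example, not part of the original issue or of the amplify-video project: a small Python helper that reads CloudFormation `CREATE_FAILED` reasons like the ones quoted above, extracts which assumed role was denied which action, and drafts a policy scoped to exactly those denials. The function names are hypothetical; the sample reasons are copied from this issue.

```python
import json
import re
from collections import defaultdict

# Shape of the AccessDenied reason reported for an assumed-role caller.
DENIED = re.compile(
    r"User: (?P<principal>arn:aws:sts::(?P<account>[^:]+):assumed-role/"
    r"(?P<role>[^/\s]+)/(?P<session>\S+)) is not authorized to perform: "
    r"(?P<action>[\w-]+:[\w*]+) on resource: (?P<resource>\S+)"
)

# Reasons taken from the two CREATE_FAILED events in the issue above.
REASONS = [
    "User: arn:aws:sts::<REDACTED_ACCOUNT>:assumed-role/us-west-2_0dnmPmHoR_Full-access/amplifyadmin "
    "is not authorized to perform: mediaconvert:DescribeEndpoints on resource: "
    "arn:aws:mediaconvert:us-west-2:<REDACTED_ACCOUNT>:endpoints/* (Service: MediaConvert; "
    "Status Code: 403; Error Code: AccessDeniedException; Proxy: null)",
    "The following resource(s) failed to create: [JobTemplate].",
]

def parse_denials(reasons):
    """Return one dict per distinct (role, action, resource) denial."""
    seen, out = set(), []
    for reason in reasons:
        m = DENIED.search(reason)
        if not m:
            continue  # cascade failures (parent stack) carry no IAM detail
        d = m.groupdict()
        key = (d["role"], d["action"], d["resource"])
        if key not in seen:
            seen.add(key)
            out.append(d)
    return out

def minimal_policies(denials):
    """Group denials into one draft policy document per role name."""
    by_role = defaultdict(lambda: defaultdict(set))
    for d in denials:
        by_role[d["role"]][d["resource"]].add(d["action"])
    return {
        role: {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": sorted(acts), "Resource": res}
                             for res, acts in sorted(resources.items())]}
        for role, resources in by_role.items()
    }

if __name__ == "__main__":
    print(json.dumps(minimal_policies(parse_denials(REASONS)), indent=2))
```

Each failed push reports only the call that was actually denied, so the draft covers that action and not every permission the video category needs; compare it with the `mediaconvert:*` and `secretsmanager:*` entries quoted above before deciding how broadly to grant.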

@armenr
Contributor Author

armenr commented Apr 17, 2021

Update:

If you are using amplify admin UI as your means of authentication, THAT creates this unexpected behavior. That is to say, maybe the docs should reflect the fact that using this plugin/successfully pushing the resources it creates is ONLY achievable when you are using a named AWS profile OR access key/secret key...Amplify Admin UI won't allow it because the admin UI creates that stupid role with the missing permissions, and will throw errors every bloody time.

@wizage
Contributor

wizage commented Apr 17, 2021

Yeah this is a common occurrence. I will try to see what the console team can do to make this process smoother. We have seen this issue crop up before:

#175
#216

Going to keep this ticket open and work with @renebrandel to see what we can do to help users with this!

@wizage
Contributor

wizage commented Apr 17, 2021

Also updated the wiki with this answer for future reference. The answer can be found here:
https://github.com/awslabs/amplify-video/wiki/Troubleshooting

@armenr
Contributor Author

armenr commented Apr 17, 2021

@wizage - YOU, sir, are a scholar and a gentleman. I thank you for the swift response and help :)

I will look into the issues you referenced. This is great stuff to know, and I am most grateful!

@armenr armenr closed this as completed May 3, 2021