"Unable to assume specified IAM Role" after setting NextJS app up with CDK

[mattias-sanfridsson]

Environment information

> npm error could not determine executable to run.

Node: V22.12.0
NPM: 10.9.0
CDK: 2.174.1 (build f353fc7)
Region: eu-north-1 (have also tried us-east-1 with same result)

Describe the bug

I've been able to use CDK to set up my stack and app in Amplify. This created an IAM Role. The Trust relationships of the role looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "amplify.eu-north-1.amazonaws.com",
                    "amplify.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

The role has the following permission policies added for testing purposes:

• AdministratorAccess
• AdministratorAccess-Amplify

My CDK setup looks like this:

const amplifyApp = new amplify.App(this, 'MyAmplifyApp', {
  appName: 'my-nextjs-app',
  sourceCodeProvider: new amplify.GitHubSourceCodeProvider({
    owner: 'my-org',
    repository: 'nextjs-amplify-test',
    oauthToken: cdk.SecretValue.secretsManager('github-token', {jsonField: 'github-token'}),
  }),
  buildSpec: BuildSpec.fromObject({
    version: '1.0',
    frontend: {
      phases: {
        preBuild: {
          commands: ['npm ci'],
        },
        build: {
          commands: ['npm run build'],
        },
      },
      artifacts: {
        baseDirectory: '.next',
        files: ['**/*'],
      },
      cache: {
        paths: ['node_modules/**/*'],
      },
    },
  }),
});

// Add the main branch to the Amplify app
amplifyApp.addBranch('main');

When I push my code a deployment starts, but it fails on the provisioning step with the following error:

[ERROR]: !!! Unable to assume specified IAM Role. Please ensure the selected IAM Role has sufficient permissions and the Trust Relationship is configured correctly.
[INFO]: # Starting environment caching...
[INFO]: # Environment caching completed

Would be extremely thankful for any help. I've read through previous related issues but was unable to resolve this.

Reproduction steps

1. Create a basic NextJS app
2. Initiate CDK in the app with the TS stack provided above
3. Run cdk synth, cdk bootstrap and cdk deploy
4. Push a change to main
5. The deployment should fail

[Jay2113]

Hi @mattias-persson 👋 , thanks for reaching out to us. To deploy Amplify Gen 2 apps with branch-based deployments, you will need to use the AmplifyBackendDeployFullAccess managed policy to deploy backend resources during a fullstack deployment. The service role should also have the following trust relationship policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "amplify.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Documentation: https://docs.amplify.aws/react/reference/iam-policy/

[Jay2113]

Closing the thread as we have shared the necessary IAM managed policy guidance for deploying Gen 2 backend resources.

[viller]

Leaving this here because the solution took me a while to find.

My Amplify build/deployments were failing with the error message "Unable to assume specified IAM Role". The issue was the AWS Amplify Github App lost access to my Amplify Project's GitHub Repository.

Fix: In your GitHub Org, go to Settings > GitHub Apps > AWS Amplify and choose Configure. Review the settings in the section Repository Access. In my case, I had to re-add the repository.