Until recently, when you first created an AWS Mobile Hub project, you were asked to approve the addition of an IAM role, AWSMobileHub_ServiceUseOnly, to your account. Mobile Hub used this role to act on the user's behalf, and the role carried extensive permissions to create, modify and delete resources. A user who wanted to use Mobile Hub therefore needed access only to Mobile Hub itself, which was granted by attaching the AWSMobileHub_FullAccess policy to a user, group or role. But this approach left account administrators unable to manage finer-grained permissions for their users: they either granted permission to use Mobile Hub (and, by proxy, the extended permissions of the Mobile Hub service role) or denied access to Mobile Hub altogether. There was nothing in between.
Recent changes to the authorization policy within AWS Mobile Hub change this, allowing more granular permissions for each user. Now every user needs permissions for the changes they make, regardless of whether those changes are proxied through Mobile Hub. If a user does not have the correct permissions, you receive an error message that resembles the following:
If you are the owner of the account, you probably already have the right permissions, because you have most likely attached the AdministratorAccess policy to yourself, or you sign in with the AWS account's own login credentials. However, if you have created a user with more limited permissions for regular administrative actions, you must add this policy to that user. In particular, if you have created a user for the AWS Mobile command-line interface (CLI), you must update the AWSMobileCLI user with the new policy:
- Open the AWS IAM console.
- Select Users from the menu on the left.
- Select the relevant user (for example AWSMobileCLI).
- Select Add permissions.
- Choose Add existing policy directly.
- Type AdministratorAccess in the search box, and then press Enter.
- Select the checkbox next to the policy and then select Next: Review.
- Select Add permissions.
If you do not own the account and only have access as a user with limited permissions, you may need to request more permissions. Understandably, the administrator of your AWS account may be hesitant to give you administrator access. There is, however, a solution: the administrator can use AWS Organizations to create a sub-account for you. This gives the owner a fully isolated set of AWS resources, and it gives you the correct permissions (that is, AdministratorAccess) within that account to use those resources as you see fit.
You must ensure that the account can manage the right types of resources. At a minimum, you need access to the following services:
- AWS Mobile Hub
- AWS CloudFormation
- Amazon CloudWatch
- Amazon S3
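The console steps above attach a managed policy to the AWSMobileCLI user, and the list just given names the minimum set of services that user must be able to reach. The following Python block is an added example, not code from the original post or from AWS. It does the same policy attachment programmatically through a boto3-style IAM client (passed in, so a stub client can exercise it offline), and it builds a scoped policy document from the service list as a least-privilege alternative to AdministratorAccess, with a small local matcher to confirm which actions that document would and would not permit. The service prefixes (mobilehub, cloudformation, cloudwatch, s3) and the StubIamClient are assumptions constructed for this example; the real feature panels need additional services, which the caller adds per feature.

```python
import fnmatch
import json

# Service prefixes corresponding to the post's minimum set. Constructed for
# this example from the list above; Mobile Hub feature panels need more
# (for example apigateway, lambda, cognito-idp), so callers extend the list.
MINIMUM_SERVICES = ["mobilehub", "cloudformation", "cloudwatch", "s3"]

# AWS-managed AdministratorAccess policy, the one attached in the console steps.
ADMINISTRATOR_ACCESS_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def build_policy(services, extra_services=()):
    """Return an IAM policy document allowing every action in the given services.

    This is the scoped alternative to AdministratorAccess: the user can act on
    the listed services and nothing else."""
    actions = sorted(f"{svc}:*" for svc in (*services, *extra_services))
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}],
    }


def is_allowed(policy, action):
    """Simplified local check: an explicit Deny wins, otherwise any matching
    Allow grants the action. Handles wildcard Action patterns with Resource "*"
    only; it is a sanity check, not a replacement for the IAM policy simulator."""
    decision = False
    for stmt in policy["Statement"]:
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        # IAM action names are matched case-insensitively.
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


def attach_policy(iam_client, user_name, policy_arn=ADMINISTRATOR_ACCESS_ARN):
    """Attach a managed policy to a user (same effect as the console steps) and
    return the ARNs now attached, so the caller can verify the result.

    iam_client is a boto3 IAM client (boto3.client("iam")); it is passed in so
    the function can be exercised offline with the stub below."""
    iam_client.attach_user_policy(UserName=user_name, PolicyArn=policy_arn)
    attached = iam_client.list_attached_user_policies(UserName=user_name)
    return [p["PolicyArn"] for p in attached["AttachedPolicies"]]


class StubIamClient:
    """Constructed stand-in for boto3's IAM client, for running this example
    without AWS credentials. Records attachments per user in memory."""

    def __init__(self):
        self.attached = {}

    def attach_user_policy(self, UserName, PolicyArn):
        self.attached.setdefault(UserName, []).append(PolicyArn)
        return {}

    def list_attached_user_policies(self, UserName):
        return {"AttachedPolicies": [{"PolicyArn": arn} for arn in self.attached.get(UserName, [])]}


if __name__ == "__main__":
    # Attach the policy the post recommends to the CLI user (stub client here).
    print(attach_policy(StubIamClient(), "AWSMobileCLI"))
    # Show what the scoped alternative would permit.
    scoped = build_policy(MINIMUM_SERVICES)
    print(json.dumps(scoped, indent=2))
    for action in ("cloudformation:CreateStack", "lambda:CreateFunction"):
        print(action, "allowed" if is_allowed(scoped, action) else "denied")
```

To run against a real account, replace StubIamClient() with boto3.client("iam") and, if you choose the scoped document instead of AdministratorAccess, create it with create_policy and attach the returned ARN; the error message the post describes is what you see when an action such as lambda:CreateFunction falls outside the attached policies.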
Each feature panel within Mobile Hub also requires access to its underlying services. For example, Cloud Logic requires access to API Gateway and Lambda, while user sign-in requires access to Amazon Cognito.
This authorization change returns Mobile Hub permission management to the account administrator and makes clear which permissions stand behind the service role. With this one-time change, you can continue to benefit from building mobile backends with Mobile Hub, now with clearer permission boundaries.