
`amplify init` says 🛑 Forbidden with no explanation

Open dacarson opened this issue 2 years ago • 9 comments

How did you install the Amplify CLI?

npm

If applicable, what version of Node.js are you using?

v20.0.0

Amplify CLI Version

12.7.0

What operating system are you using?

Mac Sonoma 14.1 Beta

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

No manual changes made

Describe the bug

Following the online steps, I installed and set up the Amplify CLI.

Now when running amplify init I get a Forbidden error, though no information about what is wrong.

dacarson$ amplify init
? Enter a name for the project LynnCommunity
The following configuration will be applied:

Project information
| Name: LynnCommunity
| Environment: dev
| Default editor: Visual Studio Code
| App type: ios

? Initialize the project with the above configuration? No
? Enter a name for the environment dev
? Choose your default editor: Xcode (macOS only)
✔ Choose the type of app that you're building · ios
Using default provider  awscloudformation
? Select the authentication method you want to use: AWS profile

For more information on AWS Profiles, see:
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html

? Please choose the profile you want to use default
🛑 Forbidden

Learn more at: https://docs.amplify.aws/cli/project/troubleshooting/

Session Identifier: 3651cf63-e2df-43bd-b280-a5a00233c602
dacarson$ 

Expected behavior

No error and I can go onto step (4) of the guide: https://docs.amplify.aws/lib/project-setup/create-application/q/platform/ios/#2-install-amplify-libraries

Reproduction steps

Follow instructions for project setup for a mac/xCode/Swift as documented here: https://docs.amplify.aws/lib/project-setup/prereq/q/platform/ios/

Project Identifier

dacarson$ amplify diagnose --send-report

Learn more at https://docs.amplify.aws/cli/reference/diagnose/
⠋ Creating Zip
No Amplify backend project files detected within this folder.
✖ Creating Zip
dacarson$

Log output

2023-10-17T23:26:48.094Z|error : amplify-provider-awscloudformation.amplify-service-permission-check.checkAmplifyServiceIAMPermission.amplifyClient.listApps([])
InvalidSignatureException: Forbidden
2023-10-17T23:26:48.096Z|info : amplify-provider-awscloudformation.amplify-service-manager.init.amplifyClient.createApp([{"name":"[***]munity","environmentVariables":{"_LIVE_PACKAGE_UPDATES":"[{\"pkg\":\"@aws-amplify/cli\",\"type\":\"npm\",\"version\":\"latest\"}]"}}])
2023-10-17T23:26:48.367Z|error : Forbidden
ProjectInitFault: Forbidden
2023-10-17T23:31:00.827Z|info : amplify init core  
2023-10-17T23:31:00.879Z|info : @aws-amplify/amplify-cli-core.banner-message/index.ts.fetch banner messages from https://aws-amplify.github.io/amplify-cli/banner-message.json({}
2023-10-17T23:31:26.461Z|info : amplify-provider-awscloudformation.system-config-manager.getProfileConfig(["default"])
2023-10-17T23:31:26.466Z|info : amplify-provider-awscloudformation.system-config-manager.getProfiledAwsConfig.profileConfig([{"region":"us-east-1"}])
2023-10-17T23:31:26.467Z|info : amplify-provider-awscloudformation.system-config-manager.getProfileCredentials(["default"])
2023-10-17T23:31:26.480Z|info : amplify-provider-awscloudformation.amplify-service-permission-check.checkAmplifyServiceIAMPermission.amplifyClient.listApps([])
2023-10-17T23:31:26.783Z|error : amplify-provider-awscloudformation.amplify-service-permission-check.checkAmplifyServiceIAMPermission.amplifyClient.listApps([])
InvalidSignatureException: Forbidden
2023-10-17T23:31:26.785Z|info : amplify-provider-awscloudformation.amplify-service-manager.init.amplifyClient.createApp([{"name":"[***]munity","environmentVariables":{"_LIVE_PACKAGE_UPDATES":"[{\"pkg\":\"@aws-amplify/cli\",\"type\":\"npm\",\"version\":\"latest\"}]"}}])
2023-10-17T23:31:27.091Z|error : Forbidden
ProjectInitFault: Forbidden
2023-10-17T23:35:02.922Z|info : amplify version core  {"version":true,"yes":false}
2023-10-17T23:36:06.020Z|info : amplify init core  
2023-10-17T23:36:06.074Z|info : @aws-amplify/amplify-cli-core.banner-message/index.ts.fetch banner messages from https://aws-amplify.github.io/amplify-cli/banner-message.json({}
2023-10-17T23:36:18.960Z|info : amplify init core  
2023-10-17T23:36:19.010Z|info : @aws-amplify/amplify-cli-core.banner-message/index.ts.fetch banner messages from https://aws-amplify.github.io/amplify-cli/banner-message.json({}
2023-10-17T23:36:47.537Z|info : amplify-provider-awscloudformation.system-config-manager.getProfileConfig(["default"])
2023-10-17T23:36:47.540Z|info : amplify-provider-awscloudformation.system-config-manager.getProfiledAwsConfig.profileConfig([{"region":"us-east-1"}])
2023-10-17T23:36:47.540Z|info : amplify-provider-awscloudformation.system-config-manager.getProfileCredentials(["default"])
2023-10-17T23:36:47.551Z|info : amplify-provider-awscloudformation.amplify-service-permission-check.checkAmplifyServiceIAMPermission.amplifyClient.listApps([])
2023-10-17T23:36:47.702Z|error : amplify-provider-awscloudformation.amplify-service-permission-check.checkAmplifyServiceIAMPermission.amplifyClient.listApps([])
InvalidSignatureException: Forbidden
2023-10-17T23:36:47.703Z|info : amplify-provider-awscloudformation.amplify-service-manager.init.amplifyClient.createApp([{"name":"[***]munity","environmentVariables":{"_LIVE_PACKAGE_UPDATES":"[{\"pkg\":\"@aws-amplify/cli\",\"type\":\"npm\",\"version\":\"latest\"}]"}}])
2023-10-17T23:36:47.913Z|error : Forbidden
ProjectInitFault: Forbidden
2023-10-17T23:38:16.066Z|info : amplify version core  
2023-10-17T23:44:29.725Z|info : amplify diagnose core  {"send-report":true,"yes":false}
2023-10-17T23:44:29.772Z|info : @aws-amplify/amplify-cli-core.banner-message/index.ts.fetch banner messages from https://aws-amplify.github.io/amplify-cli/banner-message.json({}


Additional information

First time going through this.

Before submitting, please confirm:

  • [X] I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
  • [X] I have removed any sensitive information from my code snippets and submission.

dacarson avatar Oct 17 '23 23:10 dacarson

Hey @dacarson :wave: thanks for raising this! As we begin to look at this in more depth I have a few follow-up questions/confirmations:

  • is the default user set up with the AdministratorAccess-Amplify managed policy?
  • if you run the same command with --debug does it print a stack trace with more details?

josefaidt avatar Oct 18 '23 00:10 josefaidt

Hey @dacarson 👋 thanks for raising this! As we begin to look at this in more depth I have a few follow-up questions/confirmations:

  • is the default user set up with the AdministratorAccess-Amplify managed policy?

Yes. I used what was shown in the 'Retrieve access keys' section of: https://docs.amplify.aws/cli/start/install/#configure-the-amplify-cli

  • if you run the same command with --debug does it print a stack trace with more details?
? Please choose the profile you want to use default
🛑 Forbidden

Learn more at: https://docs.amplify.aws/cli/project/troubleshooting/

ProjectInitFault: Forbidden
    at init (/snapshot/amplify-cli/build/node_modules/@aws-amplify/amplify-provider-awscloudformation/lib/amplify-service-manager.js:163:13)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Object.run (/snapshot/amplify-cli/build/node_modules/@aws-amplify/amplify-provider-awscloudformation/lib/initializer.js:96:9)

Forbidden
InvalidSignatureException: Forbidden
    at Object.extractError (/snapshot/amplify-cli/build/node_modules/aws-sdk/lib/protocol/json.js:80:27)
    at Request.extractError (/snapshot/amplify-cli/build/node_modules/aws-sdk/lib/protocol/rest_json.js:61:8)
    at Request.callListeners (/snapshot/amplify-cli/build/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/snapshot/amplify-cli/build/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/snapshot/amplify-cli/build/node_modules/aws-sdk/lib/request.js:686:14)
    at Request.transition (/snapshot/amplify-cli/build/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/snapshot/amplify-cli/build/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /snapshot/amplify-cli/build/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/snapshot/amplify-cli/build/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/snapshot/amplify-cli/build/node_modules/aws-sdk/lib/request.js:688:12)
    at Request.callListeners (/snapshot/amplify-cli/build/node_modules/aws-sdk/lib/sequential_executor.js:116:18)
    at Request.emit (/snapshot/amplify-cli/build/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/snapshot/amplify-cli/build/node_modules/aws-sdk/lib/request.js:686:14)
    at Request.transition (/snapshot/amplify-cli/build/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/snapshot/amplify-cli/build/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /snapshot/amplify-cli/build/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/snapshot/amplify-cli/build/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/snapshot/amplify-cli/build/node_modules/aws-sdk/lib/request.js:688:12)
    at Request.callListeners (/snapshot/amplify-cli/build/node_modules/aws-sdk/lib/sequential_executor.js:116:18)
    at callNextListener (/snapshot/amplify-cli/build/node_modules/aws-sdk/lib/sequential_executor.js:96:12)
    at IncomingMessage.onEnd (/snapshot/amplify-cli/build/node_modules/aws-sdk/lib/event_listeners.js:417:13)
    at IncomingMessage.emit (node:events:525:35)
    at IncomingMessage.emit (node:domain:489:12)
    at endReadableNT (node:internal/streams/readable:1359:12)
    at process.processTicksAndRejections (node:internal/process/task_queues:82:21)

dacarson avatar Oct 18 '23 01:10 dacarson

Is there any other way to build the json files? I am blocked on application development right now.

dacarson avatar Oct 18 '23 16:10 dacarson

FWIW, I tried amplify configure again, and this time didn't use the default name for the profile. This time I set it as aws-profile. I then tried amplify init again. It listed both profile and aws-profile, I selected the latter. But it still gave me the same error with the same backtrace as above.

dacarson avatar Oct 18 '23 16:10 dacarson

I found the issue. The secretAccessKey had a ~ at the beginning and at the end, e.g. ~ierfgweiopgfjr;iogjq;riogj~ when the key was actually ierfgweiopgfjr;iogjq;riogj. The tilde only appeared when pasting into the script in the console. If I paste to Notes, TextEdit or another terminal, I don't get the tilde prefix and suffix. I found it by looking through the hidden files under .aws and comparing the access key Id and the secret Access Key to what I pasted into other windows. It would be helpful if the error message was useful, rather than just being told 'Forbidden'.

dacarson avatar Oct 18 '23 17:10 dacarson
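A check for the failure found above, as an added example that is not part of the thread or of the Amplify CLI: it scans a shared credentials file for stray characters or wrong lengths in stored keys without printing any key material. It assumes the file is `~/.aws/credentials` and the commonly observed key formats (20-character access key ID, 40-character secret from the base64 alphabet); the sample keys are constructed placeholders.

```python
import configparser
import string
from pathlib import Path

# Assumed formats (commonly observed for long-term IAM user keys; not from the thread):
# 20-character access key ID, 40-character secret drawn from the base64 alphabet.
CHECKS = (
    ("aws_access_key_id", set(string.ascii_uppercase + string.digits), 20),
    ("aws_secret_access_key", set(string.ascii_letters + string.digits + "/+"), 40),
)

def audit_credentials(text):
    """Return {profile: [problem, ...]} for the body of a shared credentials file.

    Only stray characters and lengths are reported; key material is never echoed.
    """
    parser = configparser.RawConfigParser()
    parser.read_string(text)
    report = {}
    for profile in parser.sections():
        problems = []
        for option, allowed, length in CHECKS:
            value = parser.get(profile, option, fallback=None)
            if value is None:
                problems.append(f"{option}: missing")
                continue
            stray = sorted({ch for ch in value if ch not in allowed})
            if stray:
                problems.append(f"{option}: unexpected character(s) {stray!r}")
            if len(value) != length:
                problems.append(f"{option}: length {len(value)}, expected {length}")
        if problems:
            report[profile] = problems
    return report

# Constructed sample: placeholder keys, with "~" wrapped around one secret as in the thread.
FAKE_ID = "AKIA" + "EXAMPLE0" * 2
FAKE_SECRET = "EXAMPLEKEY" * 4
SAMPLE = (
    f"[default]\naws_access_key_id = {FAKE_ID}\naws_secret_access_key = ~{FAKE_SECRET}~\n"
    f"[aws-profile]\naws_access_key_id = {FAKE_ID}\naws_secret_access_key = {FAKE_SECRET}\n"
)

if __name__ == "__main__":
    path = Path.home() / ".aws" / "credentials"
    text = path.read_text() if path.exists() else SAMPLE
    for profile, problems in audit_credentials(text).items():
        for problem in problems:
            print(f"[{profile}] {problem}")
```

Profiles that hold no static keys (for example role or SSO profiles) are reported as missing keys, which is expected for them.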

Hey @dacarson glad to hear you've found the cause for this and are back up and running! And to your note I agree this error message can be improved. I'll mark this as a feature request to improve the messaging

josefaidt avatar Oct 18 '23 22:10 josefaidt

Moving to bug to improve error messaging.

ykethan avatar Oct 25 '23 20:10 ykethan

So I am experiencing this issue right now. From what I read, the issue is caused by providing the wrong secret access key for the amplify cli. Also I am not sure if this matters but does being an IAM user have any impact on this?

BigBen3 avatar May 23 '24 21:05 BigBen3

I would like to work on this issue. Could you assign it to me?

tomodahinata avatar May 04 '25 18:05 tomodahinata