Permissions changes for AWS Mobile Hub
Until recently, when you created an AWS Mobile Hub project for the first time, you were asked to approve the addition of an IAM role to your account called AWSMobileHub_ServiceUseOnly. Mobile Hub used this role to take actions on the user’s behalf, and it had wide-ranging permissions to create, modify, and delete resources. A user that wanted to use Mobile Hub then only needed permissions to access Mobile Hub itself. Permission was provided by attaching the AWSMobileHub_FullAccess policy to a user, group, or role. But, this approach left account administrators with an inability to control specific permissions for users. They would either grant permission to use Mobile Hub (and, by proxy, the wide-ranging permissions of the service role for Mobile Hub)—or they would deny access to Mobile Hub altogether. There wasn’t anything in between.
Recent changes to the permissions policies within AWS Mobile Hub have changed this setting. This allows for more granular permissions for each user. Now, each user needs permissions for the operations they perform, regardless of whether those operations are being proxied through Mobile Hub. If a user doesn’t have the right permissions, an error message similar to the following appears:
If you own your account, you likely already have the right permissions because you probably granted yourself the AdministratorAccess policy or you’re signed in with the AWS Account credentials. However, if you’ve created a user for normal administrative actions that has more restrictive permissions, then you need to add this policy. In particular, if you created a user for the AWS Mobile command line interface (CLI), then you need to modify the AWSMobileCLI user with the new policy:
- Open the AWS IAM console.
- Choose Users from the left-hand menu.
- Choose the user in question (for example, AWSMobileCLI).
- Choose Add Permissions.
- Choose Attach existing policies directly.
- Type AdministratorAccess in the search box, then press Enter.
- Select the check box next to the policy, then choose Next: Review.
- Choose Add Permissions.
If you don’t own the account and only have access as a user with limited permissions, you might need to ask for more permissions. Obviously, the administrator of your AWS account might be reluctant to give you administrator access. However, there’s a solution. The administrator can use AWS Organizations to create a sub-account for you. This account allows the owning user to have a completely isolated set of AWS resources. It also allows the user to be granted appropriate permissions (that is, AdministratorAccess) to use those resources as they see fit.
You should ensure that the account can manage the appropriate types of resources. As a minimal set, you need access to the following services:
- Mobile Hub
- AWS CloudFormation
- Amazon CloudWatch
- Amazon S3
Each feature panel within Mobile Hub also requires access to underlying services. For example, Cloud Logic requires access to API Gateway and Lambda, while User Sign-in requires access to Amazon Cognito.
With this permissions change, Mobile Hub brings authorization control back to the account administrator and brings clarity about the permissions behind a service role. This one-time change will help you continue to enjoy the benefits of building mobile backends with Mobile Hub with clearer permissions parameters.