"...is not autho rized to perform: amplify:UpdateBranch on resource..."

[myyrakle]

cdk deploy CustomAmplifyDistributionStack

I tried creating a cloudfront resource in the existing amplify resource using the above command.

condition

1. I tried from cloudshell in an account with administrator privileges.
2. Region of amplify = ap-northeast-2, region of cloudshell = ap-northeast-2

However, the following error occurs.

9:43:26 AM | CREATE_FAILED        | Custom::AWS                         | rAmplifyAppBranchUpdate54EFE0C4
Received response status [FAILED] from custom resource. Message returned: User: arn:aws:sts::...:assumed-role/CustomAmpli
fyDistribution-AWS679f53fac002430cb0da5b-.../CustomAmplifyDistribution-AWS679f53fac002430cb0da5-... is not autho
rized to perform: amplify:UpdateBranch on resource: arn:aws:amplify:ap-northeast-2:...:apps/d3860rfifxkhz/branches/deploy
/dev (RequestId: b30cb0d7-0df4-4ffb-a35a-e01683fc9f43)

I'm not sure what caused the error. How can I solve this?

[myyrakle]

I found the cause.
When the branch name is something like "deploy/dev", an error occurs because of the slash.

This is the code in question:

        app_branch_update = custom.AwsCustomResource(
            self,
            "rAmplifyAppBranchUpdate",
            policy=custom.AwsCustomResourcePolicy.from_sdk_calls(
                resources=[
                    f"arn:aws:amplify:{Aws.REGION}:{Aws.ACCOUNT_ID}:apps/{app_id}/branches/{quote(branch_name, safe='')}",
                ]
            ),

Modification as below will solve the problem.

        app_branch_update = custom.AwsCustomResource(
            self,
            "rAmplifyAppBranchUpdate",
            policy=custom.AwsCustomResourcePolicy.from_sdk_calls(
                resources=[
                    f"arn:aws:amplify:{Aws.REGION}:{Aws.ACCOUNT_ID}:apps/{app_id}/branches/{branch_name}",
                ]
            ),