Issue with Access control in AWS Amplify

[tranthang212]

To Reproduce
Steps to reproduce the behavior:

1. Go to Amplify Console
2. Click on Access control
3. Click button Manage access
4. Disable "Apply a global password - OFF"
5. Save

After performing the above steps, the password is still required to access the website
How to clear it?
I do not use any cache tool.
Does anyone have a problem like me?

[visusnet]

We are experiencing the same issue with branch-specific passwords. We have disabled them in the Amplify Console but users are asked regardlessly.

[visusnet]

@swaminator Is this something you could help with? Our production system is not usable at the moment which is ... a bummer...

Our Amplify App ID: d2026ifwonkk3h

[shiruba]

Just tried it - confirmed. When I add password protection to a branch and remove it after that, the domain still asks for a username/password via htaccess.

[dabit3]

@shiruba @visusnet @tranthang212 Thanks for the info and for reporting this issue. We're looking into it as we speak.

[0luftballoons]

I have the same problems. Existing login branches can't be changed, either by changing username + password or changing to publicly-accessible. New deployment branches are stuck with public access, can't configure for username + password

[swaminator]

@0luftballoons @shiruba @visusnet @tranthang212 we are rolling out a fix shortly. I'll update this thread when it's ready.

[swaminator]

@0luftballoons @shiruba @visusnet @tranthang212 the fix is rolled out. Please try updating the access control settings once more and let me know if it works.

[0luftballoons]

I think it mostly works. Took existing deployed branch (public access), and did the following access changes
public --> login required (ok) --> public (ok) --> login (nope, still public) --> change username, pw (get login, but can't login, maybe user error?) --> change username, pw (ok)

[0luftballoons]

I'd like to see what happens when deploying a new branch and then changing access to require login before the branch deploys, but I'm just about to start a real software release and don't want to cause any problems :)

[tranthang212]

@swaminator It worked. Thanks for the update.

[kieran9176]

Seems like this issue is back and I haven't yet been able to resolve it. @swaminator @dabit3 is this something you could help with?

Steps to recreate

1. create develop and production branches
2. apply global username/password
3. remove global username/password
4. apply develop branch-specific username/password
5. apply production branch-specific username/password
6. remove production branch-specific username/password

This is with a custom domain, production points to the root and develop points to develop.root.com.

The result is as if steps 3-6 had not been completed. The production branch still has a password and it's the global username/password combo that was created in step 2. Removing passwords from both branches doesn't work, neither does a redeploy of the whole app (both branches).

Any tips to get the production branch working in the short term? Or will I need to create a new branch and redirect my custom root domain to that?

[abhi7cr]

Hi @kieran9176,

Thanks for reporting. I will take a look and get back to you.

[BenSaus]

Any progress on this issue or work arounds? I have a site that needs to go into production soon and this could be a problem.

[mansiva]

Hello, we're facing the same issue.

I added access control individually per branch but password wasn't being asked for everyone, maybe due to caching. So I removed access control from all branches but password it still being asked a few hours after the change was made, does anyone know if there's a delay or something? I've tried clearing the local cache and using a different device in incognito but password is still being asked.

[mansiva]

In case anyone else has the issue I was able to resolve by setting a new password for the branches that had issues, waiting a bit (not sure if that's necessary) and then removing the password.

[Espen-Ellevseth]

I also have this problem. I've been trying to remove the Access Control by removing password in the Amplify Console. The password box still appears, however the password will no longer work. I've tried from a clean browser, same result.

Is there a timeline for fixing this problem?

[swaminator]

@Espen-Ellevseth @mansiva @BenSaus we are going to invesitgate this ASAP.

[alanpilloud]

I experienced the same issue today, this solved the issue for me :

1. clic "manage access"
2. restrict again the branch that has the issue
3. clear username and passwords fields
4. set again the branch to be publicly viewable then save

[Espen-Ellevseth]

I also managed to remove the password using @alanpilloud's procedure with the difference that my password was global.

What I did:

1. Turn off the global password
2. Set a branched password and save.
3. Remove the branched password using the procedure (Removing the text in username/password and setting public).

[abhi7cr]

@Espen-Ellevseth @mansiva @BenSaus @alanpilloud , we rolled out a fix recently for the above issue. Could you verify if it works on your end?

[alanpilloud]

@abhi7cr sorry for responding this late. I did not experienced this issue since then. Thanks a lot !

[mawhtin]

Annnnd it's back. Can we address this again? Our production site was to go live tomorrow but our testers are being pass-walled. @abhi7cr @swaminator

I've tried applying the branch specific PW then turning it off. No luck.

[vladimirsm]

@abhi7cr we are having the same issue as @mawhtin.
No luck with reapplying the passwords and removing them.

[abraly]

Any movement here?

[leonardof131]

I'm facing this exact issue on my amplify web app. Is this bug back ?

[brunoksato]

I have same issue today!

[ivadenis]

I experience this issue too!

[alexbahnean]

I have the same issue ..

[dewflowersp]

I have the same issue... facing too much trouble...

[alexbahnean]

I manager to fix The issue some how

I disabled the authentication from console (turn off global password and making sure that I game no password for the branch)

Then I made one new dummy commit
I pushed my code
And then I waited until the build was done on amplify console
Checked the website and the password was not there anymore

somehow this steps helped me bypass the issue

[gagharutyunyan1993]

Rebuild your branch after changing Access control, it will fix the issue.

[czetsuya]

Sadly I caught this bug right after a rebuild.

[ghost]

If you are running into this issue with an SSR Amplify app, please redeploy your application. This is necessary so that Amplify can apply the access control settings. Please refer to step 6 in the documentation: https://docs.aws.amazon.com/amplify/latest/userguide/access-control.html

[github-actions]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.