handle not authorized to perform on resource error (#2258)

* handle not authorized to perform on resource error

* add resource to resolution

Author: rtpascual

.changeset/slimy-sheep-wonder.md

@@ -0,0 +1,5 @@
+---
+'@aws-amplify/backend-deployer': patch
+---
+
+handle not authorized to perform on resource error

packages/backend-deployer/src/cdk_error_mapper.test.ts

@@ -399,6 +399,13 @@ npm error A complete log of this run can be found in: /home/some-path/.npm/_logs
     errorName: 'InvalidPackageJsonError',
     expectedDownstreamErrorMessage: undefined,
   },
+  {
+    errorMessage: `Error: some-stack failed: ValidationError: User: <escaped ARN> is not authorized to perform: ssm:GetParameters on resource: <escaped ARN> because no identity-based policy allows the ssm:GetParameters action`,
+    expectedTopLevelErrorMessage:
+      'Unable to deploy due to insufficient permissions',
+    errorName: 'AccessDeniedError',
+    expectedDownstreamErrorMessage: undefined,
+  },
 ];
 
 void describe('invokeCDKCommand', { concurrency: 1 }, () => {

packages/backend-deployer/src/cdk_error_mapper.ts

@@ -40,12 +40,18 @@ export class CdkErrorMapper {
         if (matchGroups.groups) {
           for (const [key, value] of Object.entries(matchGroups.groups)) {
             const placeHolder = `{${key}}`;
-            if (matchingError.humanReadableErrorMessage.includes(placeHolder)) {
+            if (
+              matchingError.humanReadableErrorMessage.includes(placeHolder) ||
+              matchingError.resolutionMessage.includes(placeHolder)
+            ) {
               matchingError.humanReadableErrorMessage =
                 matchingError.humanReadableErrorMessage.replace(
                   placeHolder,
                   value
                 );
+
+              matchingError.resolutionMessage =
+                matchingError.resolutionMessage.replace(placeHolder, value);
               // reset the stderr dump in the underlying error
               underlyingError = undefined;
             }
@@ -205,6 +211,16 @@ export class CdkErrorMapper {
       errorName: 'GetLambdaLayerVersionError',
       classification: 'ERROR',
     },
+    {
+      errorRegex:
+        /User:(.*) is not authorized to perform:(.*) on resource:(?<resource>.*) because no identity-based policy allows the (?<action>.*) action/,
+      humanReadableErrorMessage:
+        'Unable to deploy due to insufficient permissions',
+      resolutionMessage:
+        'Ensure you have permissions to call {action} for {resource}',
+      errorName: 'AccessDeniedError',
+      classification: 'ERROR',
+    },
     {
       // Also extracts the first line in the stack where the error happened
       errorRegex: new RegExp(