
Initial build fails: unable to access CodeCommit repository #20

shanab opened this issue Sep 7, 2021 · 0 comments

shanab commented Sep 7, 2021

I was following the workshop steps, and after I had finished Static Web Hosting > Deploy, I found that the build step of the deployment failed.
On further investigation, I found that the permission policy attached to the Amplify IAM role grants no CodeCommit actions at all, so the build cannot read the repository.

The IAM policy JSON, for reference:
{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Sid": "CLICloudformationPolicy",
          "Effect": "Allow",
          "Action": [
              "cloudformation:CreateChangeSet",
              "cloudformation:CreateStack",
              "cloudformation:DeleteStack",
              "cloudformation:DescribeChangeSet",
              "cloudformation:DescribeStackEvents",
              "cloudformation:DescribeStackResource",
              "cloudformation:DescribeStackResources",
              "cloudformation:DescribeStacks",
              "cloudformation:ExecuteChangeSet",
              "cloudformation:GetTemplate",
              "cloudformation:UpdateStack",
              "cloudformation:ListStackResources"
          ],
          "Resource": [
              "arn:aws:cloudformation:*:*:stack/amplify-*"
          ]
      },
      {
          "Sid": "CLIManageviaCFNPolicy",
          "Effect": "Allow",
          "Action": [
              "iam:ListRoleTags",
              "iam:TagRole",
              "iam:AttachRolePolicy",
              "iam:CreatePolicy",
              "iam:DeletePolicy",
              "iam:DeleteRole",
              "iam:DeleteRolePolicy",
              "iam:DetachRolePolicy",
              "iam:PutRolePolicy",
              "iam:UpdateRole",
              "iam:GetRole",
              "iam:GetPolicy",
              "iam:GetRolePolicy",
              "iam:PassRole",
              "iam:ListPolicyVersions",
              "iam:CreatePolicyVersion",
              "iam:DeletePolicyVersion",
              "iam:CreateRole",
              "iam:ListRolePolicies",
              "iam:PutRolePermissionsBoundary",
              "iam:DeleteRolePermissionsBoundary",
              "appsync:CreateApiKey",
              "appsync:CreateDataSource",
              "appsync:CreateFunction",
              "appsync:CreateResolver",
              "appsync:CreateType",
              "appsync:DeleteApiKey",
              "appsync:DeleteDataSource",
              "appsync:DeleteFunction",
              "appsync:DeleteResolver",
              "appsync:DeleteType",
              "appsync:GetDataSource",
              "appsync:GetFunction",
              "appsync:GetIntrospectionSchema",
              "appsync:GetResolver",
              "appsync:GetSchemaCreationStatus",
              "appsync:GetType",
              "appsync:GraphQL",
              "appsync:ListApiKeys",
              "appsync:ListDataSources",
              "appsync:ListFunctions",
              "appsync:ListGraphqlApis",
              "appsync:ListResolvers",
              "appsync:ListResolversByFunction",
              "appsync:ListTypes",
              "appsync:StartSchemaCreation",
              "appsync:UpdateApiKey",
              "appsync:UpdateDataSource",
              "appsync:UpdateFunction",
              "appsync:UpdateResolver",
              "appsync:UpdateType",
              "appsync:TagResource",
              "appsync:CreateGraphqlApi",
              "appsync:DeleteGraphqlApi",
              "appsync:GetGraphqlApi",
              "appsync:ListTagsForResource",
              "appsync:UpdateGraphqlApi",
              "apigateway:DELETE",
              "apigateway:GET",
              "apigateway:PATCH",
              "apigateway:POST",
              "apigateway:PUT",
              "cognito-idp:CreateUserPool",
              "cognito-identity:CreateIdentityPool",
              "cognito-identity:DeleteIdentityPool",
              "cognito-identity:DescribeIdentity",
              "cognito-identity:DescribeIdentityPool",
              "cognito-identity:SetIdentityPoolRoles",
              "cognito-identity:GetIdentityPoolRoles",
              "cognito-identity:UpdateIdentityPool",
              "cognito-idp:CreateUserPoolClient",
              "cognito-idp:DeleteGroup",
              "cognito-idp:DeleteUserPool",
              "cognito-idp:DeleteUserPoolClient",
              "cognito-idp:DescribeUserPool",
              "cognito-idp:DescribeUserPoolClient",
              "cognito-idp:ListTagsForResource",
              "cognito-idp:ListUserPoolClients",
              "cognito-idp:UpdateUserPoolClient",
              "cognito-idp:CreateGroup",
              "cognito-idp:DeleteGroup",
              "cognito-identity:TagResource",
              "cognito-idp:TagResource",
              "cognito-idp:UpdateUserPool",
              "lambda:AddPermission",
              "lambda:CreateFunction",
              "lambda:DeleteFunction",
              "lambda:GetFunction",
              "lambda:GetFunctionConfiguration",
              "lambda:InvokeAsync",
              "lambda:InvokeFunction",
              "lambda:RemovePermission",
              "lambda:UpdateFunctionCode",
              "lambda:UpdateFunctionConfiguration",
              "lambda:ListTags",
              "lambda:TagResource",
              "lambda:UntagResource",
              "lambda:DeleteFunction",
              "lambda:AddLayerVersionPermission",
              "lambda:CreateEventSourceMapping",
              "lambda:DeleteEventSourceMapping",
              "lambda:DeleteLayerVersion",
              "lambda:GetEventSourceMapping",
              "lambda:GetLayerVersion",
              "lambda:ListEventSourceMappings",
              "lambda:ListLayerVersions",
              "lambda:PublishLayerVersion",
              "lambda:RemoveLayerVersionPermission",
              "dynamodb:CreateTable",
              "dynamodb:DeleteItem",
              "dynamodb:DeleteTable",
              "dynamodb:DescribeContinuousBackups",
              "dynamodb:DescribeTable",
              "dynamodb:DescribeTimeToLive",
              "dynamodb:ListStreams",
              "dynamodb:PutItem",
              "dynamodb:TagResource",
              "dynamodb:ListTagsOfResource",
              "dynamodb:UpdateContinuousBackups",
              "dynamodb:UpdateItem",
              "dynamodb:UpdateTable",
              "dynamodb:UpdateTimeToLive",
              "s3:CreateBucket",
              "s3:ListBucket",
              "s3:PutBucketAcl",
              "s3:PutBucketCORS",
              "s3:PutBucketNotification",
              "s3:PutBucketPolicy",
              "s3:PutBucketWebsite",
              "s3:PutObjectAcl",
              "cloudfront:CreateCloudFrontOriginAccessIdentity",
              "cloudfront:CreateDistribution",
              "cloudfront:DeleteCloudFrontOriginAccessIdentity",
              "cloudfront:DeleteDistribution",
              "cloudfront:GetCloudFrontOriginAccessIdentity",
              "cloudfront:GetCloudFrontOriginAccessIdentityConfig",
              "cloudfront:GetDistribution",
              "cloudfront:GetDistributionConfig",
              "cloudfront:TagResource",
              "cloudfront:UntagResource",
              "cloudfront:UpdateCloudFrontOriginAccessIdentity",
              "cloudfront:UpdateDistribution",
              "events:DeleteRule",
              "events:DescribeRule",
              "events:ListRuleNamesByTarget",
              "events:PutRule",
              "events:PutTargets",
              "events:RemoveTargets",
              "mobiletargeting:GetApp",
              "kinesis:AddTagsToStream",
              "kinesis:CreateStream",
              "kinesis:DeleteStream",
              "kinesis:DescribeStream",
              "kinesis:PutRecords",
              "es:AddTags",
              "es:CreateElasticsearchDomain",
              "es:DeleteElasticsearchDomain",
              "es:DescribeElasticsearchDomain",
              "s3:PutEncryptionConfiguration"
          ],
          "Resource": "*",
          "Condition": {
              "ForAnyValue:StringEquals": {
                  "aws:CalledVia": [
                      "cloudformation.amazonaws.com"
                  ]
              }
          }
      },
      {
          "Sid": "CLISDKCalls",
          "Effect": "Allow",
          "Action": [
              "appsync:GetIntrospectionSchema",
              "appsync:GraphQL",
              "appsync:UpdateApiKey",
              "appsync:ListApiKeys",
              "s3:PutObject",
              "s3:GetObject",
              "s3:ListBucket",
              "s3:ListBucketVersions",
              "s3:DeleteBucket",
              "s3:DeleteBucketPolicy",
              "s3:DeleteBucketWebsite",
              "s3:DeleteObject",
              "s3:DeleteObjectVersion",
              "s3:GetBucketLocation",
              "s3:ListAllMyBuckets",
              "amplify:*",
              "amplifybackend:*",
              "sts:AssumeRole",
              "mobiletargeting:*",
              "cognito-idp:AdminAddUserToGroup",
              "cognito-idp:AdminCreateUser",
              "cognito-idp:CreateGroup",
              "cognito-idp:DeleteGroup",
              "cognito-idp:DeleteUser",
              "cognito-idp:ListUsers",
              "cognito-idp:AdminGetUser",
              "cognito-idp:ListUsersInGroup",
              "cognito-idp:AdminDisableUser",
              "cognito-idp:AdminRemoveUserFromGroup",
              "cognito-idp:AdminResetUserPassword",
              "cognito-idp:AdminListGroupsForUser",
              "cognito-idp:ListGroups",
              "cognito-idp:AdminDeleteUser",
              "cognito-idp:AdminListUserAuthEvents",
              "cognito-idp:AdminDeleteUser",
              "cognito-idp:AdminConfirmSignUp",
              "cognito-idp:AdminEnableUser",
              "cognito-idp:AdminUpdateUserAttributes",
              "cognito-idp:DescribeIdentityProvider",
              "cognito-idp:DescribeUserPool",
              "cognito-idp:DeleteUserPool",
              "cognito-idp:DescribeUserPoolClient",
              "cognito-idp:CreateUserPool",
              "cognito-idp:CreateUserPoolClient",
              "cognito-idp:UpdateUserPool",
              "cognito-idp:AdminSetUserPassword",
              "cognito-idp:ListUserPools",
              "cognito-idp:ListUserPoolClients",
              "cognito-identity:GetIdentityPoolRoles",
              "cognito-identity:SetIdentityPoolRoles",
              "cognito-identity:CreateIdentityPool",
              "cognito-identity:DeleteIdentityPool",
              "cognito-identity:ListIdentityPools",
              "cognito-identity:DescribeIdentityPool",
              "dynamodb:DescribeTable",
              "lambda:GetFunction",
              "lambda:CreateFunction",
              "lambda:AddPermission",
              "lambda:DeleteFunction",
              "iam:PutRolePolicy",
              "iam:CreatePolicy",
              "iam:AttachRolePolicy",
              "iam:ListPolicyVersions",
              "iam:ListAttachedRolePolicies",
              "iam:CreateRole",
              "iam:PassRole",
              "iam:ListRolePolicies",
              "iam:DeleteRolePolicy",
              "iam:CreatePolicyVersion",
              "iam:DeletePolicyVersion",
              "iam:DeleteRole",
              "cloudformation:ListStacks",
              "sns:CreateSMSSandboxPhoneNumber",
              "sns:GetSMSSandboxAccountStatus",
              "sns:VerifySMSSandboxPhoneNumber",
              "sns:DeleteSMSSandboxPhoneNumber",
              "sns:ListSMSSandboxPhoneNumbers",
              "sns:ListOriginationNumbers"
          ],
          "Resource": "*"
      },
      {
          "Sid": "AmplifySSMCalls",
          "Effect": "Allow",
          "Action": [
              "ssm:PutParameter",
              "ssm:DeleteParameter",
              "ssm:GetParametersByPath",
              "ssm:GetParameters",
              "ssm:GetParameter",
              "ssm:DeleteParameters"
          ],
          "Resource": "arn:aws:ssm:*:*:parameter/amplify/*"
      }
  ]
}

After attaching the AWSCodeCommitReadOnly managed policy to the Amplify service role, the build phase was able to clone the repository. Note that this managed policy is not limited to a single repository; if least privilege matters, a statement granting only the needed read actions on the one repository's ARN is the tighter alternative.
