amazon-archives / awsmobile-cli

CLI experience for Frontend developers in the JavaScript ecosystem.
Apache License 2.0

Cross-Account ( profile ) Support - Duplicate #126

Open LXensen opened 6 years ago

LXensen commented 6 years ago

I'm still not able to init the project as per #113

I'm able to invoke AWS cli for mobile and see the projects listed in my other profile but I can't seem to init the backend.

$ aws mobile list-projects --profile MyCrossAccountAccessProfile
{
    "projects": [
        {
            "projectId": "<project_b_id>",
            "name": "PROJEC_NAME"
        }
    ]
}

$ awsmobile configure aws --profile MyCrossAccountAccessProfile

configure aws
Setting awsmobile-cli to use named profile: MyCrossAccountAccessProfile

Done

$ awsmobile init <project_b_id>

this project's backend is currently set to be <project_a>
with mobile project id = <project_a_id>
and was initialized at 2018-05-01-17-46-04
? switch backend to awsmobile project with id = project_b_id Yes
init will now try to switch to the newly specified backend

failed to link to backend awsmobile project with id = <project_b_id>
{ NotFoundException: No such project exists : <project_b_id>
   .
   .
  message: 'No such project exists : <project_b_id>',
  code: 'NotFoundException',
 }

I also tried

$ export AWS_PROFILE=MyCrossAccountAccessProfile

per the AWS CLI docs but no luck.

my ~/.aws/config

[default]
region = us-east-1
output = json

[profile MyCrossAccountAccessProfile]
role_arn = arn:aws:iam::*****************:role/MyCrossAccountAccessProfile
region = us-east-1
source_profile = default

and ~/.aws/credentials

[default]
aws_access_key_id = MYACCESSKEYID
aws_secret_access_key = mysecretaccesskey

[MyCrossAccountAccessProfile]
aws_access_key_id = MYACCESSKEYID
aws_secret_access_key = mysecretaccesskey

UnleashedMind commented 6 years ago

One possible cause that I can think of is you haven't set the general configuration correctly. Please cd to your workspace and follow these steps to find out:

  1. $ mkdir newEmptyDir
  2. $ cd newEmptyDir
  3. $ awsmobile configure aws --list

The awsmobile-cli will list the general configuration that will be used when the next init command is executed. Please check if it is the profile MyCrossAccountAccessProfile.

LXensen commented 6 years ago

It is using MyCrossAccountAccessProfile, not my default profile

awsmobile configure aws --list

IsUsingProfile: true
ProfileName: MyCrossAccountAccessProfile

{ accessKeyId: '*********************',
  secretAccessKey: '*************************',
  region: 'us-east-1' }

I did create the entry for the 'MyCrossAccountAccessProfile' profile manually; meaning I opened the credentials and config files and just added the values.

UnleashedMind commented 6 years ago

Thanks. The awsmobile-cli currently does NOT support assuming roles. When you execute aws mobile list-projects --profile MyCrossAccountAccessProfile, and your profile has role-arn and source-profile, the aws-cli will assume the role and then use the assumed role to access AWS. But when you configure awsmobile-cli with a profile name, the awsmobile-cli only picks the keys and the region from the two files and then uses them to access AWS. Hence the difference. Since you are using cross-account access, I guess the keys you put there do not have access permission to the mobile-hub. I will mark this as a feature request.
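The difference described in the comment above, as an added example that is not part of the thread and is not awsmobile-cli or aws-cli code: it contrasts a keys-and-region reading of a profile with a reading that follows role_arn and source_profile. The function names and the `<account_b_id>` placeholder are assumptions, and the file contents are a constructed copy of the ones posted in this issue.

```javascript
// Constructed sample: the two files from this thread, with placeholder values.
const CONFIG = `
[default]
region = us-east-1
[profile MyCrossAccountAccessProfile]
role_arn = arn:aws:iam::<account_b_id>:role/MyCrossAccountAccessProfile
region = us-east-1
source_profile = default
`;
const CREDENTIALS = `
[default]
aws_access_key_id = MYACCESSKEYID
aws_secret_access_key = mysecretaccesskey
[MyCrossAccountAccessProfile]
aws_access_key_id = MYACCESSKEYID
aws_secret_access_key = mysecretaccesskey
`;
// Minimal INI reader: "[profile x]" in config and "[x]" in credentials both map to "x".
function parseIni(text) {
  const sections = {}; let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const header = line.match(/^\[(?:profile\s+)?(.+)\]$/);
    if (header) { current = sections[header[1].trim()] = {}; continue; }
    const eq = line.indexOf('=');
    if (current && eq > 0) current[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return sections;
}
// Keys-and-region reading: role_arn and source_profile are never looked at.
function keysOnly(name, config, creds) {
  const c = creds[name] || {};
  return { accessKeyId: c.aws_access_key_id, region: (config[name] || {}).region };
}
// Role-aware reading: follow source_profile and collect the roles to assume, in order.
function roleAware(name, config, creds, seen = []) {
  if (seen.includes(name)) throw new Error(`source_profile loop at ${name}`);
  const p = config[name] || {};
  if (!p.role_arn) return { roles: [], signedWith: keysOnly(name, config, creds) };
  if (!p.source_profile) throw new Error(`${name}: role_arn without source_profile (not handled here)`);
  const base = roleAware(p.source_profile, config, creds, seen.concat(name));
  return { roles: [...base.roles, p.role_arn], signedWith: base.signedWith };
}
// True when a tool that ignores role_arn would silently call AWS with the static keys instead.
function ignoresRole(name, config, creds) {
  const needsRole = roleAware(name, config, creds).roles.length > 0;
  return needsRole && Boolean(keysOnly(name, config, creds).accessKeyId);
}
console.log(ignoresRole('MyCrossAccountAccessProfile', parseIni(CONFIG), parseIni(CREDENTIALS)));
```

Because the same static keys were copied under the role profile in the credentials file, the keys-only reading raises no error and the request is simply made with those keys rather than the assumed role.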

LXensen commented 6 years ago

I'm not sure what you mean by the keys not having access. There is only one set of keys, AccountA's keys. I set it up according to https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html

I was following you right up until then. Maybe I'm not using the correct terminology. Let me explain...

I have created an application, ApplicationA, in Mobile Hub using my AWS account, AccountA. This application is actually for a client but I started it under my AWS account (AccountA). Now I'm trying to 'migrate' the code to his account since I am consuming my AWS resources. My client has created a role (MyCrossAccountAccessProfile) in his AWS account, AccountB, and granted my AWS account (AccountA) access. When I log into AWS using my account (AccountA) I am able to assume the MyCrossAccountAccessProfile role. When I am assuming that role I am able to access the AWS Mobile Hub console of AccountB.

So you're saying it's a limitation of the awsmobile-cli ( hence the feature-request tag )?

UnleashedMind commented 6 years ago

Yes, it's a limitation of the awsmobile-cli; currently it does not support assuming roles for cross-account AWS access.

LXensen commented 6 years ago

Understood. Thanks