aws-amplify / amplify-backend

Home to all tools related to Amplify's code-first DX (Gen 2) for building fullstack apps on AWS
Apache License 2.0

sandbox failed deletion after prompt while using sso #888

Open josefaidt opened 10 months ago

josefaidt commented 10 months ago

Environment information

System:
    OS: macOS 14.2.1
    CPU: (10) arm64 Apple M1 Pro
    Memory: 890.36 MB / 32.00 GB
    Shell: 3.6.4 - /opt/homebrew/bin/fish
  Binaries:
    Node: 20.10.0 - ~/Library/Caches/fnm_multishells/77574_1680319338649/bin/node
    Yarn: 1.22.19 - ~/Library/Caches/fnm_multishells/77574_1680319338649/bin/yarn
    npm: 10.2.3 - ~/Library/Caches/fnm_multishells/77574_1680319338649/bin/npm
    pnpm: 8.14.0 - ~/Library/Caches/fnm_multishells/77574_1680319338649/bin/pnpm
    bun: 1.0.21 - ~/.bun/bin/bun
    Watchman: Not Found
  npmPackages:
    @aws-amplify/backend: ^0.8.0 => 0.8.0 
    @aws-amplify/backend-cli: ^0.9.3 => 0.9.3 
    aws-amplify: ^6.0.10 => 6.0.10 
    aws-cdk: Not Found
    aws-cdk-lib: Not Found
    typescript: ^5.3.3 => 5.3.3

Description

  1. run sandbox with an sso profile, AWS_PROFILE=mysso-profile npx amplify sandbox
  2. sign in to sso if you need to
  3. watch it deploy successfully
  4. leave it running for a while (probably until the sso session expires)
  5. ctrl+c to exit sandbox
  6. select Y to delete the sandbox
  7. observe re-auth for SSO
  8. after successful auth, cdk destroy fails (maybe it failed when I was prompted for sso auth)

Stack ARN:
arn:aws:cloudformation:us-east-1:814763596509:stack/amplify-20230108-josef-sandbox-323cc65af6/607c2430-ae71-11ee-944f-0a3fb48e5787

✨  Total time: 292.02s

[Sandbox] Running successfulDeployment event handlers
[Sandbox] Watching for file changes...
^C[Sandbox] Shutting down
? Would you like to delete all the resources in your sandbox environment (This cannot be 
undone)? y
[Sandbox] Deleting all the resources in the sandbox environment...
[Sandbox] Executing command `destroy`
amplify-20230108-josef-sandbox-323cc65af6: destroying... [1/1]

UnknownFault: Error: WARNING: owners may reassign ownership for the following model(s) and role(s): Todo: [owner]. If this is not intentional, you may want to apply field-level authorization rules to these fields. To read more: https://docs.amplify.aws/cli/graphql/authorization-rules/#per-user--owner-based-data-access.

 ❌  amplify-20230108-josef-sandbox-323cc65af6: destroy failed Error: Unable to resolve AWS account to use. It must be either configured when you define your CDK Stack, or through the environment
    at SdkProvider.resolveEnvironment (/Users/josef/Documents/projects/aws-amplify/reproductions/20230108/node_modules/aws-cdk/lib/index.js:384:14622)
    at async Deployments.prepareSdkFor (/Users/josef/Documents/projects/aws-amplify/reproductions/20230108/node_modules/aws-cdk/lib/index.js:424:7691)
    at async Deployments.destroyStack (/Users/josef/Documents/projects/aws-amplify/reproductions/20230108/node_modules/aws-cdk/lib/index.js:424:6793)
    at async CdkToolkit.destroy (/Users/josef/Documents/projects/aws-amplify/reproductions/20230108/node_modules/aws-cdk/lib/index.js:424:188487)
    at async exec4 (/Users/josef/Documents/projects/aws-amplify/reproductions/20230108/node_modules/aws-cdk/lib/index.js:479:53102)
Unable to resolve AWS account to use. It must be either configured when you define your CDK Stack, or through the environment

p.s. I realized I have a credential_process in my AWS config for the sso profile which may be causing an issue

ykethan commented 10 months ago

On reproducing this, I ran into a slightly different error and wasn't reprompted to re-auth SSO.

I had to re-run aws sso login --profile, then start the sandbox and destroy the env. The credential_process may be the difference in the error message.

Side note: if I rerun sandbox with an expired token, the line 'To configure a new Amplify profile, use "npx amplify configure profile".' may need to be changed.

 npx amplify sandbox --profile amplify-sso-admin
Failed to load aws credentials for profile 'amplify-sso-admin': Token is expired. To refresh this SSO session run 'aws sso login' with the corresponding profile..
To configure a new Amplify profile, use "npx amplify configure profile".

josefaidt commented 10 months ago

> I had to re-run aws sso login --profile, then start the sandbox and destroy the env. The credential_process may be the difference in the error message.

Ah yep that's probably why the messages are different

> Side note: if I rerun sandbox with an expired token, the line 'To configure a new Amplify profile, use "npx amplify configure profile".' may need to be changed.

agreed

ykethan commented 10 months ago

Marking as feature-request for error messaging improvements.

swaminator commented 9 months ago

We need to surface the same error we throw when the npx amplify sandbox is first run.

magisystem0408 commented 9 months ago

I'm trying to use SSO login with Gen 2, but it raised a login error.

Referenced links.

https://docs.amplify.aws/gen2/start/account-setup/#pageMain

my environment

  System:
    OS: macOS 12.5
    CPU: (20) arm64 Apple M1 Ultra
    Memory: 919.31 MB / 128.00 GB
    Shell: 3.6.0 - /opt/homebrew/bin/fish
  Binaries:
    Node: 18.17.0 - ~/.local/share/nvm/v18.17.0/bin/node
    Yarn: Not Found
    npm: 9.6.7 - ~/.local/share/nvm/v18.17.0/bin/npm
    pnpm: Not Found
    bun: Not Found
    Watchman: Not Found
  npmPackages:
    @aws-amplify/backend: ^0.10.3 => 0.10.3 
    @aws-amplify/backend-cli: ^0.10.0 => 0.10.0 
    aws-amplify: ^6.0.13 => 6.0.13 
    aws-cdk: ^2.124.0 => 2.124.0 
    aws-cdk-lib: ^2.124.0 => 2.124.0 
    typescript: ^5.3.3 => 5.3.3 

My ~/.aws/config settings:

[sso-session test]
sso_start_url = https://<MY-SSO-LINK>.awsapps.com/start
sso_region = ap-northeast-1
sso_registration_scopes = sso:account:access

[profile test]
sso_session = test
sso_account_id = <I typed SSO_ACCOUNT_ID>
sso_role_name = AWSAdministratorAccess
region = ap-northeast-1
output = json

When I try to log in with this config while creating a sandbox environment, it fails with an AWS credential load error.

AWS_PROFILE=test npx amplify sandbox
Failed to load default aws credentials: Profile is configured with invalid SSO credentials. Required parameters "sso_account_id", "sso_region", "sso_role_name", "sso_start_url". Got sso_session, sso_account_id, sso_role_name, region, output
Reference: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html.
To configure a new Amplify profile, use "npx amplify configure profile".

josefaidt commented 9 months ago

Hey @magisystem0408 below is my profile setup for SSO. The error seems a bit odd, but do you experience the same without the output set?

[profile josef-gen2]
sso_session = josef-gen2
sso_account_id = xxxxx
sso_role_name = AmplifySet
region = us-east-1
[sso-session josef-gen2]
sso_start_url = https://d-9067aede34.awsapps.com/start#
sso_region = us-east-1
sso_registration_scopes = sso:account:access

magisystem0408 commented 9 months ago

@josefaidt thank you for the feedback!!! I tried without output = json. The result was a success and it started creating the sandbox.

[profile josef-gen2]
sso_session = josef-gen2
sso_account_id = xxxxx
sso_role_name = AmplifySet
region = us-east-1
# TODO: delete this property.
output = json

[sso-session josef-gen2]
sso_start_url = https://d-9067aede34.awsapps.com/start#
sso_region = us-east-1
sso_registration_scopes = sso:account:access

josefaidt commented 9 months ago

Ah glad to hear it @magisystem0408 ! 🚀
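
The credential error quoted in this thread lists four required SSO parameters, while the profiles posted here keep two of them in a separate [sso-session] section. The following is an added example (not part of the thread or of the Amplify code base) that checks a named profile both ways; the function names, the sample values, and the choice to let profile keys override session keys are assumptions.

```javascript
// Added example. Keys the quoted error message lists as required.
const REQUIRED = ["sso_account_id", "sso_region", "sso_role_name", "sso_start_url"];
// Constructed sample in the sso-session layout used in the thread; values are placeholders.
const SAMPLE_CONFIG = `
[sso-session test]
sso_start_url = https://example.awsapps.com/start
sso_region = ap-northeast-1

[profile test]
sso_session = test
sso_account_id = 111122223333
sso_role_name = AWSAdministratorAccess

[profile dangling]
sso_session = nosuchsession
`;

// Minimal reader for the shared config format: [section] headers and key = value lines.
function parseAwsConfig(text) {
  const sections = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const header = line.match(/^\[(.+)\]$/);
    if (header) { current = sections[header[1].trim()] = {}; continue; }
    const eq = line.indexOf("=");
    if (current && eq > 0) current[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return sections;
}

// Reports which required keys are absent from the profile section alone, and which
// are still absent after merging in the [sso-session ...] section it references.
function checkSsoProfile(configText, profileName) {
  const sections = parseAwsConfig(configText);
  const profile = sections[`profile ${profileName}`]; // named profiles only, not [default]
  if (!profile) return { ok: false, error: `profile '${profileName}' not found` };
  const missingInProfile = REQUIRED.filter((k) => !profile[k]);
  const session = profile.sso_session ? sections[`sso-session ${profile.sso_session}`] : {};
  if (!session) {
    return { ok: false, error: `sso-session '${profile.sso_session}' not found`, missingInProfile };
  }
  const merged = { ...session, ...profile }; // assumption: profile keys win on conflict
  const missing = REQUIRED.filter((k) => !merged[k]);
  return { ok: missing.length === 0, missingInProfile, missing };
}
```

For the `test` profile, `missingInProfile` names the two keys that live only in the session section, which matches the "Got ..." list in the quoted error containing profile-section keys only.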