search

aws-amplify / amplify-cli

The AWS Amplify CLI is a toolchain for simplifying serverless web and mobile development.
Apache License 2.0
2.81k stars 819 forks source link

Cannot read property 'accessKeyId' of undefined, after latest update #10367

Closed adcanis closed 1 year ago

adcanis commented 2 years ago

Before opening, please confirm:

How did you install the Amplify CLI?

npm

If applicable, what version of Node.js are you using?

17.7.1

Amplify CLI Version

8.1.0

What operating system are you using?

Mac

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

N/A

Amplify Categories

auth, api

Amplify Commands

pull, push, status

Describe the bug

After running aws-vault exec foo When performing an amplify command, error Failed to get profile: Cannot read property 'accessKeyId' of undefined presents itself.

If I remove aws-vault, and create a credentials file in my ~/.aws folder and add the credentials there, I get a different error: Name: ResourceNotFoundException : Message: User pool **-******-******** does not exist.

Expected behavior

The command(s) should work

Reproduction steps

Using AWS-VAULT

  1. aws-vault exec foo All commands there after present error

GraphQL schema(s)

```graphql # Put schemas below this line ```

Log output

``` # Put your logs below this line ```

Additional information

No response

josefaidt commented 2 years ago

Hey @adcanis :wave: when using the AWS credentials and config files, can you confirm the region is set to the region which the Amplify app is deployed to?

adcanis commented 2 years ago

@josefaidt yes everything is there. I did run aws configure when removing aws-vault and using the credentials file. But there is not [default] listed in either file

josefaidt commented 2 years ago

Hey @adcanis thanks for the clarification! In your amplify app's directory what Amplify CLI command are you executing to receive the "user pool ... does not exist" error? Is this on push?

adcanis commented 2 years ago

@josefaidt it doesn't matter what command, even status.

adcanis commented 2 years ago

@josefaidt I should add... if I run aws configure list I have a profile with no set profile name. This profile doesn't exist in my credentials or my config file but is listed when the command above is run. I think this may be the undefined item that is being referenced when error Failed to get profile: Cannot read property 'accessKeyId' of undefined is given when using aws-vault. What is the weird part, is when a credentials file was created and aws-vault was removed, it threw the cognito user pool error instead. Also, when aws configure list-profiles i only have the expected profiles My profile structure looks like so ` [profile foo] region=ca-central-1 output=json

[profile foo-dev] source_profile=foo region=ca-central-1 role_arn=arn:aws:iam::*****:role/app-foo-dev

This repeats for qa, prod `

josefaidt commented 2 years ago

Hey @adcanis based on the error for "Cognito does not exist" it appears the Amplify CLI is successfully authenticating however is not able to find the resource in the specified account and region. If this is an existing project you have locally, is it possible the amplify/.config/local-aws-info.json file is pointing to a unintended profile for this environment?

{
  "dev": {
    "configLevel": "project",
    "useProfile": true,
    "profileName": "default"
  }
}
adcanis commented 2 years ago

@josefaidt thats just it. Everything is as it should be. Project works as expected, user pool authentication works and all that. I did a bit of updates to the schema today in regards to some resolvers, went to push, updated the cli and then this error

josefaidt commented 2 years ago

Hey @adcanis can you confirm the Cognito User Pool ID shown in amplify/backend/amplify-meta.json at auth.<resource-name>.output.UserPoolId matches that of which we are seeing in the Console?

adcanis commented 2 years ago

@josefaidt my file inside the backend/auth/appname is parameters.json which shows the following { "authSelections": "userPoolOnly", "resourceName": "****************", "serviceType": "imported", "region": "ca-central-1", "authProvidersUserPool": [], "requiredAttributes": [], "passwordPolicyMinLength": 8, "passwordPolicyCharacters": [ "Requires Lowercase", "Requires Uppercase", "Requires Numbers", "Requires Symbols" ], "mfaConfiguration": "OPTIONAL", "autoVerifiedAttributes": [ "email" ], "mfaTypes": [ "SMS Text Message", "TOTP" ] }

This was the order in my commands prior to the error:

amplify status no error was received. seen the update to the cli and ran the update before pushing the change should of pushed before

then I ran amplify api gql-compile without issue

went to run amplify push -y and received the first error about failed to get accesskeyId. Thats when I unset aws_vault, and exec'd with the credentials as usual. Ran amplify push -y again and received the same error. After unsetting my aws_vault again, I created the credentials file and added the credentials there which then threw the cognito error

josefaidt commented 2 years ago

Hey @adcanis thanks for the clarification! I was looking to see if we potentially have a mismatch of Cognito ID's in our local copy versus what we're seeing in the AWS Console for Cognito. Do you also have a supplemental ~/.aws/config that specifies the intended regions for the profiles?

adcanis commented 2 years ago

So the ~/.aws/configlooks like this

`

[profile foo ] output=json region=ca-central-1

[profile foo-dev] source_profile=foo role_arn=arn:aws:iam::[AWS_ACCOUNT_NUMBER]:role/foo-dev-admin `

And so on with the subsequent profiles. Keep in mind, I wasn't using a credentials file until this error, I was using AWS-vault to set my credentials without issue.

josefaidt commented 2 years ago

Hey @adcanis to clarify further are you attempting to use temporary credentials with the Amplify CLI?

adcanis commented 2 years ago

That's how I've always done it yes. At least with this project specifically

m98 commented 2 years ago

I have the same issue. I try to pull and I get the Cannot read property 'accessKeyId' of undefined error! image

I tried to change the credentials with a new one by running amplify configure, and new credintials did not help either!

adcanis commented 2 years ago

@m98 dis you update to the latest cli as well?

I've even deleted my ~/Library/Keychains/aws-vault.keychainand re-added everything and still get the same error

m98 commented 2 years ago

Yes. I use version 8.1.0 which is the latest version on NPM.

m98 commented 2 years ago

For me, the problem was solved when I deleted the amplify directory and the aws-exports.js. (I think only deleting the amplify directory should be enough)

adcanis commented 2 years ago

@m98 Good to know. I will try that today and do a pull. Just to confirm, are you running aws-vault to set temp credentials or are you using a credentials file?

m98 commented 2 years ago

I ran amplify init then enter the credentials (previously I created that credential by running amplify configure)

adcanis commented 2 years ago

@josefaidt @m98 Just wanted to say thanks for all the help. The resolution seems to be to remove the amplify directory and aws-exports.js file as @m98 mentioned. In my case I did not init, but rather pulled the existing project in.

josefaidt commented 2 years ago

Hey @adcanis and @m98 that is an interesting find. Are you able to capture the git diff of amplify/.config/project-info.json? I'm curious in knowing if we can reproduce this behavior and permanently resolve from our end

adcanis commented 2 years ago

@josefaidt ill take a look. Funny enough this has opened up an entire other issue. I removed the folder and exports file as stated and ran amplify pull --appId ******** --envName *** no more credentials issue. amplify status doesn't show the errors and AWS-vault seems to be setting credentials just fine.

I now get a 400 error on my cognito and all users can't log in. Nothing has changed. This was an imported user pool if that matters.

Edit to add** I created a new user, and also a new user pool just to see what would happen if I removed auth and imported a new one. User can follow authentication the first time, but once logged out can't log back in. Error 400. Again this is NOW only and an issue after the step above

vkanagarajan commented 2 years ago

amplify status not getting any error

amplify push i am getting same error

Failed to get profile: Cannot read property 'accessKeyId' of undefined

josefaidt commented 2 years ago

Hey @adcanis thank you for clarifying and I'm glad to hear that you're able to mitigate the issue. For the authentication issue would you mind creating a separate bug report for that? Does the aws-exports.js file still point to the older auth resource?

@vkanagarajan can you paste the contents of amplify/.config/local-aws-info.json omitting any sensitive information? For example, my sample application's file looks like:

{
  "dev": {
    "configLevel": "project",
    "useProfile": true,
    "profileName": "default"
  }
}
adcanis commented 2 years ago

@josefaidt ill open a new bug report on the cognito front. It appears to be coming from the setTOTP and prefferedMFA function. aws-exports is correct depending on what auth I bring in to correct the issue. Thanks for the help!

Booligoosh commented 2 years ago

Can confirm that deleting the amplify directory and then running amplify pull --appId ******** --envName *** to grab my backend files again fixed the issue for me with no weird side-effects. I didn't need to delete my aws-exports.js.

vkanagarajan commented 2 years ago

amplify/.config/local-aws-info.json file i am having this same code { "dev": { "configLevel": "project", "useProfile": true, "profileName": "default" } }

adcanis commented 2 years ago

@vkanagarajan have you tried deleting your amplify directory, the aws-exports file from src and running amplify pull --appID ***** --envName ****?

scottbw commented 2 years ago

I've tried deleting everything, running amplify pull to get a fresh copy of the backend, and any subsequent push operation results in "Failed to get profile: Cannot read property 'accessKeyId' of undefined". Running latest Amplify CLI on Mac OS X.

adcanis commented 2 years ago

@scottbw have you ran unset AWS_VAULT followed by aws-vault clear in-order to remove any temp credentials and session?

Edit: I just ran a amplify push -y and that did NOT return the issue

scottbw commented 2 years ago

I've never used aws-vault, so there's nothing to clear.

Steps:

  1. Delete everything
  2. amplify pull --appId {app} --envName staging
  3. amplify pull -y

Result: ⠏ Fetching updates to backend environment: staging from the cloud.? Select the authentication method you want to use: AWS profile Failed to get profile: Cannot read property 'accessKeyId' of undefined

adcanis commented 2 years ago

@scottbw Can you confirm that your ~/.aws/config and ~/.aws/credentials look similar to the following?

**~/.aws/config**

[profile <YOUR PROFILE NAME>]
output=json
region=<YOUR AWS REGION>

if your using assumed roles ie. dev, qa, production

[profile  <YOUR PROFILE>-dev]
source_profile=<YOUR MAIN PROFILE>
role_arn=arn:aws:iam::********:role/<YOUR_APP-DEV-ADMIN>

**~/.aws/credentials**

[<YOUR PROFILE NAME>]
aws_access_key_id=*************
aws_secret_access_key=***********************
scottbw commented 2 years ago

Correct, thats how they look.

vkanagarajan commented 2 years ago

@vkanagarajan have you tried deleting your amplify directory, the aws-exports file from src and running amplify pull --appID ***** --envName ****?

amplify pull --appID * --envName ? Select the authentication method you want to use: (Use arrow keys) ❯ AWS profile AWS access keys Which one i have to select AWS profile or AWS access keys ?

if i select AWS profile :

amplify pull --appID * --envName ? Select the authentication method you want to use: AWS profile

For more information on AWS Profiles, see: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html

? Please choose the profile you want to use devuser Failed to pull the backend. πŸ›‘ The security token included in the request is invalid. UnrecognizedClientException: The security token included in the request is invalid. at Object.extractError (/snapshot/repo/build/node_modules/aws-sdk/lib/protocol/json.js:52:27) at Request.extractError (/snapshot/repo/build/node_modules/aws-sdk/lib/protocol/rest_json.js:49:8) at Request.callListeners (/snapshot/repo/build/node_modules/aws-sdk/lib/sequential_executor.js:106:20) at Request.emit (/snapshot/repo/build/node_modules/aws-sdk/lib/sequential_executor.js:78:10) at Request.emit (/snapshot/repo/build/node_modules/aws-sdk/lib/request.js:686:14) at Request.transition (/snapshot/repo/build/node_modules/aws-sdk/lib/request.js:22:10) at AcceptorStateMachine.runTo (/snapshot/repo/build/node_modules/aws-sdk/lib/state_machine.js:14:12) at /snapshot/repo/build/node_modules/aws-sdk/lib/state_machine.js:26:10 at Request. (/snapshot/repo/build/node_modules/aws-sdk/lib/request.js:38:9) at Request. (/snapshot/repo/build/node_modules/aws-sdk/lib/request.js:688:12) at Request.callListeners (/snapshot/repo/build/node_modules/aws-sdk/lib/sequential_executor.js:116:18) at Request.emit (/snapshot/repo/build/node_modules/aws-sdk/lib/sequential_executor.js:78:10) at Request.emit (/snapshot/repo/build/node_modules/aws-sdk/lib/request.js:686:14) at Request.transition (/snapshot/repo/build/node_modules/aws-sdk/lib/request.js:22:10) at AcceptorStateMachine.runTo (/snapshot/repo/build/node_modules/aws-sdk/lib/state_machine.js:14:12) at /snapshot/repo/build/node_modules/aws-sdk/lib/state_machine.js:26:10 at Request. (/snapshot/repo/build/node_modules/aws-sdk/lib/request.js:38:9) at Request. (/snapshot/repo/build/node_modules/aws-sdk/lib/request.js:688:12) at Request.callListeners (/snapshot/repo/build/node_modules/aws-sdk/lib/sequential_executor.js:116:18) at callNextListener (/snapshot/repo/build/node_modules/aws-sdk/lib/sequential_executor.js:96:12) at IncomingMessage.onEnd (/snapshot/repo/build/node_modules/aws-sdk/lib/event_listeners.js:335:13) at IncomingMessage.emit (events.js:412:35) at IncomingMessage.emit (domain.js:475:12) at endReadableNT (internal/streams/readable.js:1334:12) at processTicksAndRejections (internal/process/task_queues.js:82:21)

adcanis commented 2 years ago

@vkanagarajan do you not have a credentials and config file set?

Make sure you have your ~/.aws/config and ~/.aws/credentials file set properly as stated above

vkanagarajan commented 2 years ago

@vkanagarajan do you not have a credentials and config file set?

Yes , ~/.aws/config and ~/.aws/credentials having values in my system

amplify status

Current Environment: dev

β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ Category β”‚ Resource name β”‚ Operation β”‚ Provider plugin β”‚ β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€ β”‚ Auth β”‚ testfff9bab4 β”‚ Create β”‚ awscloudformation β”‚ β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€ β”‚ Api β”‚ test β”‚ Update β”‚ awscloudformation β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

GraphQL transformer version: 1

amplify push
Failed to get profile: Cannot read property 'accessKeyId' of undefined

scottbw commented 2 years ago

In the end, I had to completely get rid of my app's backend in the AWS UI console, and start again from scratch with a brand new backend as I was losing far too much time over this. No idea what went wrong or how it got so badly out of sync.

josefaidt commented 2 years ago

Hey @vkanagarajan I was able to reproduce this if I point my profileName in amplify/.config/local-aws-info.json to a profile name that does not exist on my machine:

{
  "dev": {
    "configLevel": "project",
    "useProfile": true,
    "profileName": "doesnotexist"
  }
}

Can you confirm the profile default exists within your AWS configuration at ~/.aws/credentials?

vkanagarajan commented 2 years ago

I have fixed this issue created new user and added the access and secret key

m98 commented 2 years ago

@josefaidt In my case, I guess maybe the AWS Toolkit for my IDE caused this! With that you can rename the credintials!

It's good to know if other people in this thread who had this issue were also using AWS Toolkit!

josefaidt commented 2 years ago

Hey @vkanagarajan glad to hear you're back up and running, and thanks @m98 for chiming in here! I'm glad to hear you've found value out of this thread!

Given the issue is now resolved I will close this for now, however if this issue reappears please reply back to this thread and we can re-open to investigate further πŸ™‚

slim-elephant commented 2 years ago

I faced the same issue, sorted out by doing the following.

Under Amplify -> .config -> local-aws-info.json profile name was defined as ABC whereas new profile I created did not match the name. Simple went to ~/Users/username/.aws/ and changed profile name in credentials and config file to match the project. Or you can do the other way around if profile is being used by multiple projects or define a new profile with matching name,

armenr commented 2 years ago

@josefaidt - This shouldn't be closed!

I have wrapped Amplify into a pretty complex setup, and everything has been working as expected. I am externalizing some specifics around CI/CD (and CI/CD steps), and in my EXTERNAL CI/CD system (as well as on my local machine, outside of my github repo - in some empty folder), I am getting the following errors.

Scenario:

  1. There is a named AWS profile configured on the system where amplify runs (my local machine and/or CI/CD VM) with name armen-dev
  2. There is an existing backend named "develop" (verified valid)
  3. There is an existing Amplify App with ID "" (verified valid)

Reproduce:

  1. mkdir some-test
  2. cd some-test

Command permutation 1

  1. amplify pull --providers '{"awscloudformation":'{"develop":'{"configLevel":"project","useProfile":true,"profileName":"armen-dev"}'}'}' --amplify '{"appId":"REDACTED","envName":"develop"}' --yes

Error Result:

Error in the command line parameter for awscloudformation configuration.
Failed to pull the backend.
πŸ›‘ project level config set useProfile to false, but access key or region is missing.
Error: project level config set useProfile to false, but access key or region is missing.
    at normalizeInputParams (/snapshot/repo/build/node_modules/amplify-provider-awscloudformation/lib/configuration-manager.js:239:15)
    at Object.init (/snapshot/repo/build/node_modules/amplify-provider-awscloudformation/lib/configuration-manager.js:90:3)
    at Object.run (/snapshot/repo/build/node_modules/amplify-provider-awscloudformation/lib/attach-backend.js:97:32)
    at processTicksAndRejections (internal/process/task_queues.js:95:5)
    at async Object.attachBackend (/snapshot/repo/build/node_modules/amplify-provider-awscloudformation/lib/index.js:210:3)
    at async queryProvider (/snapshot/repo/build/node_modules/@aws-amplify/cli-internal/lib/attach-backend-steps/a10-queryProvider.js:31:5)
    at async attachBackend (/snapshot/repo/build/node_modules/@aws-amplify/cli-internal/lib/attach-backend.js:38:9)
    at async Object.run (/snapshot/repo/build/node_modules/@aws-amplify/cli-internal/lib/commands/pull.js:70:9)
    at async Object.executeAmplifyCommand (/snapshot/repo/build/node_modules/@aws-amplify/cli-internal/lib/index.js:292:9)
    at async executePluginModuleCommand (/snapshot/repo/build/node_modules/@aws-amplify/cli-internal/lib/execution-manager.js:142:5)
    at async executeCommand (/snapshot/repo/build/node_modules/@aws-amplify/cli-internal/lib/execution-manager.js:40:9)
    at async Object.run (/snapshot/repo/build/node_modules/@aws-amplify/cli-internal/lib/index.js:165:13)

Command permutation 2

  1. amplify pull --providers '{"awscloudformation":'{"configLevel":"project","useProfile":true,"profileName":"stelth-dev"}'}' --amplify '{"appId":"REDACTED","envName":"develop"}' --yes

Error Result:

Failed to get profile: Cannot read property 'accessKeyId' of undefined

Observations

I know for sure the region and credentials are all set up correctly because I'm doing it this way:

aws configure --profile "$AWS_APP_PROFILE_NAME" set aws_access_key_id "$AWS_ACCESS_KEY_ID"
aws configure --profile "$AWS_APP_PROFILE_NAME" set aws_secret_access_key "$AWS_SECRET_ACCESS_KEY"
aws configure --profile "$AWS_APP_PROFILE_NAME" set region $AWS_REGION

AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY are injected as env vars in my CI/CD pipeline AWS_APP_PROFILE_NAME is also injected as an env var

I know it's working because I get the values back when I log them/echo them in the build pipeline

makyinmars commented 2 years ago

I'm using @aws-amplify/cli v10.0.0. I did amplify init and then I selected AWS access keys instead of AWS profile and finally I inserted my accessKeyId, secretAccessKey and region when asked on the cli.

josefaidt commented 2 years ago

Hey folks I've reopened this issue as a feature request to potentially expose a --profile flag when using headless CLI locally, as this is failing due to the lack of a default profile.

nickvankleeck commented 2 years ago

The same bug now appears when running 'amplify init -y' as part of performing the steps in Module 1 of the AWS tutorial "Deploy a Web Application on AWS Amplify" here: https://aws.amazon.com/getting-started/guides/deploy-webapp-amplify/module-one/.

ehounder commented 1 year ago

I get this same error with this same tutorial - after creating a new user with all privileges and new accessKeyID:

`Project information | Name: amplifyapp | Environment: dev | Default editor: Visual Studio Code | App type: javascript | Javascript framework: react | Source Directory Path: src | Distribution Directory Path: build | Build Command: npm run-script build | Start Command: npm run-script start

Using default provider awscloudformation Failed to get profile: Cannot read property 'accessKeyId' of undefined xxxyyy@zzzz-MacBook-Pro-2 amplify-app %`

letsbelopez commented 1 year ago

I'm getting this error in CI/CD pipeline running amplify-dev pull.

I have configured my default profile credentials using aws configure set command and in my --providers flag I selected to use a profile and use one called default.

mguja-fcc commented 1 year ago

I am getting the same error β ‹ Fetching AWS Amplify Console domainsπŸ›‘ Failed to get profile credentials Cannot read property 'accessKeyId' of undefined when upgraded my Aplify CLI from version 7.6.21 to 10.8.0

lazpavel commented 1 year ago

Hi @armenr, it looks that in your example you have some extra quotes after the "awscloudformation": argument, this command should work for you: amplify pull --providers '{"awscloudformation":{"configLevel":"project","useProfile":true,"profileName":"stelth-dev"}}' --amplify '{"appId":"REDACTED","envName":"develop"}' --yes

We already support passing profile name as the profileName under the awscloudformation as documented here: https://docs.amplify.aws/cli/usage/headless/#--providers.

Nonetheless, this error message is terribly misleading, and we need to improve how we parse the command line arguments as a separate task.

As a workaround to generate the correct syntax, I can suggest using the scripts from our documentation page and add set +x after set -e command to print the executed command after it's assembled.