aws-amplify / amplify-cli

The AWS Amplify CLI is a toolchain for simplifying serverless web and mobile development.
Apache License 2.0

[Feature Request] Amplify CLI support AWS SSO #4488

Open v1pz3n opened 4 years ago

v1pz3n commented 4 years ago

Describe the bug

$ amplify env pull
⠦ Fetching updates to backend environment: dev from the cloud.(node:10308) UnhandledPromiseRejectionWarning: Error: connect EHOSTUNREACH 169.254.169.254:80
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1141:16)
(Use `node --trace-warnings ...` to show where the warning was created)
(node:10308) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 1)
(node:10308) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.
⠋ Fetching updates to backend environment: dev from the cloud.

Amplify CLI Version 4.21.1

To Reproduce

  1. aws sso login --profile dev
  2. amplify pull or amplify env pull

Expected behavior

Update my local development environment


ahansson89 commented 4 years ago

I have a problem adding a new env with the Amplify CLI that uses a SSO profile. Getting

init failed
Error: connect ETIMEDOUT 169.254.169.254:80
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1141:16) {
  message: 'Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1',
  errno: 'ETIMEDOUT',
  code: 'CredentialsError',
  syscall: 'connect',
  address: '169.254.169.254',
  port: 80,
  time: 2020-06-08T05:08:14.592Z,
  originalError: {
    message: 'Could not load credentials from any providers',
    errno: 'ETIMEDOUT',
    code: 'CredentialsError',
    syscall: 'connect',
    address: '169.254.169.254',
    port: 80,
    time: 2020-06-08T05:08:14.592Z,
    originalError: {
      message: 'EC2 Metadata roleName request returned error',
      errno: 'ETIMEDOUT',
      code: 'ETIMEDOUT',
      syscall: 'connect',
      address: '169.254.169.254',
      port: 80,
      time: 2020-06-08T05:08:14.592Z,
      originalError: [Object]
    }
  }
}
v1pz3n commented 4 years ago

I tried another way but I also had problems.

You must delete the "amplify" directory of your project

$ aws sso login --profile amplify

Attempting to automatically open the SSO authorization page in your default browser. If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.us-east-1.amazonaws.com/

Then enter the code:

XXXX-XXXX Successully logged into Start URL: https://amplify.awsapps.com/start

$ amplify pull

For more information on AWS Profiles, see: https://docs.aws.amazon.com/cli/latest/userguide/cli-multiple-profiles.html

? Do you want to use an AWS profile? Yes
? Please choose the profile you want to use amplify

Error: connect EHOSTUNREACH 169.254.169.254:80
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1141:16) {
  message: 'Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1',
  errno: -113,
  code: 'CredentialsError',
  syscall: 'connect',
  address: '169.254.169.254',
  port: 80,
  time: 2020-06-13T22:09:10.614Z,
  originalError: {
    message: 'Could not load credentials from any providers',
    errno: -113,
    code: 'CredentialsError',
    syscall: 'connect',
    address: '169.254.169.254',
    port: 80,
    time: 2020-06-13T22:09:10.614Z,
    originalError: {
      message: 'EC2 Metadata roleName request returned error',
      errno: -113,
      code: 'EHOSTUNREACH',
      syscall: 'connect',
      address: '169.254.169.254',
      port: 80,
      time: 2020-06-13T22:09:10.614Z,
      originalError: [Object]
    }
  }
}
vgoetz commented 3 years ago

Hi folks,

we also face a similar problem with slightly different error messages. I've tried to describe it here also for the 'amplify init' command:

Issue when AWS Profile unable to run amplify init

benkehoe commented 3 years ago

You may be able to use aws-sso-credential-process with AWS_SDK_LOAD_CONFIG=1 set to enable AWS SSO credentials to be used.

If that doesn't work, there is a workaround, developed for the CDK (which has the same problem): https://github.com/aws/aws-cdk/issues/5455#issuecomment-713643500

nishitjain13 commented 3 years ago

The aws2-wrap method referenced by @benkehoe is working absolutely fine for CDK. However, the amplify issue isn't getting resolved by it. Is there some other way that anyone has been able to get amplify to work with sso credentials since the time this issue was first created?

MFranca commented 3 years ago

Hey, folks, let me know if this helps, since I was facing a very similar problem and (I think) I "fixed" it: Setup

benkehoe commented 3 years ago

@nishitjain13 Did you try the credential_process method using aws-sso-util instead of aws2-wrap? I have updated the documentation for it here.

Additionally, aws-export-credentials supports AWS SSO and allows you to inject environment variables with your credentials.

urz9999 commented 3 years ago

In cases like this one, or other similar cases where AWS SSO results in incompatibilities with your library and you don't want to play with workarounds or complicated fixes, you can also give our open-source project a try: https://github.com/Noovolari/leapp. It deals with AWS SSO authentication and account/role retrieval, then creates short-lived temporary credentials in .aws/credentials to maximize compatibility with third-party tools / SDKs.

pantone170145 commented 3 years ago

Did you try the credential_process method using aws-sso-util instead of aws2-wrap? I have updated the documentation for it here.

@benkehoe Thank you. I solved the problem in my environment (aws-amplify/cli 4.41.2). I needed AWS_SDK_LOAD_CONFIG=1

mrserverless commented 2 years ago

I followed the above instructions with AWS_SDK_LOAD_CONFIG=1 using the credential_process method with aws-sso-util. However, it appears that the AWS CLI completely ignores the credential process as per this issue here: https://github.com/aws-amplify/amplify-cli/issues/6882

mrserverless commented 2 years ago

Ok I figured out the issue. For this credential_process to work, all of the following conditions must be met:

tjmcewan commented 2 years ago

Also, an (empty) ~/.aws/credentials file is needed. https://github.com/aws-amplify/amplify-cli/issues/6882#issuecomment-950348362

ari-becker commented 1 year ago

Bug is still relevant today (amplify version 9.2.1). When trying to run amplify init, using AWS profile as the authentication method and choosing the profile set up by AWS SSO, I get the error:

Failed to get profile: Cannot read property 'accessKeyId' of undefined

This is frustrating as using AWS SSO is considered best-practice instead of creating individual long-lived IAM users with permanent credentials.

Neither touch ~/.aws/credentials nor AWS_SDK_LOAD_CONFIG=1 amplify init solve the issue.

thomasliddledba commented 1 year ago

I'm seeing the same issue as @ari-becker.

$ amplify version
10.0.0
$ AWS_SDK_LOAD_CONFIG=1
$ AWS_PROFILE=mapp01
$ amplify init
Note: It is recommended to run this command from the root of your app directory
? Enter a name for the project s3uploaderui
The following configuration will be applied:

Project information
| Name: s3uploaderui
| Environment: dev
| Default editor: Visual Studio Code
| App type: javascript
| Javascript framework: react
| Source Directory Path: src
| Distribution Directory Path: build
| Build Command: npm run-script build
| Start Command: npm run-script start

? Initialize the project with the above configuration? Yes
Using default provider  awscloudformation
? Select the authentication method you want to use: AWS profile

For more information on AWS Profiles, see:
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html

? Please choose the profile you want to use mapp01
Failed to get profile: Cannot read property 'accessKeyId' of undefined

Is there a best practice on how to use amplify with SSO?

benkehoe commented 1 year ago

I'm a little confused now. The AWS JavaScript SDK v2 added support for AWS SSO in v2.1093.0 and from what I can tell Amplify CLI requires v2.1113.0, so it seems like AWS SSO support should be present in the latest version of Amplify CLI.

karl-barbour commented 1 year ago

Running cli v10.3.0 I receive the same as the users above:

Failed to get profile: Cannot read property 'accessKeyId' of undefined

Is there an expected fix date for this?

ameer2468 commented 1 year ago

I've been stuck on this issue for 2 hours...how can something like this be broken and not fixed yet.

defyjoy commented 1 year ago

This is indeed broken as of now.

? Please choose the profile you want to use SB102
Failed to get profile: Cannot read property 'accessKeyId' of undefined

devops-amplify-app git:main ❯ amplify --version
10.5.1

This was supposed to be a basic requirement, as AWS has already provided SSO creds for a long time.

eligavril commented 1 year ago

Adding a role_arn to the profile configuration should solve the undefined 'accessKeyId' problem. Here is what I did in order to get it working on my computer:

I configured a profile in ~/.aws/config like this:

[profile myprofile]
region=<REGION>
role_arn=arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>
sso_start_url=https://<SUBDOMAIN>.awsapps.com/start
sso_region=<REGION>
sso_account_id=<ACCOUNT_ID>
sso_role_name=<ROLE_NAME>

I created the following script to login and export the credentials to the environment variables:

#!/bin/sh
# Usage: . ./configure-credentials-env.sh <profile>   (must be sourced, see below)

profile_name="$1"

# Start the SSO browser login for the given profile
aws sso login --profile "${profile_name}"

# Ask aws-sso-util for credential_process-style JSON for that profile
credentials=$(aws-sso-util credential-process --profile "${profile_name}")

# Export the three fields so SDK-based tools (such as the amplify cli) pick them up from the environment
export AWS_ACCESS_KEY_ID="$(echo "${credentials}" | jq -r '.AccessKeyId')"
export AWS_SECRET_ACCESS_KEY="$(echo "${credentials}" | jq -r '.SecretAccessKey')"
export AWS_SESSION_TOKEN="$(echo "${credentials}" | jq -r '.SessionToken')"

This script must be sourced in order to keep the AWS envs (Make absolutely sure you're sourcing the script and not regularly executing it!). For example:

. ./configure-credentials-env.sh myprofile

First I executed the script. Then, after the login was successful, I executed amplify init. It then allowed me to choose "AWS profile" and within it "myprofile".

When your credentials run out, just source the script again to get new ones. The amplify cli (under these configurations) should recognize them.

Also, if you want to make sure the AWS profile configuration was done correctly, look inside the created amplify/.config/local-aws-info.json file. It should look something like this:

{
  "dev": {
    "configLevel": "project",
    "useProfile": true,
    "profileName": "myprofile"
  }
}

Hope this helps.

cunneen commented 1 year ago

I've found @benkehoe 's excellent aws-sso-util has solved this for me, on amplify v10.5.1.

  1. Install aws-sso-util

  2. Set up a profile (which goes in .aws/config) called 'myprofile' (substitute your own values):

    aws-sso-util configure profile --sso-start-url 'https://myapp.awsapps.com/start#/' --account-id 987654321 --sso-region ap-southeast-2 --role-name AWSPowerUserAccess --region ap-southeast-2 myprofile

    Now whenever you need to login, you can just run: aws-sso-util login --all

    I have set up an alias in my .zshrc for this: alias awslogin="aws-sso-util login --all"

    and another one to launch the AWS web console: alias awsconsolebp="aws-sso-util console launch --account-id 987654321 --role-name AWSPowerUserAccess"

The resulting profile in ~/.aws/config looks like this; note the credential_process property:

[profile myprofile]
sso_start_url = https://myapp.awsapps.com/start#/
sso_region = ap-southeast-2
sso_account_id = 987654321
sso_role_name = AWSPowerUserAccess
region = ap-southeast-2
credential_process = aws-sso-util credential-process --profile myprofile

I think the credential_process is the special sauce which makes this work for us.

seanWLawrence commented 1 year ago

A workaround I just got working was to make another profile with the credential_process set to call the sso login command, i.e.

[profile admin]
sso_start_url = https://xxxxxxxx.awsapps.com/start#/
sso_region = us-east-1
sso_account_id = xxxxxxxxxx
sso_role_name = AWSAdministratorAccess
region = us-east-1
output = json

[profile admin-amplify]
credential_process = aws sso login --profile admin

Note: you'll need to replace the values for the profile names, sso_start_url, sso_account_id for this to work for your situation

Then when using the amplify CLI set the profile to the amplify one, in this case: admin-amplify

sami-bt commented 1 year ago
17:25:20 ~/ feature/lambda $ amplify init
Note: It is recommended to run this command from the root of your app directory
? Enter a name for the project xyz
The following configuration will be applied:

Project information
| Name: xyz
| Environment: dev
| Default editor: Visual Studio Code
| App type: javascript
| Javascript framework: react
| Source Directory Path: src
| Distribution Directory Path: build
| Build Command: npm run-script build
| Start Command: npm run-script start

? Initialize the project with the above configuration? Yes
Using default provider  awscloudformation
? Select the authentication method you want to use: AWS profile

For more information on AWS Profiles, see:
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html

? Please choose the profile you want to use sso-session sami-sso
Failed to get profile: Cannot read property 'accessKeyId' of undefined

When is this issue expected to get resolved? I am using SSO-Login and SSO-profile.

sami-bt commented 1 year ago

@cunneen made a great comment, but I used this npm package instead: https://www.npmjs.com/package/aws-sso-cli. Just replace aws-sso-util with aws-sso-cli and it will work like a charm.

adcanis commented 1 year ago

still having issues after setup.

config file:

[profile account-sso-dev]
sso_start_url = https://*********.awsapps.com/start
sso_region = ca-central-1  
sso_account_id = ************
sso_role_name = ******Dev
region = ca-central-1
output = json

credentials file:

[account-sso-dev]
aws_access_key_id=*****************
aws_secret_access_key=***********************
aws_session_token=***********************

I've used aws sso login --profile <profile name> and re-logged in only to receive error:

✖ There was an error pulling the backend environment dev. 🛑 The provided token is malformed or otherwise invalid.

I've also used aws-vault exec <profile name> and same thing.

cunneen commented 1 year ago

@adcanis it looks like you're missing a line from your config file:

credential_process = aws sso login --profile account-sso-dev
adcanis commented 1 year ago

@cunneen that's fantastic! Worked like a charm.

lorengordon commented 1 year ago

@adcanis it looks like you're missing a line from your config file:

credential_process = aws sso login --profile account-sso-dev

This is the oddest solution, to me, considering credential_process is supposed to require that the process outputs to stdout a json blob in a very specific format. And aws sso login definitely does not do that. Some weirdness must be happening under the covers, an implementation detail that works for the moment, and not an actual solution to the problem...

zagvym commented 1 year ago

This is my workaround. My amplify-cli is v11.1.1. Almost all the same as https://github.com/aws-amplify/amplify-cli/issues/4488#issuecomment-1379987317 , but this way just depends on only aws-cli, jq, and POSIX shell commands.

example

~/.aws/config

# SSO session config, See: https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html#sso-configure-profile-token-manual
[sso-session my-sso]
sso_start_url = ...
sso_region = ...
sso_registration_scopes = sso:account:access

# SSO profile for amplify-cli, See: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html
# Please replace {{AWS_ACCOUNT_ID}} and {{SSO_ROLE_NAME}} to your own
[profile my-amplify]
credential_process = aws sso get-role-credentials --account-id {{AWS_ACCOUNT_ID}} --role-name {{SSO_ROLE_NAME}} --access-token $(ls -t ~/.aws/sso/cache/*.json | xargs -I{} jq -r '.accessToken' {} | grep -v 'null' | head -n 1) --output json --query 'roleCredentials.{Version:`1`,AccessKeyId:accessKeyId,SecretAccessKey:secretAccessKey,SessionToken:sessionToken,Expiration:expiration}'

usage:

$ aws sso login --sso-session my-sso

$ amplify init
...
? Select the authentication method you want to use: AWS profile
...
? Please choose the profile you want to use my-amplify
...
zagvym commented 1 year ago

How about adding a step to use aws-sdk-js#SsoCredentials in amplify-cli#getProfiledAwsConfig() ?

For example, aws-cdk, which is a CLI tool depending on aws-sdk-js like amplify-cli, also uses it like https://github.com/aws/aws-cdk/blob/v2.77.0/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts#L81 .

noumanriazkhan commented 1 year ago

Thanks @benkehoe, the aws-sso-util has saved my life here.

smarinov84 commented 1 year ago

I tried all other methods described here. Only one that worked is the aws-sso-util based one. @cunneen provided great instructions. Thank you @benkehoe.

Amplify CLI version: 12.0.3

kiborkm commented 1 year ago

I could use Amplify CLI and AWS SSO profiles together with the following process and without any third-party tools:

Amplify CLI Version: 12.1.1
AWS CLI Version: aws-cli/2.12.2 Python/3.11.4 Windows/10 exe/AMD64 prompt/off

  1. Configure AWS SSO session.

  2. Open AWS CLI config JSON file, typically located under '~/.aws/config.json', and create a profile with syntax:

    [profile my-amplify-profile]
    credential_process = aws configure export-credentials --profile my-amplify-profile
    region = eu-central-1
    sso_session = <MY_SESSION_NAME>
    sso_account_id = <MY_ACCOUNT_ID>
    sso_role_name = <MY_ROLE_NAME>
    output = json
  3. Log in to AWS SSO with the SSO session created in step 1 and configured in step 2:

    aws sso login --sso-session <MY_SESSION_NAME>
  4. Now you should be able to use the profile 'my-amplify-profile' with Amplify CLI, e.g.:

    • you can create a new Amplify project with amplify init and choose inside the CLI process the created profile 'my-amplify-profile'
    • you can create a new Amplify environment with amplify add env and choose inside the CLI process the created profile 'my-amplify-profile'. This process works also with multiple profiles for different AWS accounts (cross-account deployments). Just change on each amplify add env the profile name. All local configured profiles should be listed inside local-aws-info.json.
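As an added illustration (not kiborkm's or the Amplify project's code), the following Python snippet parses a ~/.aws/config in the shape produced by the steps above and flags the two things this thread keeps tripping over: an SSO profile with no credential_process, and a credential_process that runs aws sso login instead of a command that emits JSON. The config text, account id, role and session names are constructed for the example.

```python
import configparser

# Constructed sample ~/.aws/config in the shape of the profile from the steps
# above; account id, role and session names are made-up placeholders.
SAMPLE_CONFIG = """
[sso-session my-sso]
sso_start_url = https://example.awsapps.com/start#/
sso_region = eu-central-1
sso_registration_scopes = sso:account:access

# profile set up as the steps above describe
[profile my-amplify-profile]
credential_process = aws configure export-credentials --profile my-amplify-profile
region = eu-central-1
sso_session = my-sso  # inline comment, as in some examples in this thread
sso_account_id = 123456789012
sso_role_name = MyRole
output = json

# plain SSO profile: fine for the AWS CLI, but the thread reports Amplify CLI
# cannot read credentials from it
[profile plain-sso]
sso_session = my-sso
sso_account_id = 123456789012
sso_role_name = MyRole
region = eu-central-1

# credential_process pointing at a command that prints text, not JSON
[profile login-hack]
credential_process = aws sso login --profile plain-sso

# sso_session that refers to a section that does not exist
[profile dangling]
sso_session = missing-session
region = eu-central-1
"""


def parse_aws_config(text: str) -> configparser.ConfigParser:
    """Parse AWS CLI config text. A '#' only starts an inline comment when it
    follows whitespace, so a start URL ending in '#/' is kept intact."""
    parser = configparser.ConfigParser(inline_comment_prefixes=("#", ";"),
                                       interpolation=None)
    parser.read_string(text)
    return parser


def check_config(text: str) -> dict:
    """Return {profile_name: [findings]} for every [profile ...] section.
    An empty list means the profile looks usable in the way the thread describes."""
    parser = parse_aws_config(text)
    sessions = {s.split(" ", 1)[1] for s in parser.sections()
                if s.startswith("sso-session ")}
    reports = {}
    for section in parser.sections():
        if not section.startswith("profile "):
            continue
        name = section.split(" ", 1)[1]
        opts = parser[section]
        findings = []
        session = opts.get("sso_session")
        uses_sso = session is not None or "sso_start_url" in opts
        process = opts.get("credential_process")
        if session is not None and session not in sessions:
            findings.append(f"sso_session '{session}' has no matching "
                            f"[sso-session {session}] section")
        if process is None and uses_sso:
            findings.append("SSO profile without credential_process; the thread reports "
                            "Amplify CLI fails with \"Cannot read property 'accessKeyId' "
                            "of undefined\" on such profiles")
        if (process is None and not uses_sso
                and "aws_access_key_id" not in opts and "source_profile" not in opts):
            findings.append("no credential source at all")
        if process is not None and process.split()[:3] == ["aws", "sso", "login"]:
            findings.append("credential_process runs 'aws sso login', which prints text "
                            "rather than the JSON the credential_process contract requires")
        reports[name] = findings
    return reports


if __name__ == "__main__":
    for profile, findings in check_config(SAMPLE_CONFIG).items():
        print(profile, "->", findings or "ok")
```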
josefaidt commented 1 year ago

Hey folks :wave: as a few have pointed out here in the thread you can use AWS IAM Identity Center with Amplify! Following the AWS guide from @kiborkm's comment above you'll end up with a profile config in ~/.aws/config similar to the following:

# ~/.aws/config
[profile mysso-profile]
sso_session=mysso-session # point to the `sso-session` entry
sso_account_id=xxx
sso_role_name=AdministratorAccess
region=us-east-1

[sso-session mysso-session]
sso_start_url=https://xxx.awsapps.com/start
sso_region=us-east-1
sso_registration_scopes=sso:account:access

To work around the following error, you will need to add a credential_process to the AWS profile, as noted in @seanWLawrence's comment:

🛑 Failed to get profile credentials
Cannot read properties of undefined (reading 'accessKeyId')
# ~/.aws/config
[profile mysso-profile]
sso_session=mysso-session # point to the `sso-session` entry
sso_account_id=xxx
sso_role_name=AdministratorAccess
region=us-east-1
+ credential_process=aws sso login --profile mysso-profile

[sso-session mysso-session]
sso_start_url=https://xxx.awsapps.com/start
sso_region=us-east-1
sso_registration_scopes=sso:account:access

With this example upon calling amplify init you will want to select the mysso-profile AWS profile:

➜  amplify init
Note: It is recommended to run this command from the root of your app directory
? Enter a name for the project amplifywithsso
The following configuration will be applied:

Project information
| Name: amplifywithsso
| Environment: dev
| Default editor: Visual Studio Code
| App type: javascript
| Javascript framework: none
| Source Directory Path: src
| Distribution Directory Path: dist
| Build Command: npm run-script build
| Start Command: npm run-script start

? Initialize the project with the above configuration? Yes
Using default provider  awscloudformation
? Select the authentication method you want to use: AWS profile

For more information on AWS Profiles, see:
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html

? Please choose the profile you want to use mysso-profile
Adding backend environment dev to AWS Amplify app: d1t6kmme070w48
...

There is an active bug where the sso-session entry is displayed in the profile list; however, upon selection it will produce the following error:

Unexpected token A in JSON at position 0

I will keep this request open to support SSO without needing to specify a credential_process, as it is not shown as required in the documentation.

lorengordon commented 1 year ago
  • credential_process=aws sso login --profile mysso-profile

@josefaidt I don't believe that actually works in any way that depends on the standard interface of credential_process. If it works at all, it is relying on an implementation detail, and in no way should it be recommended as a "solution". See my comment about it earlier: https://github.com/aws-amplify/amplify-cli/issues/4488#issuecomment-1448764507

What @kiborkm suggested was a slightly different approach, using a newish feature of the AWS CLI:

credential_process = aws configure export-credentials --profile my-amplify-profile

That works because the command defaults to outputting the credentials in the format expected by credential_process.

--format (string) The output format to display credentials. Defaults to process.

process - Display credentials as JSON output, in the schema expected by the credential_process config value. This enables any library or tool that supports credential_process to use the AWS CLI’s credential resolution process: credential_process = aws configure export-credentials --profile myprofile

Still, as you say, even that config should not be necessary. So, yeah, appreciate keeping the issue open until amplify is properly supporting AWS SSO and the AWS SDK Credential Chain.
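As an added check (not from the thread, the AWS CLI or Amplify), here is a Python validator for what a credential_process command writes to stdout, following the schema the quoted documentation describes: a JSON object with Version 1, AccessKeyId, SecretAccessKey, an optional SessionToken and an optional ISO-8601 Expiration. The two sample outputs are constructed: one in the shape aws configure export-credentials emits, the other the text aws sso login prints, which a JSON parser rejects at position 0.

```python
import json
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Fixed clock so the checks below are reproducible; all samples are constructed.
CHECK_TIME = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)

# Shape of `aws configure export-credentials --format process` output, i.e. the
# credential_process JSON schema (key, secret and token values are made up).
EXPORT_CREDENTIALS_SAMPLE = json.dumps({
    "Version": 1,
    "AccessKeyId": "ASIAEXAMPLEKEY000000",
    "SecretAccessKey": "constructed-secret-access-key",
    "SessionToken": "constructed-session-token",
    "Expiration": "2024-06-01T13:00:00Z",
})

# What `aws sso login` prints instead (wording as in the transcript earlier in
# this thread); this is not JSON at all.
SSO_LOGIN_SAMPLE = (
    "Attempting to automatically open the SSO authorization page in your "
    "default browser.\nThen enter the code:\nXXXX-XXXX\n"
)


def validate_credential_process_output(stdout: str,
                                       now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Check stdout against the credential_process contract.

    Returns (ok, reason). ok is True only for a JSON object with Version 1,
    non-empty string AccessKeyId and SecretAccessKey, an optional string
    SessionToken and an optional timezone-aware, still-valid ISO-8601 Expiration.
    """
    now = now or datetime.now(timezone.utc)
    try:
        doc = json.loads(stdout)
    except json.JSONDecodeError as exc:
        return False, f"stdout is not JSON ({exc.msg} at position {exc.pos})"
    if not isinstance(doc, dict):
        return False, "top-level JSON value is not an object"
    version = doc.get("Version")
    if isinstance(version, bool) or version != 1:   # bool guard: True == 1 in Python
        return False, f"Version must be the integer 1, got {version!r}"
    for key in ("AccessKeyId", "SecretAccessKey"):
        if not isinstance(doc.get(key), str) or not doc[key]:
            return False, f"missing or empty {key}"
    if "SessionToken" in doc and not isinstance(doc["SessionToken"], str):
        return False, "SessionToken must be a string"
    if "Expiration" in doc:
        raw = doc["Expiration"]
        try:
            # fromisoformat() accepts '+00:00' on every supported Python; 'Z' only on 3.11+
            expires = datetime.fromisoformat(raw.replace("Z", "+00:00"))
        except (AttributeError, ValueError):
            return False, f"Expiration is not an ISO-8601 timestamp: {raw!r}"
        if expires.tzinfo is None:
            return False, "Expiration must include a UTC offset"
        if expires <= now:
            return False, f"credentials expired at {expires.isoformat()}"
    return True, "ok"


def run_samples() -> dict:
    """Evaluate the constructed samples at CHECK_TIME and two hours later."""
    return {
        "export_credentials": validate_credential_process_output(
            EXPORT_CREDENTIALS_SAMPLE, CHECK_TIME),
        "export_credentials_later": validate_credential_process_output(
            EXPORT_CREDENTIALS_SAMPLE, CHECK_TIME + timedelta(hours=2)),
        "sso_login_text": validate_credential_process_output(
            SSO_LOGIN_SAMPLE, CHECK_TIME),
    }


if __name__ == "__main__":
    for name, (ok, reason) in run_samples().items():
        print(f"{name}: {'OK' if ok else 'REJECTED'} ({reason})")
```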

rurounijones commented 11 months ago

Just ran into this and running into an issue with an AWS tool not supporting AWS SSO best practices without workarounds at the very beginning of the investigation into said tool is a knock to its credibility.

stormlrd commented 11 months ago

A workaround I just got working was to make another profile with the credential_process set to call the sso login command, i.e.

[profile admin]
sso_start_url = https://xxxxxxxx.awsapps.com/start#/
sso_region = us-east-1
sso_account_id = xxxxxxxxxx
sso_role_name = AWSAdministratorAccess
region = us-east-1
output = json

[profile admin-amplify]
credential_process = aws sso login --profile admin

Note: you'll need to replace the values for the profile names, sso_start_url, sso_account_id for this to work for your situation

Then when using the amplify CLI set the profile to the amplify one, in this case: admin-amplify

Thanks mate. This issue has had me stumped for hours and this is the only thing that has worked 100% clearly every time. So this goes into my process docs for now. Cheers!

qwikag commented 11 months ago

A workaround I just got working was to make another profile with the credential_process set to call the sso login command, i.e.

[profile admin]
sso_start_url = https://xxxxxxxx.awsapps.com/start#/
sso_region = us-east-1
sso_account_id = xxxxxxxxxx
sso_role_name = AWSAdministratorAccess
region = us-east-1
output = json

[profile admin-amplify]
credential_process = aws sso login --profile admin

Note: you'll need to replace the values for the profile names, sso_start_url, sso_account_id for this to work for your situation

Then when using the amplify CLI set the profile to the amplify one, in this case: admin-amplify

Yes but SET IT WHERE?

stormlrd commented 11 months ago

A workaround I just got working was to make another profile with the credential_process set to call the sso login command, i.e.

[profile admin]
sso_start_url = https://xxxxxxxx.awsapps.com/start#/
sso_region = us-east-1
sso_account_id = xxxxxxxxxx
sso_role_name = AWSAdministratorAccess
region = us-east-1
output = json

[profile admin-amplify]
credential_process = aws sso login --profile admin

Note: you'll need to replace the values for the profile names, sso_start_url, sso_account_id for this to work for your situation

Then when using the amplify CLI set the profile to the amplify one, in this case: admin-amplify

Yes but SET IT WHERE?

The example is representative of profiles in the aws cli config file.

qwikag commented 11 months ago

The example is representative of profiles in the aws cli config file.

the comment clearly says "Then when using the amplify CLI set the profile to the amplify one, in this case: admin-amplify"

but what does that mean, where do you "SET" it? how is this setup used?

It is commentary like this that has meant nobody has a clue how this all works, and noobs come along and fumble with it for days on end.

qwikag commented 11 months ago

And btw the documentation clearly has many ways of configuring Auth in CLI, and Amplify CLI does not seem to operate within AWS CLI boundaries. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html

stormlrd commented 11 months ago

The example is representative of profiles in the aws cli config file.

the comment clearly says "Then when using the amplify CLI set the profile to the amplify one, in this case: admin-amplify"

but what does that mean, where do you "SET" it? how is this setup used?

It is commentary like this that has meant nobody has a clue how this all works, and noobs come along and fumble with it for days on end.

Sorry.. I guess what they should have said was: when using the amplify CLI, SELECT the admin-amplify profile from the list as the amplify CLI steps you through asking for what type of credential you want to use. One should be selecting the "profile" option, and then the profiles from the aws cli config file are read and presented in the list. Instead of picking the one with the sso settings, you pick the one with the "credential_process =" defined in it. It doesn't make a difference what the profile names are; you can change them. This is the structure of how to do it.

qwikag commented 11 months ago

sorry .. I guess what they should have said was...

Sorry but this does not help either.

stormlrd commented 11 months ago

sorry .. I guess what they should have said was...

Sorry but this does not help either.

[image]

OperationalFallacy commented 11 months ago

A simple question: when amplify commands run, what profile or credentials are these commands using? There are no keys exported, no default profiles - everything is SSO based.

Where is this information about profile stored in amplify? How to change it?

OperationalFallacy commented 11 months ago

I'm trying to understand design philosophy here. Amplify cli by default forces users to create an IAM long-lived key and secret. Which is a big no-no. What's the consideration for these defaults?

What's the alternative for security-aware organization with SSO?

amplify configure
Follow these steps to set up access to your AWS account:

Sign in to your AWS administrator account:
https://console.aws.amazon.com/
Press Enter to continue

Specify the AWS Region
? region:  us-east-1
Follow the instructions at
https://docs.amplify.aws/cli/start/install/#configure-the-amplify-cli

to complete the user creation in the AWS console
https://console.aws.amazon.com/iamv2/home#/users/create
Press Enter to continue

Enter the access key of the newly created user:
? accessKeyId:  [hidden] 
romeubertho commented 10 months ago

I tried the workaround @josefaidt proposed in the comments and the one by @kiborkm here. Unfortunately, I did not have success with either approach :(

amplify version: 12.3.0
aws cli version: aws-cli/2.9.19 Python/3.9.11 Linux/5.10.102.1-microsoft-standard-WSL2 exe/x86_64.ubuntu.20 prompt/off

When I do amplify init and choose my SSO profile I always get the following:

🛑 The security token included in the request is expired

Learn more at: https://docs.amplify.aws/cli/project/troubleshooting/

Session Identifier: 0624a60c-87a1-4d95-b3d5-52ce6053cf6c

I did the following workaround to get it working:

[profile amplify-dev]
region=us-east-1
  1. jq installed, otherwise just sudo apt install jq
  2. an SSO profile called dev in ~/.aws/config

The amplify-dev function will make SSO login, get the credentials, and add/update it to ~/.aws/credentials to amplify-dev profile.

justinwiley commented 10 months ago

This issue/bug/feature has been stuck in limbo for more than 3 years, and as a result Amplify developers working in multi-account environments with SSO (ie following AWS's well-architected framework) have to hand-roll a variety of their own authentication scripts or copy and paste values out of the web interface to do something that should be seamless.

Is there any way this can be upgraded in priority @SwaySway @siegerts and assigned a label that indicates it is core functionality of Amplify instead of a feature?

qwikag commented 9 months ago
credential_process=aws sso login --profile mysso-profile

@josefaidt your example is different to the person that you quoted!

they use a double profile approach in the config file, 1st profile refers to the second. yours is in a single profile with an SSO profile

??????????????

scarybot commented 8 months ago

This seems to be a fundamental problem which undercuts Amplify's usability. I can't recommend this to my team if their first interaction with it will be a hacky auth workaround. It's essential that this tool supports SSO.

r-colvin commented 7 months ago

hi all! trying to follow the above but continuously getting the error

amplify init    
Note: It is recommended to run this command from the root of your app directory
? Enter a name for the project myamplifyapp
The following configuration will be applied:

Project information
| Name: myamplifyapp
| Environment: dev
| Default editor: Visual Studio Code
| App type: javascript
| Javascript framework: react
| Source Directory Path: src
| Distribution Directory Path: build
| Build Command: npm run-script build
| Start Command: npm run-script start

? Initialize the project with the above configuration? Yes
Using default provider  awscloudformation
? Select the authentication method you want to use: AWS profile

For more information on AWS Profiles, see:
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html

? Please choose the profile you want to use amplify-sso-profile
🛑 The security token included in the request is invalid.

Learn more at: https://docs.amplify.aws/cli/project/troubleshooting/

in my ~/.aws/config I have an sso-session defined and a profile that uses that sso-session

[profile aws-profile]
sso_session = aws-sso-session
sso_account_id = xxxx
sso_role_name = xxxx
region = xxxx
output = json

[session aws-sso-session]
sso_start_url = xxx
sso_region = xxx
sso_registration_scopes = xxx

this works perfectly, for example: aws sso login --profile aws-profile logs me in, and I can execute commands in the accounts aws-profile is configured for, for example aws s3 ls --profile aws-profile

now for the amplify cli, I have added the following

[profile amplify-sso-profile]
credential_process = "aws configure export-credentials --profile aws-profile"

but having the issue as shown in the log message (The security token included in the request is invalid.)

as per https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html

The AWS CLI runs the command as specified in the profile and then reads data from STDOUT. The command you specify must generate JSON output on STDOUT that matches the following syntax.

so I am not sure why this is not working?

[profile aws-profile]
sso_session = aws-sso-session
sso_account_id = xxxx
sso_role_name = xxxx
region = xxxx
output = json
credential_process = "aws configure export-credentials --profile aws-profile"

I was able to get it to work once by using access-key instead of profile (and using temporary credentials from the SSO login page); however of course this failed after an hour when the credentials expired

I can certainly agree though, that it would not be the worst thing in the world if Amplify CLI natively supported SSO after this many years

@josefaidt / @lorengordon I drew the most intuition / insight from your comments, hence my solution looks the most like your suggestions - maybe you have an idea where I went wrong?

-- next day: progress -- looking at my ~/.aws/config I had the wrong region in my amplify profile - fixed that and now I get 🛑 The security token included in the request is expired even though I did an sso login immediately beforehand

I looked again at @kiborkm post (https://github.com/aws-amplify/amplify-cli/issues/4488#issuecomment-1607699922) and noticed that it uses aws sso login --sso-session <session> (instead of --profile); I replicated that profile setup, but still 🛑 The security token included in the request is expired; aws sso login --profile <profile> results in the same issue

I have tried to use access-keys (as I did yesterday, copying+pasting from the SSO page "Command line or programmatic access") but get the following today (for some reason... no idea why!)

Using default provider  awscloudformation
? Select the authentication method you want to use: AWS access keys
? accessKeyId:  ********************
? secretAccessKey:  ****************************************
? region:  us-east-1
Invalid configuration settings!

So, instead I have added a profile in ~/.aws/config

[profile amplify-stc]
region = xxx

and then matching credentials in ~/.aws/credentials

[amplify-stc]
aws_access_key_id=xxx
aws_secret_access_key=xxx
aws_session_token=xxx

and I will update this each time with new credentials - you could use a script like @romeubertho alludes to, to automatically update the credentials after SSO Login

so, for anyone who comes after me! possible solutions:

  1. An SSO Profile with credential_process (does not work for me, yet - short of AWS actually fixing the amplify CLI, this is what I am aiming for - so if anyone can point me to why my config doesn't work, I'd be grateful)
  2. Use access_keys in aws init etc; though you will have to update the keys constantly (amplify configure project will allow you to change keys or profile) :: Not Recommended
  3. Use temporary credentials stored in ~/.aws/credentials and update this file, manually or automatically each time you need to SSO login (this is what I am doing now)
  4. a Plugin like aws-mfa for oh my zsh will essentially do an automatic update of the ~/.aws/credentials (https://github.com/joepjoosten/aws-cli-mfa-oh-my-zsh/tree/master)
  5. create an IAM user without SSO for this purpose and use access_keys

I can't think of any other options just now :) hope that helps someone in the future

now to debug why credential_process and accessKeys instead of profile is not working for me :)
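Option 3 above (refresh the static profile in ~/.aws/credentials after each SSO login) can be scripted. The following is an added example, not code from this thread or from the Amplify project; it assumes AWS CLI v2 with the real `aws configure export-credentials` subcommand, and the profile names (aws-profile, amplify-stc) are placeholders.

```shell
#!/bin/sh
# write_profile PROFILE FILE
# Reads KEY=VALUE lines on stdin, in the shape printed by
# `aws configure export-credentials --format env-no-export`, and rewrites the
# [PROFILE] section of FILE with them, leaving every other section untouched.
write_profile() {
    profile=$1
    file=$2
    key_id= secret= token=
    while IFS='=' read -r k v; do
        case $k in
            AWS_ACCESS_KEY_ID) key_id=$v ;;
            AWS_SECRET_ACCESS_KEY) secret=$v ;;
            AWS_SESSION_TOKEN) token=$v ;;
        esac
    done
    # SSO credentials are temporary: all three parts must be present.
    [ -n "$key_id" ] && [ -n "$secret" ] && [ -n "$token" ] || return 1
    tmp=$(mktemp) || return 1
    # Copy every section except the one being refreshed (no duplicates on re-run).
    [ -f "$file" ] && awk -v p="[$profile]" '
        /^\[/ { skip = ($0 == p) }
        !skip { print }
    ' "$file" > "$tmp"
    printf '[%s]\naws_access_key_id=%s\naws_secret_access_key=%s\naws_session_token=%s\n' \
        "$profile" "$key_id" "$secret" "$token" >> "$tmp"
    # The file now holds live credentials: owner-only permissions before it lands.
    chmod 600 "$tmp" && mv "$tmp" "$file"
}

# refresh_from_sso SSO_PROFILE TARGET_PROFILE [CREDENTIALS_FILE]
# Logs in (browser flow) only if the SSO session is no longer valid, then
# copies the short-lived credentials into the static profile Amplify can read.
refresh_from_sso() {
    aws sts get-caller-identity --profile "$1" >/dev/null 2>&1 \
        || aws sso login --profile "$1"
    aws configure export-credentials --profile "$1" --format env-no-export \
        | write_profile "$2" "${3:-$HOME/.aws/credentials}"
}

# Usage (placeholder names): refresh_from_sso aws-profile amplify-stc
```

Run it again whenever the hour-long session expires; the static profile keeps its name, so amplify configure project only needs to be pointed at it once.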