Open v1pz3n opened 4 years ago
I have a problem adding a new env with the Amplify CLI that uses an SSO profile. Getting:
init failed
Error: connect ETIMEDOUT 169.254.169.254:80
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1141:16) {
  message: 'Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1',
  errno: 'ETIMEDOUT',
  code: 'CredentialsError',
  syscall: 'connect',
  address: '169.254.169.254',
  port: 80,
  time: 2020-06-08T05:08:14.592Z,
  originalError: {
    message: 'Could not load credentials from any providers',
    errno: 'ETIMEDOUT',
    code: 'CredentialsError',
    syscall: 'connect',
    address: '169.254.169.254',
    port: 80,
    time: 2020-06-08T05:08:14.592Z,
    originalError: {
      message: 'EC2 Metadata roleName request returned error',
      errno: 'ETIMEDOUT',
      code: 'ETIMEDOUT',
      syscall: 'connect',
      address: '169.254.169.254',
      port: 80,
      time: 2020-06-08T05:08:14.592Z,
      originalError: [Object]
    }
  }
}
I tried another way but I also had problems.
You must delete the "amplify" directory of your project
$ aws sso login --profile amplify
Attempting to automatically open the SSO authorization page in your default browser. If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
https://device.sso.us-east-1.amazonaws.com/
Then enter the code:
XXXX-XXXX
Successully logged into Start URL: https://amplify.awsapps.com/start
$ amplify pull
For more information on AWS Profiles, see: https://docs.aws.amazon.com/cli/latest/userguide/cli-multiple-profiles.html
? Do you want to use an AWS profile? Yes
? Please choose the profile you want to use amplify
Error: connect EHOSTUNREACH 169.254.169.254:80
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1141:16) {
  message: 'Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1',
  errno: -113,
  code: 'CredentialsError',
  syscall: 'connect',
  address: '169.254.169.254',
  port: 80,
  time: 2020-06-13T22:09:10.614Z,
  originalError: {
    message: 'Could not load credentials from any providers',
    errno: -113,
    code: 'CredentialsError',
    syscall: 'connect',
    address: '169.254.169.254',
    port: 80,
    time: 2020-06-13T22:09:10.614Z,
    originalError: {
      message: 'EC2 Metadata roleName request returned error',
      errno: -113,
      code: 'EHOSTUNREACH',
      syscall: 'connect',
      address: '169.254.169.254',
      port: 80,
      time: 2020-06-13T22:09:10.614Z,
      originalError: [Object]
    }
  }
}
Hi folks,
we also face a similar problem with slightly different error messages. I've tried to describe it here also for the 'amplify init' command:
You may be able to use aws-sso-credential-process with AWS_SDK_LOAD_CONFIG=1 set to enable AWS SSO credentials to be used.
If that doesn't work, there is a workaround, developed for the CDK (which has the same problem): https://github.com/aws/aws-cdk/issues/5455#issuecomment-713643500
The aws2-wrap method referenced by @benkehoe is working absolutely fine for CDK. However, the amplify issue isn't getting resolved by it. Is there some other way that anyone has been able to get the amplify to work with sso credentials since the time this issue was first created?
Hey, folks, let me know if this helps, since I was facing a very similar problem and (I think) I "fixed" it: Setup
$> amplify publish -c
× There was an error pulling the backend environment dev.
An error occurred during the push operation: The provided token has expired.
Fixing:
@nishitjain13 Did you try the credential_process method using aws-sso-util instead of aws2-wrap? I have updated the documentation for it here.
Additionally, aws-export-credentials supports AWS SSO and allows you to inject environment variables with your credentials.
In cases like this one or other similar cases where AWS SSO results in incompatibilities with your library and you don't want to play with workarounds or complicated fixes, maybe you can also give a try to our open-source project: https://github.com/Noovolari/leapp. It deals with AWS SSO authentication and accounts/roles retrieval, then it creates short-lived temporary credentials in .aws/credentials to maximize compatibility with third party tools / sdks.
> Did you try the credential_process method using aws-sso-util instead of aws2-wrap? I have updated the documentation for it here.
@benkehoe Thank you. I solved the problem in my environment (aws-amplify/cli 4.41.2).
I needed AWS_SDK_LOAD_CONFIG=1.
I followed the above instructions with AWS_SDK_LOAD_CONFIG=1 using credential_process method with aws-sso-util. However it appears that the AWS CLI completely ignores the credential process as per this issue here: https://github.com/aws-amplify/amplify-cli/issues/6882
Ok I figured out the issue. For this credential_process to work, all of the following conditions must be met:
AWS_SDK_LOAD_CONFIG=1
AWS_Profile={your profile}
amplify init and select the same {your profile} when prompted
Also an (empty) ~/.aws/credentials file needed. https://github.com/aws-amplify/amplify-cli/issues/6882#issuecomment-950348362
Bug is still relevant today (amplify version 9.2.1).
When trying to run amplify init, using AWS profile as the authentication method and choosing the profile set up by AWS SSO, I get the error:
Failed to get profile: Cannot read property 'accessKeyId' of undefined
This is frustrating as using AWS SSO is considered best-practice instead of creating individual long-lived IAM users with permanent credentials.
Neither touch ~/.aws/credentials nor AWS_SDK_LOAD_CONFIG=1 amplify init solves the issue.
I'm seeing the same issue as @ari-becker.
$ amplify version
10.0.0
$ AWS_SDK_LOAD_CONFIG=1
$ AWS_PROFILE=mapp01
$ amplify init
Note: It is recommended to run this command from the root of your app directory
? Enter a name for the project s3uploaderui
The following configuration will be applied:
Project information
| Name: s3uploaderui
| Environment: dev
| Default editor: Visual Studio Code
| App type: javascript
| Javascript framework: react
| Source Directory Path: src
| Distribution Directory Path: build
| Build Command: npm run-script build
| Start Command: npm run-script start
? Initialize the project with the above configuration? Yes
Using default provider awscloudformation
? Select the authentication method you want to use: AWS profile
For more information on AWS Profiles, see:
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html
? Please choose the profile you want to use mapp01
Failed to get profile: Cannot read property 'accessKeyId' of undefined
Is there a best practice on how to use amplify with SSO?
I'm a little confused now. The AWS JavaScript SDK v2 added support for AWS SSO in v2.1093.0 and from what I can tell Amplify CLI requires v2.1113.0, so it seems like AWS SSO support should be present in the latest version of Amplify CLI.
Running cli v10.3.0 I receive the same as the users above:
Failed to get profile: Cannot read property 'accessKeyId' of undefined
Is there an expected fix date for this?
I've been stuck on this issue for 2 hours...how can something like this be broken and not fixed yet.
This is indeed broken as of now.
? Please choose the profile you want to use SB102
Failed to get profile: Cannot read property 'accessKeyId' of undefined
devops-amplify-app git:main ❯ amplify --version ⏎
10.5.1
This was supposed to be a basic requirement as AWS already provides this SSO creds long back.
Adding a role_arn to the profile configuration should solve the undefined 'accessKeyId' problem. Here is what I did in order to get it working on my computer:
I configured a profile in ~/.aws/config like this:
[profile myprofile]
region=<REGION>
role_arn=arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>
sso_start_url=https://<SUBDOMAIN>.awsapps.com/start
sso_region=<REGION>
sso_account_id=<ACCOUNT_ID>
sso_role_name=<ROLE_NAME>
I created the following script to login and export the credentials to the environment variables:
#!/bin/sh
profile_name="$1"
aws sso login --profile "${profile_name}"
credentials=$(aws-sso-util credential-process --profile "${profile_name}")
export AWS_ACCESS_KEY_ID="$(echo "${credentials}" | jq -r '.AccessKeyId')"
export AWS_SECRET_ACCESS_KEY="$(echo "${credentials}" | jq -r '.SecretAccessKey')"
export AWS_SESSION_TOKEN="$(echo "${credentials}" | jq -r '.SessionToken')"
This script must be sourced in order to keep the AWS envs (Make absolutely sure you're sourcing the script and not regularly executing it!). For example:
. ./configure-credentials-env.sh myprofile
First I executed the script. Then, after the login was successful, I executed amplify init. It then allowed me to choose "AWS profile" and within it "myprofile".
When your credentials run out, just source the script again to get new ones. The amplify cli (under these configurations) should recognize them.
Also, if you want to make sure the AWS profile configuration was done correctly, look inside the created amplify/.config/local-aws-info.json file. It should look something like this:
{
  "dev": {
    "configLevel": "project",
    "useProfile": true,
    "profileName": "myprofile"
  }
}
Hope this helps.
I've found @benkehoe's excellent aws-sso-util has solved this for me, on amplify v10.5.1.
Install aws-sso-util
Set up a profile (which goes in .aws/config) called 'myprofile' (substitute your own values):
aws-sso-util configure profile --sso-start-url 'https://myapp.awsapps.com/start#/' --account-id 987654321 --sso-region ap-southeast-2 --role-name AWSPowerUserAccess --region ap-southeast-2 myprofile
Now whenever you need to login, you can just run:
aws-sso-util login --all
I have set up an alias in my .zshrc for this:
alias awslogin="aws-sso-util login --all"
and another one to launch the AWS web console:
alias awsconsolebp="aws-sso-util console launch --account-id 987654321 --role-name AWSPowerUserAccess"
The resulting profile in ~/.aws/config looks like this; note the credential_process property:
[profile myprofile]
sso_start_url = https://myapp.awsapps.com/start#/
sso_region = ap-southeast-2
sso_account_id = 987654321
sso_role_name = AWSPowerUserAccess
region = ap-southeast-2
credential_process = aws-sso-util credential-process --profile myprofile
I think the credential_process is the special sauce which makes this work for us.
A workaround I just got working was to make another profile with the credential_process set to call the sso login command, i.e.
[profile admin]
sso_start_url = https://xxxxxxxx.awsapps.com/start#/
sso_region = us-east-1
sso_account_id = xxxxxxxxxx
sso_role_name = AWSAdministratorAccess
region = us-east-1
output = json
[profile admin-amplify]
credential_process = aws sso login --profile admin
Note: you'll need to replace the values for the profile names, sso_start_url, sso_account_id for this to work for your situation
Then when using the amplify CLI set the profile to the amplify one, in this case: admin-amplify
17:25:20 ~/ feature/lambda $ amplify init
Note: It is recommended to run this command from the root of your app directory
? Enter a name for the project xyz
The following configuration will be applied:
Project information
| Name: xyz
| Environment: dev
| Default editor: Visual Studio Code
| App type: javascript
| Javascript framework: react
| Source Directory Path: src
| Distribution Directory Path: build
| Build Command: npm run-script build
| Start Command: npm run-script start
? Initialize the project with the above configuration? Yes
Using default provider awscloudformation
? Select the authentication method you want to use: AWS profile
For more information on AWS Profiles, see:
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html
? Please choose the profile you want to use sso-session sami-sso
Failed to get profile: Cannot read property 'accessKeyId' of undefined
When is this issue expected to get resolved? I am using SSO-Login and SSO-profile.
@cunneen made a great comment, but I used this npm package instead https://www.npmjs.com/package/aws-sso-cli
just replace aws-sso-util with aws-sso-cli and it will work like a charm.
still having issues after setup.
config file:
[profile account-sso-dev]
sso_start_url = https://*********.awsapps.com/start
sso_region = ca-central-1
sso_account_id = ************
sso_role_name = ******Dev
region = ca-central-1
output = json
credentials file:
[account-sso-dev]
aws_access_key_id=*****************
aws_secret_access_key=***********************
aws_session_token=***********************
I've used aws sso login --profile <profile name> and re-logged in only to receive error:
✖ There was an error pulling the backend environment dev. 🛑 The provided token is malformed or otherwise invalid.
I've also used aws-vault exec <profile name> and same thing.
@adcanis it looks like you're missing a line from your config file:
credential_process = aws sso login --profile account-sso-dev
@cunneen that's fantastic! worked like a charm.
> @adcanis it looks like you're missing a line from your config file: credential_process = aws sso login --profile account-sso-dev
This is the oddest solution, to me, considering credential_process is supposed to require that the process outputs to stdout a json blob in a very specific format. And aws sso login definitely does not do that. Some weirdness must be happening under the covers, an implementation detail that works for the moment, and not an actual solution to the problem...
This is my workaround. My amplify-cli is v11.1.1.
Almost all the same as https://github.com/aws-amplify/amplify-cli/issues/4488#issuecomment-1379987317 , but this way just depends on only aws-cli, jq, and POSIX shell commands.
~/.aws/config
# SSO session config, See: https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html#sso-configure-profile-token-manual
[sso-session my-sso]
sso_start_url = ...
sso_region = ...
sso_registration_scopes = sso:account:access
# SSO profile for amplify-cli, See: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html
# Please replace {{AWS_ACCOUNT_ID}} and {{SSO_ROLE_NAME}} with your own
[profile my-amplify]
credential_process = aws sso get-role-credentials --account-id {{AWS_ACCOUNT_ID}} --role-name {{SSO_ROLE_NAME}} --access-token $(ls -t ~/.aws/sso/cache/*.json | xargs -I{} jq -r '.accessToken' {} | grep -v 'null' | head -n 1) --output json --query 'roleCredentials.{Version:`1`,AccessKeyId:accessKeyId,SecretAccessKey:secretAccessKey,SessionToken:sessionToken,Expiration:expiration}'
usage:
$ aws sso login --sso-session my-sso
$ amplify init
...
? Select the authentication method you want to use: AWS profile
...
? Please choose the profile you want to use my-amplify
...
How about adding a step to use aws-sdk-js#SsoCredentials in amplify-cli#getProfiledAwsConfig()?
For example, aws-cdk, which is a CLI tool depending on aws-sdk-js like amplify-cli, also uses it like https://github.com/aws/aws-cdk/blob/v2.77.0/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts#L81 .
Thanks @benkehoe, the aws-sso-util has saved my life here.
I tried all other methods described here. Only one that worked is the aws-sso-util based one. @cunneen provided great instructions. Thank you @benkehoe.
Amplify CLI version: 12.0.3
I could use Amplify CLI and AWS SSO profiles together with following process and without any third party tools:
Amplify CLI Version: 12.1.1
AWS CLI Version: aws-cli/2.12.2 Python/3.11.4 Windows/10 exe/AMD64 prompt/off
Open AWS CLI config JSON file, typically located under '~/.aws/config.json', and create a profile with syntax:
[profile my-amplify-profile]
credential_process = aws configure export-credentials --profile my-amplify-profile
region = eu-central-1
sso_session = <MY_SESSION_NAME>
sso_account_id = <MY_ACCOUNT_ID>
sso_role_name = <MY_ROLE_NAME>
output = json
Login into AWS SSO with in step 1. created and in step 2. configured SSO session:
aws sso login --sso-session <MY_SESSION_NAME>
Now you should be able to use the profile 'my-amplify-profile' with Amplify CLI, e. g.:
amplify init and choose inside the CLI process the created profile 'my-amplify-profile'
amplify add env and choose inside the CLI process the created profile 'my-amplify-profile'.
This process works also with multiple profiles for different AWS accounts (cross-account deployments). Just change on each amplify add env the profile name. All local configured profiles should be listed inside local-aws-info.json.
Hey folks :wave: as a few have pointed out here in the thread you can use AWS IAM Identity Center with Amplify! Following the AWS guide from @kiborkm's comment above you'll end up with a profile config in ~/.aws/config similar to the following:
# ~/.aws/config
[profile mysso-profile]
sso_session=mysso-session # point to the `sso-session` entry
sso_account_id=xxx
sso_role_name=AdministratorAccess
region=us-east-1
[sso-session mysso-session]
sso_start_url=https://xxx.awsapps.com/start
sso_region=us-east-1
sso_registration_scopes=sso:account:access
To work around the following error you will need to add a credential_process to the AWS profile as noted in @seanWLawrence's comment:
🛑 Failed to get profile credentials
Cannot read properties of undefined (reading 'accessKeyId')
# ~/.aws/config
[profile mysso-profile]
sso_session=mysso-session # point to the `sso-session` entry
sso_account_id=xxx
sso_role_name=AdministratorAccess
region=us-east-1
+ credential_process=aws sso login --profile mysso-profile
[sso-session mysso-session]
sso_start_url=https://xxx.awsapps.com/start
sso_region=us-east-1
sso_registration_scopes=sso:account:access
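Review bot: the added line `credential_process=aws sso login --profile mysso-profile` points credential_process at a login command, and the replies in this thread object that `aws sso login` does not write the credentials JSON that credential_process consumers read from stdout, so any success depends on an implementation detail. The replacement suggested in those replies is `credential_process = aws configure export-credentials --profile mysso-profile`, whose default output format is the credential_process schema; a short comment above the line saying that `aws sso login` still has to be run first would also help readers of this config.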
With this example upon calling amplify init you will want to select the mysso-profile AWS profile:
➜ amplify init
Note: It is recommended to run this command from the root of your app directory
? Enter a name for the project amplifywithsso
The following configuration will be applied:
Project information
| Name: amplifywithsso
| Environment: dev
| Default editor: Visual Studio Code
| App type: javascript
| Javascript framework: none
| Source Directory Path: src
| Distribution Directory Path: dist
| Build Command: npm run-script build
| Start Command: npm run-script start
? Initialize the project with the above configuration? Yes
Using default provider awscloudformation
? Select the authentication method you want to use: AWS profile
For more information on AWS Profiles, see:
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html
? Please choose the profile you want to use mysso-profile
Adding backend environment dev to AWS Amplify app: d1t6kmme070w48
...
There is an active bug where the sso-session entry is displayed in the profile list, however upon selection it will produce the following error:
Unexpected token A in JSON at position 0
I will keep this request open to support SSO without needing to specify a credential_process as it is not shown as required in the documentation.
- credential_process=aws sso login --profile mysso-profile
@josefaidt I don't believe that actually works in any way that depends on the standard interface of credential_process. If it works at all, it is relying on an implementation detail, and in no way should it be recommended as a "solution". See my comment about it earlier: https://github.com/aws-amplify/amplify-cli/issues/4488#issuecomment-1448764507
What @kiborkm suggested was a slightly different approach, using a newish feature of the AWS CLI:
credential_process = aws configure export-credentials --profile my-amplify-profile
That works because the command defaults to outputting the credentials in the format expected by credential_process.
--format (string) The output format to display credentials. Defaults to process.
process - Display credentials as JSON output, in the schema expected by the credential_process config value. This enables any library or tool that supports credential_process to use the AWS CLI’s credential resolution process: credential_process = aws configure export-credentials --profile myprofile
Still, as you say, even that config should not be necessary. So, yeah, appreciate keeping the issue open until amplify is properly supporting AWS SSO and the AWS SDK Credential Chain.
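The difference between the credential_process commands debated in this thread, as an added example (not code from any commenter, from Amplify, or from the AWS CLI): a checker for the JSON a credential_process command prints on stdout, run over constructed sample outputs. The function names, the sample values and the "ASIA" prefix check are assumptions of this example; it reports problems only and never prints key material.

```python
"""Check what a credential_process command prints (added example)."""
import json
import subprocess
import sys
from datetime import datetime, timezone


def check_output(stdout, now=None):
    """Return a list of problems; an empty list means the output is usable."""
    now = now or datetime.now(timezone.utc)
    try:
        doc = json.loads(stdout)
    except json.JSONDecodeError as exc:
        # Login banners and other human-readable text end up here.
        return [f"stdout is not JSON: {exc.msg} at position {exc.pos}"]
    if not isinstance(doc, dict):
        return ["top-level JSON value is not an object"]

    problems = []
    if doc.get("Version") != 1:
        problems.append("Version must be 1")
    for key in ("AccessKeyId", "SecretAccessKey"):
        if not isinstance(doc.get(key), str) or not doc[key]:
            problems.append(f"missing {key}")

    # Assumption of this example: temporary (STS/SSO) key ids start with
    # "ASIA" and cannot be used without their session token.
    key_id = doc.get("AccessKeyId")
    if isinstance(key_id, str) and key_id.startswith("ASIA") and not doc.get("SessionToken"):
        problems.append("temporary key without SessionToken")

    expiration = doc.get("Expiration")
    if expiration is not None:
        try:
            expires = datetime.fromisoformat(expiration.replace("Z", "+00:00"))
        except (AttributeError, ValueError):
            problems.append("Expiration is not an ISO 8601 timestamp")
        else:
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            if expires <= now:
                problems.append("credentials already expired")
    return problems


def check_command(argv, timeout=30):
    """Run a candidate credential_process command and check its stdout."""
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    if proc.returncode != 0:
        return [f"command exited with status {proc.returncode}"]
    return check_output(proc.stdout)


# Constructed sample outputs (no real credentials).
GOOD = json.dumps({
    "Version": 1,
    "AccessKeyId": "ASIAEXAMPLEKEYID0000",
    "SecretAccessKey": "constructed-secret",
    "SessionToken": "constructed-token",
    "Expiration": "2099-01-01T00:00:00+00:00",
})
EXPIRED = GOOD.replace("2099", "2020")
# Human-readable text of the kind `aws sso login` prints (first line quoted in this thread).
LOGIN_TEXT = "Attempting to automatically open the SSO authorization page in your default browser.\n"
# Shape of `aws sso get-role-credentials` output before the --query remapping shown in the thread.
RAW_ROLE_CREDENTIALS = json.dumps({"roleCredentials": {
    "accessKeyId": "ASIAEXAMPLEKEYID0000",
    "secretAccessKey": "constructed-secret",
    "sessionToken": "constructed-token",
    "expiration": 4070908800000,
}})

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python check_cp.py aws configure export-credentials --profile myprofile
        result = check_command(sys.argv[1:])
        print("\n".join(result) if result else "OK")
    else:
        samples = [("good", GOOD), ("expired", EXPIRED),
                   ("login text", LOGIN_TEXT), ("raw role credentials", RAW_ROLE_CREDENTIALS)]
        for name, sample in samples:
            print(f"{name}: {check_output(sample) or 'OK'}")
```
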
Just ran into this and running into an issue with an AWS tool not supporting AWS SSO best practices without workarounds at the very beginning of the investigation into said tool is a knock to its credibility.
> A workaround I just got working was to make another profile with the credential_process set to call the sso login command, i.e.
> [profile admin]
> sso_start_url = https://xxxxxxxx.awsapps.com/start#/
> sso_region = us-east-1
> sso_account_id = xxxxxxxxxx
> sso_role_name = AWSAdministratorAccess
> region = us-east-1
> output = json
> [profile admin-amplify]
> credential_process = aws sso login --profile admin
> Note: you'll need to replace the values for the profile names, sso_start_url, sso_account_id for this to work for your situation
> Then when using the amplify CLI set the profile to the amplify one, in this case: admin-amplify
thanks mate. this issue has had me stumped for hours and this is the only thing that has worked 100% clearly every time. so this goes into my process docs for now. cheers!
Yes but SET IT WHERE?
The example is representative of profiles in the aws cli config file.
the comment clearly says "Then when using the amplify CLI set the profile to the amplify one, in this case: admin-amplify"
but what does that mean, where do you "SET" it? how is this setup used?
It is commentary like this that has meant nobody has a clue how this all works, and noobs come along and fumble with it for days on end.
And btw the documentation clearly has many ways of configuring Auth in CLI, and Amplify CLI does not seem to operate within AWS CLI boundaries. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html
sorry .. I guess what they should have said was... When using the amplify CLI , SELECT the admin-amplify profile from the list as the amplify CLI steps you through asking for what type of credential you want to use. one should be selecting the "profile" option, and then the profiles from the aws cli config file are read and presented in the list.. instead of picking the one with the sso settings you pick the one with the "credential_process =" defined in it.. and it doesn't make a difference what the profile names are.. you can change them.. this is the structure of how to do it.
> sorry .. I guess what they should have said was...
Sorry but this does not help either.
A simple question: when amplify commands run, what profile or credentials are these commands using? There are no keys exported, no default profiles - everything is SSO based.
Where is this information about profile stored in amplify? How to change it?
I'm trying to understand design philosophy here. Amplify cli by default forces users to create an IAM long-lived key and secret. Which is a big no-no. What's the consideration for these defaults?
What's the alternative for security-aware organization with SSO?
amplify configure
Follow these steps to set up access to your AWS account:
Sign in to your AWS administrator account:
https://console.aws.amazon.com/
Press Enter to continue
Specify the AWS Region
? region: us-east-1
Follow the instructions at
https://docs.amplify.aws/cli/start/install/#configure-the-amplify-cli
to complete the user creation in the AWS console
https://console.aws.amazon.com/iamv2/home#/users/create
Press Enter to continue
Enter the access key of the newly created user:
? accessKeyId: [hidden]
I tried the workaround @josefaidt proposed in the comments and the one by @kiborkm here. Unfortunately, I did not have success in both approaches :(
amplify version: 12.3.0
aws cli version: aws-cli/2.9.19 Python/3.9.11 Linux/5.10.102.1-microsoft-standard-WSL2 exe/x86_64.ubuntu.20 prompt/off
When I do amplify init and choose my SSO profile I always get the following:
🛑 The security token included in the request is expired
Learn more at: https://docs.amplify.aws/cli/project/troubleshooting/
Session Identifier: 0624a60c-87a1-4d95-b3d5-52ce6053cf6c
I did the following workaround to work:
~/.aws/config
[profile amplify-dev]
region=us-east-1
~/.bashrc
function amplify-dev(){
  # Log in through SSO, then copy the temporary credentials into the amplify-dev profile
  aws sso login --profile dev
  CREDENTIALS=$(aws configure export-credentials --profile dev)
  # Quote every expansion so the values reach `aws configure set` unchanged
  aws configure set aws_access_key_id "$(echo "$CREDENTIALS" | jq -r '.AccessKeyId')" --profile amplify-dev
  aws configure set aws_secret_access_key "$(echo "$CREDENTIALS" | jq -r '.SecretAccessKey')" --profile amplify-dev
  aws configure set aws_session_token "$(echo "$CREDENTIALS" | jq -r '.SessionToken')" --profile amplify-dev
}
For this workaround to work you need to make sure you have:
sudo apt install jq
~/.aws/config
The amplify-dev function will make SSO login, get the credentials, and add/update it to ~/.aws/credentials to amplify-dev profile.
This issue/bug/feature has been stuck in limbo for more than 3 years, and as a result Amplify developers working in multi-account environments with SSO (ie following AWS's well-architected framework) have to hand-roll a variety of their own authentication scripts or copy and paste values out of the web interface to do something that should be seamless.
Is there any way this can be upgraded in priority @SwaySway @siegerts and assigned a label that indicates it is core functionality of Amplify instead of a feature?
credential_process=aws sso login --profile mysso-profile
@josefaidt your example is different to the person that you quoted!
they use a double profile approach in the config file, 1st profile refers to the second. yours is in a single profile with an SSO profile
??????????????
This seems to be a fundamental problem which undercuts Amplify's usability. I can't recommend this to my team if their first interaction with it will be a hacky auth workaround. It's essential that this tool supports SSO.
hi all! trying to follow the above but continuously getting the error
amplify init
Note: It is recommended to run this command from the root of your app directory
? Enter a name for the project myamplifyapp
The following configuration will be applied:
Project information
| Name: myamplifyapp
| Environment: dev
| Default editor: Visual Studio Code
| App type: javascript
| Javascript framework: react
| Source Directory Path: src
| Distribution Directory Path: build
| Build Command: npm run-script build
| Start Command: npm run-script start
? Initialize the project with the above configuration? Yes
Using default provider awscloudformation
? Select the authentication method you want to use: AWS profile
For more information on AWS Profiles, see:
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html
? Please choose the profile you want to use amplify-sso-profile
🛑 The security token included in the request is invalid.
Learn more at: https://docs.amplify.aws/cli/project/troubleshooting/
in my ~/.aws/config I have an sso-session defined and a profile that uses that sso-session
[profile aws-profile]
sso_session = aws-sso-session
sso_account_id = xxxx
sso_role_name = xxxx
region = xxxx
output = json
[session aws-sso-session]
sso_start_url = xxx
sso_region = xxx
sso_registration_scopes = xxx
this works perfectly, for example: aws sso login --profile aws-profile logs me in, and I can execute commands in the accounts aws-profile is configured for example aws s3 ls --profile aws-profile
now for the amplify cli, I have added the following
[profile amplify-sso-profile]
credential_process = "aws configure export-credentials --profile aws-profile"
but having the issue as shown in the log message (The security token included in the request is invalid.)
as per https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html
The AWS CLI runs the command as specified in the profile and then reads data from STDOUT. The command you specify must generate JSON output on STDOUT that matches the following syntax.
so I am not sure why this is not working?
aws sso login --profile aws-profile before running amplify init
aws s3 ls --profile aws-profile works after logging-in and before running amplify init
[profile amplify-sso-profile]) and converted [profile aws-profile] as follows, however amplify init (choosing the right profile) still fails with the same error
[profile aws-profile]
sso_session = aws-sso-session
sso_account_id = xxxx
sso_role_name = xxxx
region = xxxx
output = json
credential_process = "aws configure export-credentials --profile aws-profile"
I was able to get it to work once by using access-key instead of profile (and using temporary credentials from the SSO login page); however of course this failed after an hour when the credentials expired
I can certainly agree though, that it would not be the worst thing in the world if Amplify CLI natively supported SSO after this many years
@josefaidt / @lorengordon I drew the most intuition / insight from your comments, hence my solution looks the most like your suggestions - maybe you have an idea where I went wrong?
-- next day: progress --
looking at my ~/.aws/config I had the wrong region in my amplify profile - fixed that and now I get
🛑 The security token included in the request is expired
even though did an sso login immediately before hand
I looked again at @kiborkm post (https://github.com/aws-amplify/amplify-cli/issues/4488#issuecomment-1607699922) and noticed that it uses aws sso login --sso-session <session> (instead of --profile); I replicated that profile setup, but still
🛑 The security token included in the request is expired
aws sso login --profile <profile> results in the same issue
I have tried to use access-keys (as I did yesterday, copying+pasting from the SSO page "Command line or programmatic access") but get the following today (for some reason... no idea why!)
Using default provider awscloudformation
? Select the authentication method you want to use: AWS access keys
? accessKeyId: ********************
? secretAccessKey: ****************************************
? region: us-east-1
Invalid configuration settings!
So, instead I have added a profile in ~/.aws/config
[profile amplify-stc]
region = xxx
and then a matching credentials in ~/.aws/credentials
[amplify-stc]
aws_access_key_id=xxx
aws_secret_access_key=xxx
aws_session_token=xxx
and I will update this each time with new credentials - you could use a script like @romeubertho alludes to, to automatically update the credentials after SSO Login
so, for anyone who comes after me! possible solutions:
credential_process (does not work for me, yet - short of AWS actually fixing the amplify CLI, this is what I am aiming for - so if anyone can point me to why my config doesn't work, I'd be grateful)
aws init etc; though you will have to update the keys constantly (amplify configure project will allow you to change keys or profile) :: Not Recommended
~/.aws/credentials and update this file, manually or automatically each time you need to SSO login (this is what I am doing now)
~/.aws/credentials (https://github.com/joepjoosten/aws-cli-mfa-oh-my-zsh/tree/master)
I can't think of any other options just now :) hope that helps someone in the future
now to debug why credential_process and accessKeys instead of profile is not working for me :)
Describe the bug
Amplify CLI Version 4.21.1
To Reproduce
Expected behavior Update my local development environment
Desktop