Open v1pz3n opened 4 years ago
I'm trying to understand design philosophy here. Amplify cli by default forces users to create an IAM long-lived key and secret. Which is a big no-no. What's the consideration for these defaults?
What's the alternative for security-aware organization with SSO?
amplify configure Follow these steps to set up access to your AWS account: Sign in to your AWS administrator account: https://console.aws.amazon.com/ Press Enter to continue Specify the AWS Region ? region: us-east-1 Follow the instructions at https://docs.amplify.aws/cli/start/install/#configure-the-amplify-cli to complete the user creation in the AWS console https://console.aws.amazon.com/iamv2/home#/users/create Press Enter to continue Enter the access key of the newly created user: ? accessKeyId: [hidden]
You can skip the amplify configure
operation after install if you already have a profile you want to use (either regular IAM or SSO). This is a big omission IMO in the documentation. When you run amplify init
in your project, you can select "AWS Profile" or "AWS Access Keys". To my mind, using long-lived access keys here is a bad practice, so using profiles is preferred.
I came across this thread trying to figure it out, this is what I ended up with:
[profile dev]
sso_start_url=https://XXXXXXXXXXXX.awsapps.com/start
sso_region=us-east-1
sso_account_id=XXXXXXXXXXXX
sso_role_name=AdministratorAccess
region=us-east-1
output=json
cli_pager=
sso_session=dev
credential_process=aws sso login --profile dev
[sso-session dev]
sso_start_url=https://XXXXXXXXXXXX.awsapps.com/start
sso_region=us-east-1
sso_registration_scopes=sso:account:access
[profile prod]
sso_start_url=https://XXXXXXXXXXXX.awsapps.com/start
sso_region=us-east-1
sso_account_id=XXXXXXXXXXXX
sso_role_name=AdministratorAccess
region=us-east-1
output=json
cli_pager=
sso_session=prod
credential_process=aws sso login --profile prod
[sso-session prod]
sso_start_url=https://XXXXXXXXXXXX.awsapps.com/start
sso_region=us-east-1
sso_registration_scopes=sso:account:access
Hope it helps!
I have SSO set up with Google Workspaces. The issue was with Chrome. When it tried to authenticate during the completion of amplify init
, it opened a new Chrome window which had one of my other Google accounts signed in and used that to automatically authenticate which failed with the following error
Failed to get profile credentials
I manually signed out of this profile and went through amplify init
again. This time it asked me to sign in to my Google account. Signed in with the correct account hooked up to SSO and it worked. Hope this helps for anyone with Google Workspaces where you may have multiple accounts on your Chrome browser.
The Rosetta Stone for me was finding that amplify uses the profile information stored in (for example) amplify/.config/local-aws-info.json
which will look something like this:
{
"dev": {
"configLevel": "project",
"useProfile": false,
"awsConfigFilePath": "/Users/bilbo/.amplify/awscloudformation/nQKUFafyPf"
}
}
or like this:
{
"dev": {
"configLevel": "project",
"useProfile": true,
"profileName": "bilbo-admin"
}
}
The file in the first example needs to contain updated credentials or you will eventually get the dreaded The provided token has expired
error. You can get those details with aws configure export-credentials --profile bilbo-admin
among others.
It's also worth noting that the tokens from aws-sso-util
(brilliant!) and aws sso login
are not interchangeable and can coexist for the same named profile.
The bottom line is that this file controls everything - if you aren't updating those specific credentials or using that named profile you are barking up the wrong tree (as I did for way too long).
Describe the bug
Amplify CLI Version 4.21.1
To Reproduce
Expected behavior Update my local development environment
Desktop