Getting NoCredentials Error while performing List, Upload and Other file actions on S3 bucket from Amplify V6 react application

[saurabhunde]

Before opening, please confirm:

• [x] I have searched for duplicate or closed issues and discussions.
• [X] I have read the guide for submitting bug reports.
• [X] I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.

JavaScript Framework

React

Amplify APIs

Storage

Amplify Version

v6

Amplify Categories

auth, storage

Backend

Amplify CLI

Environment information

``` # Put output below this line System: OS: Windows 10 10.0.17763 CPU: (8) x64 Intel(R) Core(TM) i5-8365U CPU @ 1.60GHz Memory: 7.79 GB / 15.74 GB Binaries: Node: 20.11.0 - C:\Program Files\nodejs\node.EXE npm: 10.2.4 - C:\Program Files\nodejs\npm.CMD Browsers: Internet Explorer: 11.0.17763.2989 npmPackages: @aws-amplify/ui-react: ^6.1.6 => 6.1.6 @aws-amplify/ui-react-internal: undefined () @headlessui/react: ^1.7.18 => 1.7.18 @heroicons/react: ^2.1.1 => 2.1.1 @hookform/resolvers: ^3.3.4 => 3.3.4 @hookform/resolvers/ajv: 1.0.0 @hookform/resolvers/arktype: 1.0.0 @hookform/resolvers/class-validator: 1.0.0 @hookform/resolvers/computed-types: 1.0.0 @hookform/resolvers/io-ts: 1.0.0 @hookform/resolvers/joi: 1.0.0 @hookform/resolvers/nope: 1.0.0 @hookform/resolvers/superstruct: 1.0.0 @hookform/resolvers/typanion: 1.0.0 @hookform/resolvers/typebox: 1.0.0 @hookform/resolvers/valibot: 1.0.0 @hookform/resolvers/vest: 1.0.0 @hookform/resolvers/yup: 1.0.0 @hookform/resolvers/zod: 1.0.0 @reduxjs/toolkit: ^2.2.1 => 2.2.1 @reduxjs/toolkit-query: 1.0.0 @reduxjs/toolkit-query-react: 1.0.0 @reduxjs/toolkit-react: 1.0.0 @types/react: ^18.2.43 => 18.2.48 @types/react-dom: ^18.2.17 => 18.2.18 @vitejs/plugin-react: ^4.2.1 => 4.2.1 @zxing/browser: ^0.1.4 => 0.1.4 @zxing/library: ^0.20.0 => 0.20.0 autoprefixer: ^10.4.17 => 10.4.17 aws-amplify: ^6.0.20 => 6.0.20 aws-amplify/adapter-core: undefined () aws-amplify/analytics: undefined () aws-amplify/analytics/kinesis: undefined () aws-amplify/analytics/kinesis-firehose: undefined () aws-amplify/analytics/personalize: undefined () aws-amplify/analytics/pinpoint: undefined () aws-amplify/api: undefined () aws-amplify/api/server: undefined () aws-amplify/auth: undefined () aws-amplify/auth/cognito: undefined () aws-amplify/auth/cognito/server: undefined () aws-amplify/auth/enable-oauth-listener: undefined () aws-amplify/auth/server: undefined () aws-amplify/datastore: undefined () aws-amplify/in-app-messaging: undefined () aws-amplify/in-app-messaging/pinpoint: undefined () aws-amplify/push-notifications: undefined () aws-amplify/push-notifications/pinpoint: undefined () aws-amplify/storage: undefined () aws-amplify/storage/s3: undefined () aws-amplify/storage/s3/server: undefined () aws-amplify/storage/server: undefined () aws-amplify/utils: undefined () eslint: ^8.55.0 => 8.56.0 eslint-config-prettier: ^9.1.0 => 9.1.0 eslint-plugin-import: ^2.29.1 => 2.29.1 eslint-plugin-react: ^7.33.2 => 7.33.2 eslint-plugin-react-hooks: ^4.6.0 => 4.6.0 eslint-plugin-react-refresh: ^0.4.5 => 0.4.5 luxon: ^3.4.4 => 3.4.4 moment: ^2.30.1 => 2.30.1 postcss: ^8.4.33 => 8.4.33 prettier: ^3.2.5 => 3.2.5 react: ^18.2.0 => 18.2.0 react-barcode: ^1.4.6 => 1.4.6 react-datepicker: ^6.4.0 => 6.4.0 react-dom: ^18.2.0 => 18.2.0 react-dropzone: ^14.2.3 => 14.2.3 react-hook-form: ^7.50.1 => 7.50.1 react-qr-code: ^2.0.12 => 2.0.12 react-redux: ^9.1.0 => 9.1.0 react-router-dom: ^6.22.1 => 6.22.1 tailwindcss: ^3.4.1 => 3.4.1 vite: ^5.0.8 => 5.0.12 vite-plugin-pwa: ^0.17.5 => 0.17.5 yup: ^1.3.3 => 1.3.3 npmGlobalPackages: @aws-amplify/cli: 12.10.1 corepack: 0.23.0 npm: 10.2.4 ```

Describe the bug

I am trying to perform List, Upload file actions in my amplify react application. But I am getting below error while performing file upload and list files operations. Error : NoCredentials: Credentials should not be empty.

Note- We are using federated usrs from Azure AD and have configured Azure AD ipd using SAML. All of the users will logging through this idp only. And we need to provide S3 file access to logged in users only.

I followed below steps to add and configure storage using Amplify CLI. Please refer below section

Expected behavior

1. Files should get uploaded to S3 bucket by only authenticated users
2. Should get list of files from S3 bucket for authenticated users

Reproduction steps

1. amplify add storage

2. Answered questions like below

   • Please select from one of the below mentioned services: -Content (Images, audio, video, etc.)
   • You need to add auth (Amazon Cognito) to your project in order to add storage for user files. Do you want to add auth now?- Yes
   • Do you want to use the default authentication and security configuration?- Default configuration
   • Do you want to configure advanced settings?- No, I am done.
   • Please provide a friendly name for your resource that will be used to label this category in the project: -testS3
   • Please provide bucket name:testS3bucket
   • Who should have access:Auth users
   • What kind of access do you want for Authenticated users? - create/update, read, delete
   • Do you want to add a Lambda Trigger for your S3 Bucket? - No

3. Configured- Amplify.configure({ .... //added S3 config Storage: { S3: { bucket: "testS3bucket", region: "us-east-1", } } })

4. Refer File upload and List files code from below code snippets

Code Snippet

// Put your code below this line.
//Upload file code
import { uploadData } from 'aws-amplify/storage';
try {
  const result = await uploadData({
    key: filename,
    data: file,
    options: {
      accessLevel: 'private'
    }
  }).result;
  console.log('Succeeded: ', result);
} catch (error) {
  console.log('Error : ', error);

//List files code
import { list } from 'aws-amplify/storage';
try {
  const result = await list();
} catch (error) {
  console.log(error);
}

Log output

Console Error while listing files

``` Error: NoCredentials: Credentials should not be empty. at assertValidationError (http://localhost:5173/node_modules/.vite/deps/chunk-57IZAOBQ.js?v=1d4e4029:462:11) at resolveS3ConfigAndInput (http://localhost:5173/node_modules/.vite/deps/chunk-57IZAOBQ.js?v=1d4e4029:644:3) at async list (http://localhost:5173/node_modules/.vite/deps/chunk-57IZAOBQ.js?v=1d4e4029:1984:51) at async listAllBuckets (http://localhost:5173/src/components/ ```

Console error while upload

``` Error : NoCredentials: Credentials should not be empty. at assertValidationError (http://localhost:5173/node_modules/.vite/deps/chunk-57IZAOBQ.js?v=1d4e4029:462:11) at resolveS3ConfigAndInput (http://localhost:5173/node_modules/.vite/deps/chunk-57IZAOBQ.js?v=1d4e4029:644:3) at async http://localhost:5173/node_modules/.vite/deps/chunk-57IZAOBQ.js?v=1d4e4029:1450:64 at async http://localhost:5173/node_modules/.vite/deps/chunk-57IZAOBQ.js?v=1d4e4029:502:22 at async handleFileChange (http://localhost:5173/ ```

aws-exports.js

No response

Manual configuration

Amplify.configure({
    Auth: {
        Cognito: {
            userPoolClientId: 'xxxxxxxxxxxxxxxxxx',
            userPoolId: 'xxxxxxxxxxxxx',
            loginWith: {
                oauth: {
                    domain: 'xxxxxxxx.amazoncognito.com',
                    scopes: ['openid email aws.cognito.signin.user.admin'],
                    redirectSignIn: ['http://localhost:5173'],
                    redirectSignOut: ['http://localhost:5173'],
                    responseType: 'code',
                },
            },
        },
    },
    API: {
        GraphQL: {
            endpoint:
                'https://xxxxxxxxxamazonaws.com/graphql',
            region: 'xxxx',
            defaultAuthMode: 'userPool',
        },
    },
    Storage: {
        S3: {
            bucket: "testS3Bucket",
            region: "xxxxx", 
        }
    }
});

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response

[sumitsahoo]

Amplify documentation really needs a revamp. A lot of things are either not documented or fail to work :(

[saurabhunde]

@nadetastic Please assist us with this issue.

If it helps, I am mentioning below links of previously riased issues of same project by our team. https://github.com.mcas.ms/aws-amplify/amplify-cli/issues/13240 https://github.com.mcas.ms/aws-amplify/amplify-js/issues/13119

[cwomack]

Hello, @saurabhunde 👋. It looks like you're missing the identityPoolId in your scoped Auth config. See an example of what the shape should look like here (click on existing resources block switcher). Can you add that in and see if you still get the error?

@sumitsahoo, that's valid feedback and we would love to hear how we can make it better! Feel free to open up a docs issue here or let me know via a reply back if there's something specific you're looking for. I think we could make the scoped examples for configs a little easier to find (rather than buried inside that last option of the block switcher).

[sumitsahoo]

@cwomack I have added identityPoolId in the scoped Auth config and now the error has changed.

Updated Auth config:

Amplify.configure({
    Auth: {
        mandatorySignIn: false,
        Cognito: {
            userPoolClientId: amplifyconfig.aws_user_pools_web_client_id,
            userPoolId: amplifyconfig.aws_user_pools_id,
            loginWith: {
                oauth: {
                    domain: amplifyconfig.oauth.domain,
                    scopes: ['openid email aws.cognito.signin.user.admin'],
                    redirectSignIn: ['http://localhost:5173'],
                    redirectSignOut: ['http://localhost:5173'],
                    responseType: 'code',
                },
            },
            identityPoolId: amplifyconfig.aws_cognito_identity_pool_id,
        },
    },
    API: {
        GraphQL: {
            endpoint:
                xyz.aws_appsync_graphqlEndpoint,
            region: 'eu-west-1',
            // Set the default auth mode to "userPool"
            defaultAuthMode: 'userPool',
        },
    },
    Storage: {
        S3: {
            bucket: "xyz-dev",
            region: "eu-west-1", 
        },
    }
});

Here is error message:

InvalidIdentityPoolConfigurationException: Invalid identity pool configuration. Check assigned IAM roles for this pool.
    at parseJsonError (http://localhost:5173/node_modules/.vite/deps/chunk-IFRJ7B24.js?v=ca1ab44f:2871:17)
    at async getCredentialsForIdentityDeserializer (http://localhost:5173/node_modules/.vite/deps/chunk-IFRJ7B24.js?v=ca1ab44f:4387:19)
    at async CognitoAWSCredentialsAndIdentityIdProvider.credsForOIDCTokens (http://localhost:5173/node_modules/.vite/deps/chunk-S5WU6PHE.js?v=ca1ab44f:4865:26)
    at async AuthClass.fetchAuthSession (http://localhost:5173/node_modules/.vite/deps/chunk-IFRJ7B24.js?v=ca1ab44f:1010:34)
    at async resolveS3ConfigAndInput (http://localhost:5173/node_modules/.vite/deps/chunk-K4YCOUCR.js?v=ca1ab44f:641:39)
    at async list (http://localhost:5173/node_modules/.vite/deps/chunk-K4YCOUCR.js?v=ca1ab44f:1984:51)
    at async listAllBuckets (http://localhost:5173/src/components/PAVManagement/PAVForm.jsx:68:22)

[saurabhunde]

Hi @cwomack , Thank you for your reponse on my issue. Could you please provide an exmaple IAM role and its policies that we can add to Cognito Identity Pool which allows CRUD operations on S3 for authenticated Cognito users? As menioned by @sumitsahoo, we are facing above error even after adding identity pool id in Amplify configuration

[electronicalias]

I'm also getting similar. If I configure my Auth as follows, then basically every API I have starts complaining - these are all different Amplify projects that import the Auth cateory. There had been no changes prior to today and we were working on something unrelated to work round another bug.

Auth: {
              Cognito: {
                  identityPoolId: <imported>
                  userPoolId: <imported>
                  userPoolClientId: <imported>
              }
          },

When I remove identityPoolId the site and it's APIs work ok, but it breaks the ability to upload/create presigned URLs.

When identityPoolId is configured as shown, I get:

message:  "Invalid identity pool configuration. Check assigned IAM roles for this pool."
__type:  "InvalidIdentityPoolConfigurationException"

When I remove identityPoolId I get the following messages when trying to upload files:

Profile.tsx:361 Error:  NoIdentityId: Missing identity ID when accessing objects in protected or private access level.
    at assertValidationError (http://localhost:8000/node_modules/.vite/deps/@aws-amplify_storage.js?v=8c320a89:485:11)
    at resolveS3ConfigAndInput (http://localhost:8000/node_modules/.vite/deps/@aws-amplify_storage.js?v=8c320a89:660:3)
    at async http://localhost:8000/node_modules/.vite/deps/@aws-amplify_storage.js?v=8c320a89:1498:76
    at async http://localhost:8000/node_modules/.vite/deps/@aws-amplify_storage.js?v=8c320a89:529:22
    at async customRequestFileUploader (http://localhost:8000/routes/Profile.tsx?t=1721830282460:291:28)

My upload configuration is as follows:

const uploadedFile = await uploadData({
        path: ({identityId}) => `protected/${identityId}/profile.${fileExtension}`,
        data: file,
        options: {
          onProgress // Optional progress callback.
        }
}).result;

Finally, when I call:

const { username, userId, signInDetails } = await getCurrentUser()
const authSession = await fetchAuthSession()

signInDetails are empty, as is the identityId in the response from fetchAuthSession()

[mutablestudio]

I was having similar issues switching between public (apiKey) and Cognito user pool users. Would get errors like NoCredentials or NoValidAuthTokens when I would sign out and try to switch to apiKey or sign in and switch Amplify config to userPool. What worked was not messing around w re-configuring Amplify and just switching auth modes when calling generateClient() for API calls.

import amplifyconfig from '../amplifyconfiguration.json'
import { generateClient } from 'aws-amplify/api'
...
Amplify.configure(amplifyconfig,{})
...
  getClient() {
    return generateClient({ authMode: store.getState().appStateInRedux.signedIn ? 'userPool' : 'apiKey' })
  }
...
//if userSub, then we have a userPool user, call s3 api
fetchAuthSession().then((session) => {
      userSession = session
      if (userSession.userSub) {
        uploadFilePath = 'protected/' + userSession.identityId + '/' + fileName
      }
      const uploadedFile = await uploadData({
        path: uploadFilePath,
        data: file,
      }).result
}
...
//other places where I call the AppSync API
getClient().graphql(...)

I could not find this documented anywhere, the authMode param in generateClient, however it is there if you check the types for CommonPublicClientOptions. Hopefully this helps someone. This is a react native project and aws pkg details below:

"aws-amplify": "6.3.6"

[girzel]

I'm also running into this, aws-amplify 6.6.0. Auth and storage configured manually. I hadn't had an identity pool configured, but finally figured out that that was why the auth session had no identityId, leading to storage breakage. As soon as I added an identity pool, got "Invalid identity pool configuration. Check assigned IAM roles for this pool.".

[Samaritan1011001]

@sumitsahoo How are you creating your identityPool? Are you doing it manually or via CLI? If manually, it appears to me that there might be a misconfiguration issue between IAM and the identityPool.

[sumitsahoo]

@sumitsahoo How are you creating your identityPool? Are you doing it manually or via CLI? If manually, it appears to me that there might be a misconfiguration issue between IAM and the identityPool.

We created it manually and then imported it from Amplify console.

[cwomack]

@saurabhunde and others following this issue, I'll work on reproducing this locally and following up with any additional questions. With the amount of people experiencing this, it sounds like there's either a bug or (at minimum) a gap in our documentation.