rahulpsd18 / cognito-backup-restore

AIO Tool for backing up and restoring AWS Cognito User Pools
MIT License
196 stars 63 forks

Please support Cognito authentication using roles #11

Open cafl opened 4 years ago

cafl commented 4 years ago

It seems you only accept a key/password IAM credential. Using a role is a best practice. In the aws config file this is specified as follows (example from aws cli documentation):

[profile marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadminrole
credential_source = Ec2InstanceMetadata

ophintor commented 4 years ago

This also does not work from an EC2 instance that has an instance profile assigned and therefore straight access to AWS. Why are you forcing the --profile or credential parameters?

This is the error I got:

$ cbr backup --region eu-west-2 --pool xxxxxx --dir /tmp/cognitobackup
fs.js:114
    throw err;
    ^

Error: ENOENT: no such file or directory, open '/home/ec2-user/.aws/credentials'
    at Object.openSync (fs.js:443:3)
    at Object.readFileSync (fs.js:343:35)
    at Object.readFileSync (/usr/lib/node_modules/cognito-backup-restore/node_modules/aws-sdk/lib/util.js:95:26)
    at IniLoader.parseFile (/usr/lib/node_modules/cognito-backup-restore/node_modules/aws-sdk/lib/shared-ini/ini-loader.js:6:47)
    at IniLoader.loadFrom (/usr/lib/node_modules/cognito-backup-restore/node_modules/aws-sdk/lib/shared-ini/ini-loader.js:56:30)
    at Object.<anonymous> (/usr/lib/node_modules/cognito-backup-restore/build/cli/options.js:48:39)
    at Module._compile (internal/modules/cjs/loader.js:778:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:789:10)
    at Module.load (internal/modules/cjs/loader.js:653:32)
    at tryModuleLoad (internal/modules/cjs/loader.js:593:12)

vladistan commented 4 years ago

This is actually very easy to fix. Somebody has already done that:

https://github.com/jakubkrzykowski/cognito-backup-restore/commit/0340e779792b9ec21360ec9087b631df96bcfa0d

I have his commit in my own fork of this repo. What's missing before it's final is to make some type of parameter to switch to this behavior.

rahulpsd18 commented 4 years ago

Can you please try using v1.3.1 and let me know if this is fixed?

idharper commented 3 years ago

I am trying v1.3.2 but it is still looking in .aws/credentials even when I give it a profile from .aws/config which has a role.

I am trying cbr backup --profile my-role --region us-east-2 --userpool all

But it comes back asking for my AWS profile and offering the 2 I have in .aws/credential

Am I doing something wrong?

rutabagaman commented 3 years ago

> I am trying v1.3.2 but it is still looking in .aws/credentials even when I give it a profile from .aws/config which has a role.
>
> I am trying cbr backup --profile my-role --region us-east-2 --userpool all
>
> But it comes back asking for my AWS profile and offering the 2 I have in .aws/credential
>
> Am I doing something wrong?

I have this exact same issue with v1.3.2. I have an .aws/credentials file and an .aws/config file with the role. It keeps prompting me for the 2 entries I have in .aws/credential and ignores the profile name I passed in.

Any resolution on this?
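
Added example, not code from this thread or from cognito-backup-restore: the reports above describe a hard ENOENT when `~/.aws/credentials` is absent and role profiles in `~/.aws/config` not being offered. The code below shows profile discovery that merges both files, treats a missing file as empty, and classifies how each profile would obtain credentials. `parseIni`, `loadProfiles` and `classifyProfile` are hypothetical names, and the caller is assumed to read the files and pass `null` for one that does not exist.

```javascript
// Added example: hypothetical helpers, not code from cognito-backup-restore or aws-sdk.

// Parse shared-ini text into { section: { key: value } }. A missing file is passed as null.
function parseIni(text) {
  const sections = Object.create(null);
  let current = null;
  for (const raw of (text || '').split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const header = line.match(/^\[(.+)\]$/);
    if (header) { current = sections[header[1].trim()] = {}; continue; }
    const eq = line.indexOf('=');
    if (current && eq > 0) current[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return sections;
}

// Merge profiles from both files. ~/.aws/config names sections "[profile x]"
// (except "[default]"); ~/.aws/credentials uses the bare name "[x]" and wins on conflicts.
function loadProfiles(credentialsText, configText) {
  const profiles = Object.create(null);
  for (const [section, values] of Object.entries(parseIni(configText))) {
    const name = section.replace(/^profile\s+/, '');
    profiles[name] = { ...values };
  }
  for (const [name, values] of Object.entries(parseIni(credentialsText))) {
    profiles[name] = { ...profiles[name], ...values };
  }
  return profiles;
}

// Decide how credentials for a profile would be obtained, without returning any secret.
function classifyProfile(profiles, name) {
  if (!name) return { kind: 'default-chain' }; // env vars, instance profile, etc.
  const p = profiles[name];
  if (!p) return { kind: 'unknown-profile', name };
  if (p.role_arn && p.credential_source)
    return { kind: 'assume-role', roleArn: p.role_arn, base: p.credential_source };
  if (p.role_arn && p.source_profile)
    return { kind: 'assume-role', roleArn: p.role_arn, base: 'profile:' + p.source_profile };
  if (p.aws_access_key_id) return { kind: 'static-keys' };
  return { kind: 'incomplete-profile', name };
}

// Constructed sample input: the config quoted in the first comment, with no credentials file.
const SAMPLE_CONFIG = `[profile marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadminrole
credential_source = Ec2InstanceMetadata
`;
```

With no `--profile` given, `classifyProfile` returns `default-chain`, which is the case an EC2 instance profile needs: no shared file has to exist at all.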