[Feature Request] Amplify CLI support AWS SSO #4488
Comments
I have a problem adding a new env with the Amplify CLI that uses a SSO profile. Getting
I tried another way but I also had problems. You must delete the "amplify" directory of your project

```
Attempting to automatically open the SSO authorization page in your default browser.
https://device.sso.us-east-1.amazonaws.com/
Then enter the code: XXXX-XXXX
For more information on AWS Profiles, see:
? Do you want to use an AWS profile? Yes
```
Hi folks, we also face a similar problem with slightly different error messages.
You may be able to use aws-sso-credential-process with If that doesn't work, there is a workaround, developed for the CDK (which has the same problem): aws/aws-cdk#5455 (comment)
The aws2-wrap method referenced by @benkehoe is working absolutely fine for CDK. However, the amplify issue isn't getting resolved by it. Is there some other way that anyone has been able to get the amplify to work with sso credentials since the time this issue was first created?
Hey, folks, let me know if this helps, since I was facing a very similar problem and (I think) I "fixed" it:
Fixing:
@nishitjain13 Did you try the Additionally,
In cases like this one, or other similar cases where AWS SSO results in incompatibilities with your library and you don't want to play with workarounds or complicated fixes, maybe you can also give a try to our open-source project: https://github.com/Noovolari/leapp. It deals with AWS SSO authentication and accounts/roles retrieval, then it creates short-lived temporary credentials in .aws/credentials to maximize compatibility with third party tools / sdks.
I followed the above instructions with
Ok I figured out the issue. For this
Also an (empty)
…used with SSO and with credential_process

Make sure the right profile is used when using credential_process

When using `credential_process` in the AWS profile (to get SSO to work for example) the ProcessCredentials Provider is used. When using the default chain from the aws-sdk no options are passed to it and it defaults to using AWS_PROFILE. With this change, we detect `credential_process` and specifically pass the profile name into the credential chain to ensure it gets used. re aws-amplify#4488
Thanks @benkehoe, the
I could use Amplify CLI and AWS SSO profiles together with the following process and without any third party tools: Amplify CLI Version: 12.1.1
Hey folks 👋 as a few have pointed out here in the thread you can use AWS IAM Identity Center with Amplify! Following the AWS guide from @kiborkm's comment above you'll end up with a profile config in

```ini
# ~/.aws/config
[profile mysso-profile]
sso_session=mysso-session # point to the `sso-session` entry
sso_account_id=xxx
sso_role_name=AdministratorAccess
region=us-east-1

[sso-session mysso-session]
sso_start_url=https://xxx.awsapps.com/start
sso_region=us-east-1
sso_registration_scopes=sso:account:access
```

To workaround the following error you will need to add a

```diff
# ~/.aws/config
[profile mysso-profile]
sso_session=mysso-session # point to the `sso-session` entry
sso_account_id=xxx
sso_role_name=AdministratorAccess
region=us-east-1
+ credential_process=aws sso login --profile mysso-profile

[sso-session mysso-session]
sso_start_url=https://xxx.awsapps.com/start
sso_region=us-east-1
sso_registration_scopes=sso:account:access
```

With this example upon calling

There is an active bug where the `Unexpected token A in JSON at position 0` I will keep this request open to support SSO without needing to specify a
@josefaidt I don't believe that actually works in any way that depends on the standard interface of What @kiborkm suggested was a slightly different approach, using a newish feature of the AWS CLI:
That works because the command defaults to outputting the credentials in the format expected by
Still, as you say, even that config should not be necessary. So, yeah, appreciate keeping the issue open until amplify is properly supporting AWS SSO and the AWS SDK Credential Chain.
Just ran into this and running into an issue with an AWS tool not supporting AWS SSO best practices without workarounds at the very beginning of the investigation into said tool is a knock to its credibility.
thanks mate. this issue has had me stumped for hours and this is the only thing that has worked 100% clearly every time. so this goes into my process docs for now. cheers!
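The contract @benkehoe describes above is what decides whether a `credential_process` entry works: the command must print one JSON object with `Version`, `AccessKeyId`, `SecretAccessKey` and optionally `SessionToken` and `Expiration`. The checker below is an added example, not code from this thread or from Amplify; it runs against constructed sample output (fake key material) and shows why the prose that `aws sso login` prints is rejected with a JSON error at the first character.

```python
"""Validate the stdout of a credential_process command.

The AWS SDKs and CLI expect credential_process to print a single JSON
object with "Version": 1, "AccessKeyId", "SecretAccessKey" and optionally
"SessionToken" plus an ISO-8601 "Expiration". Any other text on stdout
(a login prompt, progress messages) fails at JSON parsing in the caller.
"""
import json
from datetime import datetime, timezone

REQUIRED_KEYS = ("Version", "AccessKeyId", "SecretAccessKey")

# Constructed sample of what `aws configure export-credentials` prints
# (values are fake placeholders, not real credentials).
GOOD_OUTPUT = json.dumps({
    "Version": 1,
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
    "SecretAccessKey": "exampleSecretKeyNotReal",
    "SessionToken": "exampleSessionTokenNotReal",
    "Expiration": "2099-01-01T00:00:00Z",
})

# Constructed sample of the prose `aws sso login` writes instead of JSON.
LOGIN_OUTPUT = ("Attempting to automatically open the SSO authorization page in your "
                "default browser.\nhttps://device.sso.us-east-1.amazonaws.com/\n"
                "Then enter the code: XXXX-XXXX\n")


def parse_credential_process_output(text):
    """Return the credential dict, or raise ValueError explaining why the
    text cannot be consumed as credential_process output."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        # Report the first offending character, like the "Unexpected token"
        # message Amplify surfaces when the command prints prose.
        first = text.lstrip()[:1] or "<empty>"
        raise ValueError(
            f"credential_process printed non-JSON output (starts with {first!r}): {exc.msg}"
        ) from None
    if not isinstance(data, dict):
        raise ValueError("credential_process output must be a JSON object")
    missing = [k for k in REQUIRED_KEYS if k not in data]
    if missing:
        raise ValueError(f"credential_process output is missing {missing}")
    if data["Version"] != 1:
        raise ValueError(f"unsupported credential_process Version {data['Version']!r}")
    return data


def seconds_until_expiry(creds, now=None):
    """Seconds left before the credentials expire, or None when there is no
    Expiration field (long-lived keys, which never rotate on their own)."""
    exp = creds.get("Expiration")
    if exp is None:
        return None
    now = now or datetime.now(timezone.utc)
    expires_at = datetime.fromisoformat(exp.replace("Z", "+00:00"))
    return (expires_at - now).total_seconds()


if __name__ == "__main__":
    creds = parse_credential_process_output(GOOD_OUTPUT)
    print("ok, expires in", seconds_until_expiry(creds), "s")
    try:
        parse_credential_process_output(LOGIN_OUTPUT)
    except ValueError as err:
        print("rejected:", err)
```

Pointing `credential_process` at a command whose output passes `parse_credential_process_output` (as `aws configure export-credentials` does by default) is what makes the profile usable; `seconds_until_expiry` returning a small or negative number is the state behind the "security token ... is expired" errors reported later in the thread.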
Yes but SET IT WHERE?
The example is representative of profiles in the aws cli config file.
the comment clearly says "Then when using the amplify CLI set the profile to the amplify one, in this case: admin-amplify" but what does that mean, where do you "SET" it? how is this setup used? It is commentary like this that has meant nobody has a clue how this all works, and noobs come along and fumble with it for days on end.
And btw the documentation clearly has many ways of configuring Auth in CLI, and Amplify CLI does not seem to operate within AWS CLI boundaries.
sorry .. I guess what they should have said was... When using the amplify CLI, SELECT the admin-amplify profile from the list as the amplify CLI steps you through asking for what type of credential you want to use. one should be selecting the "profile" option, and then the profiles from the aws cli config file are read and presented in the list.. instead of picking the one with the sso settings you pick the one with the "credential_process =" defined in it.. and it doesn't make a difference what the profile names are.. you can change them.. this is the structure of how to do it.
Sorry but this does not help either.
A simple question: when amplify commands run, what profile or credentials are these commands using? There are no keys exported, no default profiles - everything is SSO based. Where is this information about profile stored in amplify? How to change it?
I'm trying to understand design philosophy here. Amplify cli by default forces users to create an IAM long-lived key and secret. Which is a big no-no. What's the alternative for security-aware organization with SSO?
I tried the workaround @josefaidt proposed in the comments and the one by @kiborkm here. Unfortunately, I did not have success in both approaches :( When I do

```
🛑 The security token included in the request is expired
Learn more at: https://docs.amplify.aws/cli/project/troubleshooting/
Session Identifier: 0624a60c-87a1-4d95-b3d5-52ce6053cf6c
```

I did the following workaround to work:

```bash
# Log in via SSO, then copy the short-lived credentials of the "dev" profile
# into a plain static profile ("amplify-dev") that the Amplify CLI can read.
function amplify-dev(){
  aws sso login --profile dev
  CREDENTIALS=$(aws configure export-credentials --profile dev)
  aws configure set aws_access_key_id "$(echo "$CREDENTIALS" | jq -r '.AccessKeyId')" --profile amplify-dev
  aws configure set aws_secret_access_key "$(echo "$CREDENTIALS" | jq -r '.SecretAccessKey')" --profile amplify-dev
  aws configure set aws_session_token "$(echo "$CREDENTIALS" | jq -r '.SessionToken')" --profile amplify-dev
}
```

For this workaround to work you need to make sure you have:

The
This issue/bug/feature has been stuck in limbo for more than 3 years, and as a result Amplify developers working in multi-account environments with SSO (i.e. following AWS's well-architected framework) have to hand-roll a variety of their own authentication scripts or copy and paste values out of the web interface to do something that should be seamless. Is there any way this can be upgraded in priority @SwaySway @siegerts and assigned a label that indicates it is core functionality of Amplify instead of a feature?
@josefaidt they use a double profile approach in the config file, 1st profile refers to the second. ??????????????
This seems to be a fundamental problem which undercuts Amplify's usability. I can't recommend this to my team if their first interaction with it will be a hacky auth workaround. It's essential that this tool supports SSO.
hi all! trying to follow the above but continuously getting the error
in my ~/.aws/config I have an sso-session defined and a profile that uses that sso-session
this works perfectly, for example: now for the amplify cli, I have added the following
but having the issue as shown in the log message (The security token included in the request is invalid.) as per https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html
so I am not sure why this is not working?
I was able to get it to work once by using access-key instead of profile (and using temporary credentials from the SSO login page); however of course this failed after an hour when the credentials expired. I can certainly agree though, that it would not be the worst thing in the world if Amplify CLI natively supported SSO after this many years. @josefaidt / @lorengordon I drew the most intuition / insight from your comments, hence my solution looks the most like your suggestions - maybe you have an idea where I went wrong?

-- next day: progress --

I looked again at @kiborkm post (#4488 (comment)) and noticed that it uses I have tried to use access-keys (as I did yesterday, copying+pasting from the SSO page "Command line or programmatic access") but get the following today (for some reason... no idea why!)
So, instead I have added a profile in and then a matching credentials in and I will update this each time with new credentials - you could use a script like @romeubertho alludes to, to automatically update the credentials after SSO Login.
so, for anyone who comes after me! possible solutions:
I can't think of any other options just now :) hope that helps someone in the future now to debug why
You can skip the I came across this thread trying to figure it out, this is what I ended up with:
Hope it helps!
I have SSO set up with Google Workspaces. The issue was with Chrome. When it tried to authenticate during the completion of
I manually signed out of this profile and went through
The Rosetta Stone for me was finding that amplify uses the profile information stored in (for example)

```json
{
  "dev": {
    "configLevel": "project",
    "useProfile": false,
    "awsConfigFilePath": "/Users/bilbo/.amplify/awscloudformation/nQKUFafyPf"
  }
}
```

or like this:

```json
{
  "dev": {
    "configLevel": "project",
    "useProfile": true,
    "profileName": "bilbo-admin"
  }
}
```

The file in the first example needs to contain updated credentials or you will eventually get the dreaded It's also worth noting that the tokens from The bottom line is that this file controls everything - if you aren't updating those specific credentials or using that named profile you are barking up the wrong tree (as I did for way too long).
Describe the bug
Amplify CLI Version
4.21.1
To Reproduce
Expected behavior
Update my local development environment
Desktop