Do you want to request a feature or report a bug?
Bug.
What is the current behavior?
⠋ Initializing project in the cloud...An error occurred when creating the CloudFormation stack
✖ Root stack creation failed
init failed
{ InvalidClientTokenId: The security token included in the request is invalid.
at Request.extractError (/Users/markw/.nvm/versions/node/v8.11.3/lib/node_modules/@aws-amplify/cli/node_modules/amplify-provider-awscloudformation/node_modules/aws-sdk/lib/protocol/query.js:47:29)
...
message: 'The security token included in the request is invalid.',
code: 'InvalidClientTokenId',
time: 2018-08-28T09:13:08.644Z,
If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem.
Steps to reproduce the issue:
What is the expected behavior?
Create a cloudformation stack.
Additional environment details
OSX 10.13.6 (17G65)
amplify --version:
$ amplify --version
0.1.14
@wolfeidau We do support Federated login as a part of the auth category.
From the stack trace you provided, it seems like the AWS credentials you provided during the init/configure process were invalid and that's why this error -> InvalidClientTokenId: The security token included in the request is invalid.
Try running the amplify configure command to set up an IAM user for the CLI to use and then run the amplify init command in your app and use that IAM user when prompted as a part of the init flow.
@kaustavghosh06 I log into AWS using a federated user, in my case using https://github.com/Versent/saml2aws. This means I have
[wolfeidau]
aws_access_key_id = xxx
aws_secret_access_key = xxx
aws_session_token = xxx
We don't use IAM users in our accounts as they are a security issue, this is common practice for enterprise AWS customers.
AWS mobile has the same issue https://github.com/aws/awsmobile-cli/issues/150
@wolfeidau Got it. Are these credentials stored in your ~/.aws/credentials file? Have you signed an AWS SDK call with these credentials before? If yes, do you include just the session token as a part of signing the request or do you have to include the access key id, secret access key as well as the session token?
Also, can you confirm that the federated user has policies set up for CloudFormation?
@kaustavghosh06 yeah we use these credentials with sam, a range of golang based tools built on the aws SDK and aws CLI.
TBH I was surprised it didn't work as every python or golang tool we used just worked.
This is based on https://aws.amazon.com/blogs/security/how-to-implement-federated-api-and-cli-access-using-saml-2-0-and-ad-fs/ posted a while back.
@wolfeidau Got it. We'll be implementing this in the coming few days. Thanks for the feedback. I'm assigning a 'Work in progress' tag to this issue.
I had this problem using a federated identity. I configured Amplify to use a profile but it still uses the default configuration. I got it to work by copying the credentials from the profile into the default in ~/.aws/credentials. I don't think it is anything specific to federated identities.
Try copying your [wolfeidau] profile credentials into [default]
Published a new version of the CLI with a fix for this to npm -> 0.1.17. Please install it and feel free to re-open the issue if the problem still persists.
This appears to have regressed; at least with the same actions as OP described, I have the same expectation as OP had, but instead witness the same results OP witnessed.
% amplify --version
0.1.38
@wolfeidau We do support Federated login as a part of the auth category.
From the stack trace you provided, it seems like the AWS credentials you provided during the init/configure process were invalid and that's why this error -> InvalidClientTokenId: The security token included in the request is invalid.
Try running the amplify configure command to set up an IAM user for the CLI to use and then run the amplify init command in your app and use that IAM user when prompted as a part of the init flow.
That reply completely missed the point: we use federated users assuming designated IAM roles specifically to avoid creating IAM users. Creating IAM users is not the recommended best security practice.
I had this problem using a federated identity. I configured Amplify to use a profile but it still uses the default configuration. I got it to work by copying the credentials from the profile into the default in ~/.aws/credentials. I don't think it is anything specific to federated identities.
Try copying your [wolfeidau] profile credentials into [default]
Moving credentials into the [default] profile had no effect, AFAICT.
From https://github.com/aws-amplify/amplify-cli/issues/407#issuecomment-443036004 comes the answer:
Note, you must manually add your profile into .aws/config, or amplify init won't use it.
This "requirement" is not enforced by many other AWS-published CLIs. Creating the named profile in both .aws/config and .aws/credentials caused amplify init to prompt me whether to use a profile, and allowed me to select the profile containing credentials for the federated user.
So, although this is resolved, it indicates another, separate bug with this CLI.
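The condition reported in the last comment (a named profile present in ~/.aws/credentials but missing from ~/.aws/config), as an added diagnostic example that is not part of the original thread or the Amplify CLI's code: it checks each credentials profile for a matching config section and flags temporary (session-token) credentials. The file contents are constructed samples and the function names are hypothetical.

```javascript
// Constructed sample files; all values are placeholders, not real credentials.
const sampleCredentials = `
[default]
aws_access_key_id = xxx
aws_secret_access_key = xxx

[wolfeidau]
aws_access_key_id = xxx
aws_secret_access_key = xxx
aws_session_token = xxx
`;
const sampleConfig = `
[default]
region = us-east-1
`;

// Minimal INI parser: returns { sectionName: { key: value } }.
function parseIni(text) {
  const sections = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const header = line.match(/^\[(.+)\]$/);
    if (header) { current = sections[header[1].trim()] = {}; continue; }
    const eq = line.indexOf('=');
    if (current && eq > 0) current[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return sections;
}

// ~/.aws/config names sections "[profile NAME]" (except "[default]");
// ~/.aws/credentials uses the bare "[NAME]".
function configProfileNames(configText) {
  return Object.keys(parseIni(configText)).map(s => s.replace(/^profile\s+/, ''));
}

// One record per credentials profile: is it also declared in config,
// is it a temporary (STS / federated) credential, and are both key fields present?
function auditProfiles(credentialsText, configText) {
  const inConfig = new Set(configProfileNames(configText));
  return Object.entries(parseIni(credentialsText)).map(([name, kv]) => ({
    name,
    inConfig: inConfig.has(name),
    temporary: 'aws_session_token' in kv,
    complete: 'aws_access_key_id' in kv && 'aws_secret_access_key' in kv,
  }));
}

for (const p of auditProfiles(sampleCredentials, sampleConfig)) {
  console.log(`${p.name}: inConfig=${p.inConfig} temporary=${p.temporary} complete=${p.complete}`);
}
```

To check real files, pass the contents of ~/.aws/credentials and ~/.aws/config to auditProfiles; a profile reported with inConfig=false matches the situation described in the comment above.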