Amplify-cli: Construct the credentials from environment variables

Created on 7 Nov 2018 · 3 Comments · Source: aws-amplify/amplify-cli

Is your feature request related to a problem? Please describe.
We don't have any IAM users in the AWS accounts in which we run our solutions. We always interact with the AWS accounts with federated users. We are not allowed to store access key ids and secrets outside a vault (we are using macos keychain). For command-line scripts we use aws-vault (see additional context for an example).

Describe the solution you'd like
I would like the amplify cli to construct the credentials from environment variables, just like the regular aws cli. This is a generic solution not specific to any tool. A tool like aws-vault generates the necessary environment variables.

AWS_REGION=eu-west-1
AWS_ACCESS_KEY_ID=XXX
AWS_SECRET_ACCESS_KEY=XXX
AWS_SESSION_TOKEN=XXX

Describe alternatives you've considered
There is no workaround that is compliant with our company policies.

Additional context
amplify --version > 0.1.32

Running the init command now fails:

aws-vault exec solution-profile -- amplify init

? Choose your default editor: Visual Studio Code
? Choose the type of app that you're building javascript
Please tell us about your project
? What javascript framework are you using react
? Source Directory Path:  src
? Distribution Directory Path: build
? Build Command:  npm run-script build
? Start Command: npm run-script start
Using default provider awscloudformation

For more information on AWS Profiles, see:
https://docs.aws.amazon.com/cli/latest/userguide/cli-multiple-profiles.html

? accessKeyId:  <YOUR_ACCE**********
? secretAccessKey:  <YOUR_SECRET************
? region:  eu-west-1
init failed
Error: Invalid configuration settings
    at configProject.then.then (/usr/local/lib/node_modules/@aws-amplify/cli/node_modules/amplify-provider-awscloudformation/lib/configuration-manager.js:57:13)
    at <anonymous>
    at process._tickDomainCallback (internal/process/next_tick.js:228:7)

Note we want to leave the accessKeyId and secretAccessKey empty, because they are provided in environment variables.

configure feature-request

All 3 comments

@UnleashedMind Our company is facing the same issue. Could you please provide any timeline for this feature?

Same. I tried to make a workaround per https://docs.aws.amazon.com/cli/latest/topic/config-vars.html, using credential_process to retrieve the credentials. That did not work as amplify appears to be trying to read the .aws/credentials file itself and not support this option.

So instead I wrote a script to modify the keys in the `.aws/credentials` file, adding it to my existing script for setting up my environment.

PROFILE=my-aws-profile
# Your process that sets your AWS environment:
# source $HOME/bin/ssologin.sh $PROFILE

# Update credentials file
CRED="$HOME/.aws/credentials"
# Keep a copy of the previous file
cp "$CRED" "${CRED}.old"
# Copy everything except the existing [PROFILE] section (skipped up to the next blank line)
awk "/\[${PROFILE}\]/ { skip=1 } /^$/ { skip = 0 } { if (skip != 1) print }" "${CRED}.old" > "$CRED"
# Append the profile again with the credentials from the current environment
echo "[${PROFILE}]" >> "$CRED"
echo "aws_access_key_id=$AWS_ACCESS_KEY_ID" >> "$CRED"
echo "aws_secret_access_key=$AWS_SECRET_ACCESS_KEY" >> "$CRED"
echo "aws_session_token=$AWS_SESSION_TOKEN" >> "$CRED"

Note, you must manually add your profile into .aws/config, or amplify init won't use it. I didn't script this because it doesn't change.

[profile my-aws-profile]
region=us-west-2
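
A hardened variant of the credentials-file update in the comment above, added here as an example and not part of the original thread or of amplify-cli: it ends the replaced section at the next `[...]` header instead of a blank line, writes through an owner-only temporary file, and refuses to run when a session variable is missing. The function name `update_profile_creds` is hypothetical; the default path is the one the comment uses.

```shell
#!/bin/sh
# Added example (not the commenter's script). update_profile_creds is a
# hypothetical helper: update_profile_creds PROFILE [CREDENTIALS_FILE]
update_profile_creds() (
    profile=$1
    cred=${2:-$HOME/.aws/credentials}
    # Refuse to write a section with missing values.
    if [ -z "${AWS_ACCESS_KEY_ID:-}" ] || [ -z "${AWS_SECRET_ACCESS_KEY:-}" ] ||
       [ -z "${AWS_SESSION_TOKEN:-}" ]; then
        echo "session credentials missing from environment" >&2
        exit 1
    fi
    umask 077                       # anything created here is owner-only
    mkdir -p "$(dirname "$cred")"
    touch "$cred"
    tmp=$(mktemp "${cred}.XXXXXX") || exit 1
    # Copy every section except [profile]. A section ends at the next
    # "[...]" header, so files without blank lines between sections work.
    awk -v want="[$profile]" '
        { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line) }
        line ~ /^\[/ { skip = (line == want) }
        !skip { print }
    ' "$cred" > "$tmp" || { rm -f "$tmp"; exit 1; }
    # printf is a shell builtin, so the secrets never appear in a process
    # argument list.
    {
        printf '[%s]\n' "$profile"
        printf 'aws_access_key_id=%s\n' "$AWS_ACCESS_KEY_ID"
        printf 'aws_secret_access_key=%s\n' "$AWS_SECRET_ACCESS_KEY"
        printf 'aws_session_token=%s\n' "$AWS_SESSION_TOKEN"
    } >> "$tmp"
    # Rename into place: readers never see a half-written file, and the
    # result carries the temporary file's 0600 mode.
    mv "$tmp" "$cred"
)
```

Unlike the script in the comment, this variant leaves no `.old` copy of the previous credentials on disk.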

I have managed to get a solution working with aws-vault which uses MFA and is federated from a parent account that only deals with user access. It works as follows.

My ./aws/config looks like

[profile PROFILE_NAME]
output=json
region=eu-west-1
source_profile=PROFILE_VAULT_USES
role_arn=arn:aws:iam::AWS_ACCOUNT:role/rolename
mfa_serial=arn:aws:iam::AWS_ACCOUNT_MFA:mfa/MFA_NAME

[profile amplify-PROFILE_NAME]
output=json
region=eu-west-1
credential_process=aws-vault exec PROFILE_NAME --json

You can then run:
aws-vault exec PROFILE_NAME amplify init

When you are asked "Please choose the profile you want to use", you can then choose

amplify-PROFILE_NAME

Everything after that can be run as:

aws-vault exec PROFILE_NAME amplify status
