Describe the bug
I created a new amplify project using amplify cli. Then I added an auth component and pushed it to the cloud. I tried adding a new environment and selected a different profile for this environment. Pushing to the cloud created the stack in the same AWS account as the first environment.
To Reproduce
Steps to reproduce the behavior:
amplify init
amplify add auth
amplify push
amplify env add
amplify push
AWS profiles are configured using .aws/credentials, aws configure list outputs the following:
Default:
Name        Value                 Type                     Location
----        -----                 ----                     --------
profile     <not set>             None                     None
access_key  ****************CZ3Q  shared-credentials-file
secret_key  ****************3KT4  shared-credentials-file
region      eu-central-1          config-file              ~/.aws/config
Other:
Name        Value                 Type                     Location
----        -----                 ----                     --------
profile     production            manual                   --profile
access_key  ****************2K6L  assume-role
secret_key  ****************wdpP  assume-role
region      eu-central-1          config-file              ~/.aws/config
Local aws info file looks like this:
{
  "dev": {
    "configLevel": "project",
    "useProfile": true,
    "profileName": "default"
  },
  "prod": {
    "configLevel": "project",
    "useProfile": true,
    "profileName": "production"
  }
}
Expected behavior
I would expect amplify to deploy the new env to the new profile. But it doesn't. We use one account for dev and one for production, using a role to switch.
Could you please show us the contents of your ~/.aws/config and ~/.aws/credentials files? Please use the strings <access_key_id> and <secrect_access_key> to replace the actual key strings, we just need to see the structure.
The aws configure list command lists the current configuration for the aws cli; it does not apply to the amplify cli.
When you say, "We use one account for dev and one for production, using a role to switch.", how did you set it up?
If that's the case, you should select the profiles with the roles, instead of the dev and production credentials.
Please follow the steps outlined in this document:
https://aws-amplify.github.io/docs/cli/init#assuming-an-iam-role
Here are my credentials and config:
[default]
aws_access_key_id=<access_key_id>
aws_secret_access_key=<secrect_access_key>
[production]
role_arn=arn:aws:iam::<account_id>:role/CrossAccountSignin
source_profile=default
[default]
region=eu-central-1
output=json
[profile production]
region=eu-central-1
output=json
Here is a full log from amplify:
$ amplify env add
Note: It is recommended to run this command from the root of your app directory
? Do you want to use an existing environment? No
? Enter a name for the environment prod
Using default provider awscloudformation
For more information on AWS Profiles, see:
https://docs.aws.amazon.com/cli/latest/userguide/cli-multiple-profiles.html
? Do you want to use an AWS profile? Yes
? Please choose the profile you want to use production
⠇ Initializing project in the cloud...
CREATE_IN_PROGRESS bbx-admin-20190321100710 AWS::CloudFormation::Stack Thu Mar 21 2019 10:07:10 GMT+0100 (Central European Standard Time) User Initiated
CREATE_IN_PROGRESS DeploymentBucket AWS::S3::Bucket Thu Mar 21 2019 10:07:15 GMT+0100 (Central European Standard Time)
CREATE_IN_PROGRESS AuthRole AWS::IAM::Role Thu Mar 21 2019 10:07:15 GMT+0100 (Central European Standard Time)
CREATE_IN_PROGRESS UnauthRole AWS::IAM::Role Thu Mar 21 2019 10:07:15 GMT+0100 (Central European Standard Time)
⠋ Initializing project in the cloud...
CREATE_IN_PROGRESS AuthRole AWS::IAM::Role Thu Mar 21 2019 10:07:16 GMT+0100 (Central European Standard Time) Resource creation Initiated
CREATE_IN_PROGRESS UnauthRole AWS::IAM::Role Thu Mar 21 2019 10:07:16 GMT+0100 (Central European Standard Time) Resource creation Initiated
CREATE_IN_PROGRESS DeploymentBucket AWS::S3::Bucket Thu Mar 21 2019 10:07:17 GMT+0100 (Central European Standard Time) Resource creation Initiated
⠧ Initializing project in the cloud...
CREATE_COMPLETE AuthRole AWS::IAM::Role Thu Mar 21 2019 10:07:33 GMT+0100 (Central European Standard Time)
CREATE_COMPLETE UnauthRole AWS::IAM::Role Thu Mar 21 2019 10:07:34 GMT+0100 (Central European Standard Time)
⠏ Initializing project in the cloud...
CREATE_COMPLETE DeploymentBucket AWS::S3::Bucket Thu Mar 21 2019 10:07:37 GMT+0100 (Central European Standard Time)
CREATE_COMPLETE bbx-admin-20190321100710 AWS::CloudFormation::Stack Thu Mar 21 2019 10:07:40 GMT+0100 (Central European Standard Time)
✔ Successfully created initial AWS cloud resources for deployments.
✔ Initialized provider successfully.
Initialized your environment successfully.
Your project has been successfully initialized and connected to the cloud!
Some next steps:
"amplify status" will show you what you've added already and if it's locally configured or deployed
"amplify <category> add" will allow you to add features like user login or a backend API
"amplify push" will build all your local backend resources and provision it in the cloud
"amplify publish" will build all your local backend and frontend resources (if you have hosting category added) and provision it in the cloud
Pro tip:
Try "amplify add api" to create a backend API and then "amplify publish" to deploy everything
Even though I selected the "production" profile, the stack is created in the default profile.
I read through the Assuming an IAM role docs, but I might be misunderstanding what it is actually trying to achieve, because the final step is to put an access key and secret key in credentials, but I don't have any access key and secret key; I only have my dev account and a role to access the production environment.
Your config and credentials files are not correctly set up.
Follow this section of the doc to correctly set them up:
https://aws-amplify.github.io/docs/cli/init#assuming-an-iam-role
The ~/.aws/config file should contain contents like this:
[default]
region=eu-central-1
output=json
[profile production]
role_arn=arn:aws:iam::<account_id>:role/CrossAccountSignin
source_profile=default
region=eu-central-1
output=json
And the ~/.aws/credentials file should contain contents like this:
[default]
aws_access_key_id=<access_key_id>
aws_secret_access_key=<secrect_access_key>
And when the cli prompts you to select a profile, do NOT select the user, but select the profile associated with the role.
Thank you for your response, the problem seems to be in the fact that serverless, which we use for other projects, expects the role to be set in credentials and not config. So for anyone else trying to find the right config, it works if you copy-paste the role into both. Strangely, aws cli itself "sees" both.
~/.aws/credentials
[default]
aws_access_key_id=<access_key_id>
aws_secret_access_key=<secrect_access_key>
# Put your role_arn here to work with serverless
[production]
role_arn=arn:aws:iam::<account_id>:role/CrossAccountSignin
source_profile=default
~/.aws/config
[default]
region=eu-central-1
output=json
# Put your role_arn here to work with amplify
[profile production]
role_arn=arn:aws:iam::<account_id>:role/CrossAccountSignin
source_profile=default
region=eu-central-1
output=json
You can close this issue now, thank you again.
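A check for the mismatch this thread ends on, as an added example that is not part of the original issue or of the Amplify CLI: it parses both files and reports, per profile, which file carries role_arn and which account that role points at. The sample file contents and the account ID 111111111111 are constructed, and audit_profiles is a hypothetical helper name.

```python
import configparser

# Constructed sample files mirroring the layout first posted in this thread:
# the role is defined only in ~/.aws/credentials.
CREDENTIALS = """\
[default]
aws_access_key_id=<access_key_id>
aws_secret_access_key=<secret_access_key>
[production]
role_arn=arn:aws:iam::111111111111:role/CrossAccountSignin
source_profile=default
"""
CONFIG = """\
[default]
region=eu-central-1
[profile production]
region=eu-central-1
"""

def _sections(text, strip_prefix):
    """Parse one AWS INI file into {profile_name: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    out = {}
    for name in parser.sections():
        # ~/.aws/config names non-default profiles "[profile NAME]"
        prefixed = strip_prefix and name.startswith("profile ")
        out[name[len("profile "):] if prefixed else name] = dict(parser[name])
    return out

def audit_profiles(config_text, credentials_text):
    """Report, per profile, which file defines role_arn and the target account."""
    files = {"config": _sections(config_text, True),
             "credentials": _sections(credentials_text, False)}
    report = {}
    for profile in sorted(set(files["config"]) | set(files["credentials"])):
        role_in = [f for f in ("config", "credentials")
                   if "role_arn" in files[f].get(profile, {})]
        arns = {files[f][profile]["role_arn"] for f in role_in}
        report[profile] = {
            "role_defined_in": role_in,
            # The account ID is the fifth colon-separated field of a role ARN
            "accounts": sorted(arn.split(":")[4] for arn in arns),
            # Consistent: role in both files (same ARN) or in neither
            "consistent": len(role_in) in (0, 2) and len(arns) <= 1,
        }
    return report
```

A profile reported as inconsistent has its role in only one file, or different roles in the two, which is the state in which the tools named in this thread resolved the production profile differently.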