Amplify-cli: 'amplify init' not pulling role_arn when using MFA

Created on 22 Mar 2019 · 9 Comments · Source: aws-amplify/amplify-cli

Description
'amplify init' not pulling role_arn when using MFA.

I get access denied for the user, but it should be using the role:

 AccessDenied: User: arn:aws:iam::number:user/[email protected] is not authorized to perform: cloudformation:CreateStack on resource: arn:aws:cloudformation:eu-west-1:number:stack/pinpoint-number/

To Reproduce
Steps to reproduce the behavior:

  1. Install amplify following https://aws-amplify.github.io/docs/android/start
  2. Run amplify init

Expected behavior
Stack gets created, or the error indicates the role doesn't have permission to create the stack.

Desktop (please complete the following information):

  • OS: Ubuntu 18
  • Version latest

Additional context
I suspect it is related to the MFA and maybe related to this issue:
https://github.com/aws-amplify/amplify-cli/issues/613

Unfortunately, that makes it not usable in my company, as credentials are associated with roles and not with users, and users need to authenticate with MFA.


All 9 comments

@IsmaelMartinez
#613 has already been resolved; the latest version of the CLI has the ability to assume a role and handle MFA.
We have a step-by-step guide on how to create and assume an IAM role here:
https://aws-amplify.github.io/docs/cli/init#assuming-an-iam-role

Please provide the following information so we can help to resolve your issue:
What is the version of the CLI you are using?
How are the user and the role defined in your ~/.aws/config file?
Please share the related contents of your ~/.aws/credentials and ~/.aws/config files. Mask the actual key strings; we only need to see the structure.

Hi @UnleashedMind , Thanks for the quick reply.

I am using version 1.1.8.

My ~/.aws/config file is:

[profile dv]
role_arn=arn:aws:iam::account-id:role/rol-with-permissions
region=eu-west-1

The credentials file is:

[default]
role_arn=arn:aws:iam::account-id:role/rol-with-permissions

[dv-long-term]
role_arn=arn:aws:iam::account-id:role/rol-with-permissions
aws_access_key_id=AccessKeyStuff
aws_secret_access_key=SecretHashKeyStuff
mfa_serial=arn:aws:iam::account-id:mfa/[email protected]
aws_mfa_device=arn:aws:iam::account-id:mfa/[email protected]

[dv]
role_arn=arn:aws:iam::account-id:role/rol-with-permissions
region=eu-west-1
source_profile=default
assumed_role=True
aws_access_key_id=AccessKeyStuff
aws_secret_access_key=SecretHashKeyStuff
aws_session_token=PrettyLongTokenStuff
aws_security_token=PrettyLongTokenStuff
expiration=YYYY-MM-DD hh:mm:ss

I have added the role_arn into each section to see if it did improve the situation. Initially, it was only on the [dv] part.

The env variables AWS_DEFAULT_PROFILE and AWS_PROFILE are "dv".

I can do aws s3 ls and cdk deploys with this configuration, but can't run amplify init.

Thanks!

Your config and credentials files are not correctly set up.
Follow this section of the doc to set them up correctly:
https://aws-amplify.github.io/docs/cli/init#assuming-an-iam-role

The ~/.aws/config file should contain contents like this:

[profile bizcorprole]
role_arn=<role_arn_from_part#1>
source_profile=devcorpuser
mfa_serial=<mfa_serial_from_part_2.3---optional>
external_id=<external_id_as_mentioned_in_part#1--optional>
region=us-east-1

[profile devcorpuser]
region=us-east-1

And the ~/.aws/credentials file should contain contents like this:

[devcorpuser]
aws_access_key_id=<key_id_from_part_2.2>
aws_secret_access_key=<secret_access_key_from_part_2.2>

and when the CLI prompts you to select a profile, do NOT select the user, but select the profile associated with the role.

This issue is in the same category as https://github.com/aws-amplify/amplify-cli/issues/1072

Closing this issue. If you're still blocked on this, feel free to re-open or respond to this thread.
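As an added example (not amplify-cli code), a small Python lint that checks a profile against the layout the maintainer describes above: the role profile in ~/.aws/config carries role_arn and source_profile, the source profile in ~/.aws/credentials carries the static keys, and mfa_serial sits beside role_arn in config. Both file pairs are constructed; account ids, ARNs and keys are placeholders.

```python
"""Lint an assume-role profile layout (added example, not amplify-cli code)."""
import configparser

# Constructed sample shaped like the reporter's files: the role profile has no
# source_profile, and role_arn / mfa_serial live in the credentials file.
BROKEN_CONFIG = """
[profile dv]
role_arn=arn:aws:iam::111111111111:role/rol-with-permissions
region=eu-west-1
"""
BROKEN_CREDENTIALS = """
[default]
role_arn=arn:aws:iam::111111111111:role/rol-with-permissions

[dv-long-term]
aws_access_key_id=AKIA_PLACEHOLDER
aws_secret_access_key=SECRET_PLACEHOLDER
mfa_serial=arn:aws:iam::111111111111:mfa/user
"""
# Constructed sample following the documented layout.
FIXED_CONFIG = """
[profile dv]
role_arn=arn:aws:iam::111111111111:role/rol-with-permissions
source_profile=dv-long-term
mfa_serial=arn:aws:iam::111111111111:mfa/user
region=eu-west-1
"""
FIXED_CREDENTIALS = """
[dv-long-term]
aws_access_key_id=AKIA_PLACEHOLDER
aws_secret_access_key=SECRET_PLACEHOLDER
"""

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None)  # ARNs are literal strings
    cp.read_string(text)
    return cp

def lint_role_profile(config_text, credentials_text, profile):
    """Return findings for `profile`; an empty list means the layout matches the doc."""
    cfg, creds = _parse(config_text), _parse(credentials_text)
    section = f"profile {profile}"
    if not cfg.has_section(section):
        return [f"[{section}] missing from config"]
    role, findings = cfg[section], []
    if "role_arn" not in role:
        findings.append(f"[{section}] has no role_arn")
    src = role.get("source_profile")
    if src is None:
        findings.append(f"[{section}] has no source_profile, so there are no user keys to assume the role with")
    elif not creds.has_section(src):
        findings.append(f"source_profile '{src}' has no section in credentials")
    else:
        findings += [f"[{src}] lacks {k}" for k in ("aws_access_key_id", "aws_secret_access_key") if k not in creds[src]]
    for name in creds.sections():  # role settings belong in the config role profile
        findings += [f"[{name}] in credentials carries {k}; move it to [{section}] in config"
                     for k in ("role_arn", "mfa_serial") if k in creds[name]]
    return findings
```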

I will check it once I am back from holidays but thanks for the info/help.

@kaustavghosh06 @UnleashedMind do you no longer support this? The documentation got nuked.

@jkeys-ecg-nmsu We have this doc out here - https://aws-amplify.github.io/docs/cli-toolchain/usage#iam-roles--mfa

@kaustavghosh06 yeah sorry, I found it. I was referencing these posts, which have a broken URL: https://github.com/aws-amplify/amplify-cli/issues/1100#issuecomment-475717527 https://github.com/aws-amplify/amplify-cli/issues/1100#issuecomment-476787423

@jkeys-ecg-nmsu We refactored our docs and some sub-links are not redirected correctly.
