Amplify-cli: Support for Session-Based Credentials

Created on 15 May 2020 · 2 Comments · Source: aws-amplify/amplify-cli

Describe the bug
I prefer _not_ to store long-lived credentials in my ~/.aws/credentials, to increase my security posture.

The AWS CLI supports the use of short-lived, session-scoped credentials. This topic is discussed here.

I am trying to provide credentials to amplify CLI in the same way.

When I do amplify init ., the command will _fail_ if I am using environment-based session credentials:

```
Using default provider  awscloudformation
AWS access credentials can not be found.
? Setup new user No

For more information on AWS Profiles, see:
https://docs.aws.amazon.com/cli/latest/userguide/cli-multiple-profiles.html

? accessKeyId:  ASIAXWWQ3X**********
? secretAccessKey:  /fNQ4zvx+C6dh2yFAud/********************
? region:  us-east-1
init failed
Error: Profile configuration is missing for: default
    at Object.getProfiledAwsConfig (/usr/local/lib/node_modules/@aws-amplify/cli/node_modules/amplify-provider-awscloudformation/lib/system-config-manager.js:82:11)
    at Object.getAwsConfig (/usr/local/lib/node_modules/@aws-amplify/cli/node_modules/amplify-provider-awscloudformation/lib/configuration-manager.js:638:45)
    at Object.run (/usr/local/lib/node_modules/@aws-amplify/cli/node_modules/amplify-provider-awscloudformation/lib/initializer.js:23:50)
    at processTicksAndRejections (internal/process/task_queues.js:93:5)
```

Amplify CLI Version
4.13.4

To Reproduce

  1. amplify init .
  2. Blah blah...
  3. Setup new user? No.
  4. Copy paste access key / secret key. Choose us-east-1 as region.
  5. Observe it blow up

Expected behavior
When I say "No" to setup new user, the CLI should inspect my environment and see that I have session credentials available. It shouldn't prompt me to paste stuff.

Desktop (please complete the following information):

  • Mac OS X @ 10.14.6 (18G3020)
  • Node @ v12.12.0

Additional context
Information about my environment:

```
cat ~/.aws/credentials | wc
       0       0       0
# Redacting the values, but they're there.
declare | awk -F\= '/^AWS_/ { print $1 }'
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
AWS_SESSION_TOKEN
```

All 2 comments

The error that you saw is a bug; I'm currently working on a fix.
However, in order to use temp credentials with the Amplify CLI, you cannot use the workflow you listed above. That workflow does not take temp credentials.
In order to use temp credentials, you need to manually set up a profile in the ~/.aws/config and the ~/.aws/credentials file with the aws_session_token in the profile (doc), and then when you run amplify init on your project, select that profile when prompted.
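
The manual profile setup described in the comment above, sketched as an added example that is not part of the original thread or of the Amplify CLI: it copies the session credentials already present in the environment into a named profile, keeps the files owner-only, and replaces the profile on each refresh so an expired token is not left behind. The profile name `amplify-session`, the function names and the `us-east-1` fallback region are assumptions.

```shell
#!/bin/sh
# Added example (not Amplify CLI code). Usage, with a placeholder profile name:
#   write_session_profile amplify-session

# Print INI file $1 without the section whose header is exactly "[$2]".
strip_section() {
  [ -f "$1" ] || return 0
  awk -v hdr="[$2]" '
    /^\[/ { skip = ($0 == hdr) }   # a new header starts or ends the skipped section
    !skip { print }
  ' "$1"
}

# Write profile $1 into directory $2 (default ~/.aws) from the AWS_* variables.
write_session_profile() {
  profile=$1
  aws_dir=${2:-"$HOME/.aws"}
  region=${AWS_DEFAULT_REGION:-us-east-1}   # assumed fallback region

  # Temporary credentials need all three values; refuse a partial set.
  for v in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || { echo "missing $v" >&2; return 1; }
  done

  (
    umask 077                      # new files are created owner read/write only
    mkdir -p "$aws_dir" || exit 1
    cred="$aws_dir/credentials"
    conf="$aws_dir/config"
    # Build each file beside the original, then rename over it, so the old
    # section for this profile is replaced rather than duplicated.
    strip_section "$cred" "$profile" > "$cred.tmp" &&
    printf '[%s]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n' \
      "$profile" "$AWS_ACCESS_KEY_ID" "$AWS_SECRET_ACCESS_KEY" \
      "$AWS_SESSION_TOKEN" >> "$cred.tmp" &&
    mv "$cred.tmp" "$cred" &&
    strip_section "$conf" "profile $profile" > "$conf.tmp" &&
    printf '[profile %s]\nregion = %s\n' "$profile" "$region" >> "$conf.tmp" &&
    mv "$conf.tmp" "$conf"
  )
}
```

Re-run the function whenever the session is renewed, then select the profile when `amplify init` prompts for one.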

Closing as stale for now to clear my open issues list. Will re-open if I can reference this from a contributed PR.
