[Feature Request] Amplify CLI support AWS SSO

[v1pz3n]

Describe the bug

$ amplify env pull
⠦ Fetching updates to backend environment: dev from the cloud.(node:10308) UnhandledPromiseRejectionWarning: Error: connect EHOSTUNREACH 169.254.169.254:80
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1141:16)
(Use `node --trace-warnings ...` to show where the warning was created)
(node:10308) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 1)
(node:10308) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.
⠋ Fetching updates to backend environment: dev from the cloud.

Amplify CLI Version
4.21.1

To Reproduce

1. aws sso login --profile dev
2. amplify pull or amplify env pull

Expected behavior
Update my local development environment

Desktop

• OS: Linux Mint 19.3
• Node Version. v14.3.0

[ahansson89]

I have a problem adding a new env with the Amplify CLI that uses a SSO profile. Getting

init failed
Error: connect ETIMEDOUT 169.254.169.254:80
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1141:16) {
  message: 'Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1',
  errno: 'ETIMEDOUT',
  code: 'CredentialsError',
  syscall: 'connect',
  address: '169.254.169.254',
  port: 80,
  time: 2020-06-08T05:08:14.592Z,
  originalError: {
    message: 'Could not load credentials from any providers',
    errno: 'ETIMEDOUT',
    code: 'CredentialsError',
    syscall: 'connect',
    address: '169.254.169.254',
    port: 80,
    time: 2020-06-08T05:08:14.592Z,
    originalError: {
      message: 'EC2 Metadata roleName request returned error',
      errno: 'ETIMEDOUT',
      code: 'ETIMEDOUT',
      syscall: 'connect',
      address: '169.254.169.254',
      port: 80,
      time: 2020-06-08T05:08:14.592Z,
      originalError: [Object]
    }
  }
}

[v1pz3n]

I tried another way but I also had problems.

You must delete the "amplify" directory of your project

$ aws sso login --profile amplify

Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.us-east-1.amazonaws.com/

Then enter the code:

XXXX-XXXX
Successully logged into Start URL: https://amplify.awsapps.com/start

$ amplify pull

For more information on AWS Profiles, see:
https://docs.aws.amazon.com/cli/latest/userguide/cli-multiple-profiles.html

? Do you want to use an AWS profile? Yes
? Please choose the profile you want to use amplify

Error: connect EHOSTUNREACH 169.254.169.254:80
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1141:16) {
  message: 'Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1',
  errno: -113,
  code: 'CredentialsError',
  syscall: 'connect',
  address: '169.254.169.254',
  port: 80,
  time: 2020-06-13T22:09:10.614Z,
  originalError: {
    message: 'Could not load credentials from any providers',
    errno: -113,
    code: 'CredentialsError',
    syscall: 'connect',
    address: '169.254.169.254',
    port: 80,
    time: 2020-06-13T22:09:10.614Z,
    originalError: {
      message: 'EC2 Metadata roleName request returned error',
      errno: -113,
      code: 'EHOSTUNREACH',
      syscall: 'connect',
      address: '169.254.169.254',
      port: 80,
      time: 2020-06-13T22:09:10.614Z,
      originalError: [Object]
    }
  }
}

[vgoetz]

Hi folks,

we also face a similar problem with slightly different error messages.
I've tried to describe it here also for the 'amplify init' command:

Issue when AWS Profile unable to run amplify init

[benkehoe]

You may be able to use aws-sso-credential-process with AWS_SDK_LOAD_CONFIG=1 set to enable AWS SSO credentials to be used.

If that doesn't work, there is a workaround, developed for the CDK (which has the same problem): aws/aws-cdk#5455 (comment)

[nishitjain13]

The aws2-wrap method referenced by @benkehoe is working absolutely fine for CDK. However, the amplify issue isn't getting resolved by it. Is there some other way that anyone has been able to get the amplify to work with sso credentials since the time this issue was first created?

[MFranca]

Hey, folks, let me know if this helps, since I was facing a very similar problem and (I think) I "fixed" it:
Setup

• Multiple AWS Accounts in AWS Organization with AWS Single Sign-On enabled for those accounts;
• Amplify with Angular (10) SPA - using basically (import) auth and (add) hosting;
  Issue: multiple profiles not working or amplify ends up publishing in the wrong (default) account.

$> amplify publish -c
× There was an error pulling the backend environment dev.
An error occurred during the push operation: The provided token has expired.

Fixing:

1. Run $> aws configure sso (for each AWS Account/profile) ==> this will update (only) the ~/.aws/config (Linux & Mac) or %USERPROFILE%.aws\config (Windows) file;
2. Copy the information from the SSO User Portal URL (repeat this step when the token expires) - command line or programmatic access (Option 2: Add a profile to your AWS credentials file) ==> user portal is something like 'https://xyz.awsapps.com/start#/'
3. Edit the ~/.aws/credentials (Linux & Mac) or %USERPROFILE%.aws/credentials (Windows) and paste the information from add cancel to delete and minor readme/help text changes #2. Save;
4. Run the command again: success.

[benkehoe]

@nishitjain13 Did you try the credential_process method using aws-sso-util instead of aws2-wrap? I have updated the documentation for it here.

Additionally, aws-export-credentials supports AWS SSO and allows you to inject environment variables with your credentials.

[urz9999]

In case like this one or other similar cases where AWS SSO result in incompatibilities with your library and you don't want to play with workarounds or complicated fixes, maybe you can also give a try to our open-source project: https://github.com/Noovolari/leapp. It deals with AWS SSO authentication and accounts/roles retrieval then it creates short-lived temporary credentials in .aws/credentials to maximize compatibility with third party tools / sdks.

[pantone170145]

Did you try the credential_process method using aws-sso-util instead of aws2-wrap? I have updated the documentation for it here.

@benkehoe
Thank you. I solved the problem in my environment (aws-amplify/cli 4.41.2).
I needed AWS_SDK_LOAD_CONFIG=1

[mrserverless]

I followed the above instructions with AWS_SDK_LOAD_CONFIG=1 using credential_process method with aws-sso-util. However it appears that the AWS CLI completely ignores the credential process as per this issue here: #6882

[mrserverless]

Ok I figured out the issue. For this credential_process to work, all of the following conditions must be met:

• Set AWS_SDK_LOAD_CONFIG=1
• Set AWS_Profile={your profile}
• Run amplify init and select the same {your profile} when prompted

[tjmcewan]

Also an (empty) ~/.aws/credentials file needed. #6882 (comment)

[stormlrd]

A workaround I just got working was to make another profile with the credential_process set to call the sso login command, i.e.

[profile admin]
sso_start_url = https://xxxxxxxx.awsapps.com/start#/
sso_region = us-east-1
sso_account_id = xxxxxxxxxx
sso_role_name = AWSAdministratorAccess
region = us-east-1
output = json

[profile admin-amplify]
credential_process = aws sso login --profile admin

Note: you'll need to replace the values for the profile names, sso_start_url, sso_account_id for this to work for your situation

Then when using the amplify CLI set the profile to the amplify one, in this case: admin-amplify

thanks mate. this issue has had me stumped for hours and this is the only thing that has worked 100% clearly every time. so this goes into my process docs for now. cheers!

[qwikag]

A workaround I just got working was to make another profile with the credential_process set to call the sso login command, i.e.

[profile admin]
sso_start_url = https://xxxxxxxx.awsapps.com/start#/
sso_region = us-east-1
sso_account_id = xxxxxxxxxx
sso_role_name = AWSAdministratorAccess
region = us-east-1
output = json

[profile admin-amplify]
credential_process = aws sso login --profile admin

Note: you'll need to replace the values for the profile names, sso_start_url, sso_account_id for this to work for your situation

Then when using the amplify CLI set the profile to the amplify one, in this case: admin-amplify

Yes but SET IT WHERE?

[stormlrd]

A workaround I just got working was to make another profile with the credential_process set to call the sso login command, i.e.

[profile admin]
sso_start_url = https://xxxxxxxx.awsapps.com/start#/
sso_region = us-east-1
sso_account_id = xxxxxxxxxx
sso_role_name = AWSAdministratorAccess
region = us-east-1
output = json

[profile admin-amplify]
credential_process = aws sso login --profile admin

Note: you'll need to replace the values for the profile names, sso_start_url, sso_account_id for this to work for your situation

Then when using the amplify CLI set the profile to the amplify one, in this case: admin-amplify

Yes but SET IT WHERE?

The example is representative of profiles in the aws cli config file.

[qwikag]

The example is representative of profiles in the aws cli config file.

the comment clearly says "Then when using the amplify CLI set the profile to the amplify one, in this case: admin-amplify"

but what does that mean, where do you "SET" it? how is this setup used?

It is commentary like this that has meant nobody has a clue how this all works, and noobs come along and fumble with it for days on end.

[qwikag]

And btw the documentation clearly has many ways of configuring Auth in CLI, and Amplify CLI does not seem to operate within AWS CLI boundaries.
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html

[stormlrd]

The example is representative of profiles in the aws cli config file.

the comment clearly says "Then when using the amplify CLI set the profile to the amplify one, in this case: admin-amplify"

but what does that mean, where do you "SET" it? how is this setup used?

It is commentary like this that has meant nobody has a clue how this all works, and noobs come along and fumble with it for days on end.

sorry .. I guess what they should have said was... When using the amplify CLI , SELECT the admin-amplify profile from the list as the amplify CLI steps you through asking for what type of credential you want to use. one should be selecting the "profile" option, and then the profiles from the aws cli config file are read and presented in the list.. instead of picking the one with the sso settings you pick the one with the "credential_process =" defined in it.. and it doesn't make a difference what the profile names are.. you can change them.. this is the structure of how to do it.

[qwikag]

sorry .. I guess what they should have said was...

Sorry but this does not help either.

[stormlrd]

sorry .. I guess what they should have said was...

Sorry but this does not help either.

[OperationalFallacy]

A simple question: when amplify commands run, what profile or credentials are these commands using? There are no keys exported, no default profiles - everything is SSO based.

Where is this information about profile stored in amplify? How to change it?

[OperationalFallacy]

I'm trying to understand design philosophy here. Amplify cli by default forces users to create an IAM long-lived key and secret. Which is a big no-no.
What's the consideration for these defaults?

What's the alternative for security-aware organization with SSO?

amplify configure
Follow these steps to set up access to your AWS account:

Sign in to your AWS administrator account:
https://console.aws.amazon.com/
Press Enter to continue

Specify the AWS Region
? region:  us-east-1
Follow the instructions at
https://docs.amplify.aws/cli/start/install/#configure-the-amplify-cli

to complete the user creation in the AWS console
https://console.aws.amazon.com/iamv2/home#/users/create
Press Enter to continue

Enter the access key of the newly created user:
? accessKeyId:  [hidden] 

[romeubertho]

I tried the workaround @josefaidt proposed in the comments and the one by @kiborkm here. Unfortunately, I did not have success in both approaches :(
amplify version: 12.3.0
aws cli version: aws-cli/2.9.19 Python/3.9.11 Linux/5.10.102.1-microsoft-standard-WSL2 exe/x86_64.ubuntu.20 prompt/off

When I do amplify init and choose my SSO profile I always get the following:

🛑 The security token included in the request is expired

Learn more at: https://docs.amplify.aws/cli/project/troubleshooting/

Session Identifier: 0624a60c-87a1-4d95-b3d5-52ce6053cf6c

I did the following workaround to work:

• Created a new profile in ~/.aws/config

[profile amplify-dev]
region=us-east-1

• Added a function in ~/.bashrc

function amplify-dev(){
    aws sso login --profile dev
    CREDENTIALS=$(aws configure export-credentials --profile dev)
    aws configure set aws_access_key_id $(echo $CREDENTIALS | jq -r '.AccessKeyId') --profile amplify-dev
    aws configure set aws_secret_access_key $(echo $CREDENTIALS | jq -r '.SecretAccessKey') --profile amplify-dev
    aws configure set aws_session_token $(echo $CREDENTIALS | jq -r '.SessionToken') --profile amplify-dev
}

For this workaround work you need to make sure you have:

1. jq installed, othwerwise just sudo apt install jq
2. a SSO profile called dev in ~/.aws/config

The amplify-dev function will make SSO login, get the credentials, and add/update it to ~/.aws/credentials to amplify-dev profile.

[justinwiley]

This issue/bug/feature has been stuck in limbo for more than 3 years, and as a result Amplify developers working in multi-account environments with SSO (ie following AWS's well-architected framework) have to hand-roll a variety of their own authentication scripts or copy and paste values out of the web interface to do something that should be seamless.

Is there any way this can be upgraded in priority @SwaySway @siegerts and assigned a label that indicates it is core functionality of Amplify instead of a feature?

[qwikag]

credential_process=aws sso login --profile mysso-profile

@josefaidt
your example is different to the person that you quoted!

they use a double profile approach in the config file, 1st profile refers to the second.
yours is in a single profile with an SSO profile

??????????????

[scarybot]

This seems to be a fundamental problem which undercuts Amplify's usability. I can't recommend this to my team if their first interaction with it will be a hacky auth workaround. It's essential that this tool supports SSO.

[r-colvin]

hi all! trying to follow the above but continuously getting the error

amplify init    
Note: It is recommended to run this command from the root of your app directory
? Enter a name for the project myamplifyapp
The following configuration will be applied:

Project information
| Name: myamplifyapp
| Environment: dev
| Default editor: Visual Studio Code
| App type: javascript
| Javascript framework: react
| Source Directory Path: src
| Distribution Directory Path: build
| Build Command: npm run-script build
| Start Command: npm run-script start

? Initialize the project with the above configuration? Yes
Using default provider  awscloudformation
? Select the authentication method you want to use: AWS profile

For more information on AWS Profiles, see:
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html

? Please choose the profile you want to use amplify-sso-profile
🛑 The security token included in the request is invalid.

Learn more at: https://docs.amplify.aws/cli/project/troubleshooting/

in my ~/.aws/config I have an sso-session defined and a profile that uses that sso-session

[profile aws-profile]
sso_session = aws-sso-session
sso_account_id = xxxx
sso_role_name = xxxx
region = xxxx
output = json

[session aws-sso-session]
sso_start_url = xxx
sso_region = xxx
sso_registration_scopes = xxx

this works perfecly, for example: aws sso login --profile aws-profile logs me in, and I can execute commands in the accounts aws-profile is configured for example aws s3 ls --profile aws-profile

now for the amplify cli, I have added the following

[profile amplify-sso-profile]
credential_process = "aws configure export-credentials --profile aws-profile"

but having the issue as shown in the log message (The security token included in the request is invalid.)

as per https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html

The AWS CLI runs the command as specified in the profile and then reads data from STDOUT. The command you specify must generate JSON output on STDOUT that matches the following syntax.

so I am not sure why this is not working?

• I am doing aws sso login --profile aws-profile before running amplify init
• aws s3 ls --profile aws-profile works after logging-in and before running amplify init
• I have removed the second-profile ([profile amplify-sso-profile]) and converted [profile aws-profile] as follows, however amplify init (choosing the right profile) still fails with the same error

[profile aws-profile]
sso_session = aws-sso-session
sso_account_id = xxxx
sso_role_name = xxxx
region = xxxx
output = json
credential_process = "aws configure export-credentials --profile aws-profile"

I was able to get it to work once by using access-key instead of profile (and using temporary credentials from the SSO login page); however of course this failed after an hour when the credentials expired

I can certainly agree though, that it would not be the worst thing in the world if Amplify CLI natively supported SSO after this many years

@josefaidt / @lorengordon I drew the most intuition / insight from your comments, hence my solution looks the most like your suggestions - maybe you have an idea where I went wrong?

-- next day: progress --
looking at my ~/.aws/config I had the wrong region in my amplify profile - fixed that and now I get
🛑 The security token included in the request is expired
even though did an sso login immediately before hand

I looked again at @kiborkm post (#4488 (comment)) and noticed that it uses aws sso login --sso-session <session> (instead of --profile); I replicated that profile setup, but still
🛑 The security token included in the request is expired
aws sso login --profile <profile> results in the same issue

I have tried to use access-keys (as I did yesterday, copying+pasting from the SSO page "Command line or programatic access" but get the following today (for some reason... no idea why!)

Using default provider  awscloudformation
? Select the authentication method you want to use: AWS access keys
? accessKeyId:  ********************
? secretAccessKey:  ****************************************
? region:  us-east-1
Invalid configuration settings!

So, instead I have added a profile in ~/.aws/config
[profile amplify-stc]
region = xxx

and then a matching credentials in ~/.aws/credentials
[amplify-stc]
aws_access_key_id=xxx
aws_secret_access_key=xxx
aws_session_token=xxx

and I will update this each time with new credentials - you could use a script like @romeubertho alludes to, to automatically update the credentials after SSO Login

so, for anyone who comes after me! possible solutions:

1. An SSO Profile with credential_process (does not work for me, yet - short of AWS actually fixing the amplify CLI, this is what I am aiming for - so if anyone can point me to why my config doesn't work, I'd be greatful)
2. Use access_keys in aws init etc; though you will have to update the keys constantly (amplify configure project will allow you to change keys or profile) :: Not Recommended
3. Use temporary credentials stored in ~/.aws/credentials and update this file, manually or automatically each time you need to SSO login (this is what I am doing now)
4. a Plugin like aws-mfa for oh my zsh will essentially do an automatic update of the ~/.aws/credentials (https://github.com/joepjoosten/aws-cli-mfa-oh-my-zsh/tree/master)
5. create an IAM user without SSO for this purpose and use access_keys

I can't think of any other options just now :) hope that helps someone in the future

now to debug why credential_process and accessKeys instead of profile is not working for me :)

[djheru]

I'm trying to understand design philosophy here. Amplify cli by default forces users to create an IAM long-lived key and secret. Which is a big no-no. What's the consideration for these defaults?

What's the alternative for security-aware organization with SSO?

amplify configure
Follow these steps to set up access to your AWS account:

Sign in to your AWS administrator account:
https://console.aws.amazon.com/
Press Enter to continue

Specify the AWS Region
? region:  us-east-1
Follow the instructions at
https://docs.amplify.aws/cli/start/install/#configure-the-amplify-cli

to complete the user creation in the AWS console
https://console.aws.amazon.com/iamv2/home#/users/create
Press Enter to continue

Enter the access key of the newly created user:
? accessKeyId:  [hidden] 

You can skip the amplify configure operation after install if you already have a profile you want to use (either regular IAM or SSO). This is a big omission IMO in the documentation. When you run amplify init in your project, you can select "AWS Profile" or "AWS Access Keys". To my mind, using long-lived access keys here is a bad practice, so using profiles is preferred.

I came across this thread trying to figure it out, this is what I ended up with:

[profile dev]
sso_start_url=https://XXXXXXXXXXXX.awsapps.com/start
sso_region=us-east-1
sso_account_id=XXXXXXXXXXXX
sso_role_name=AdministratorAccess
region=us-east-1
output=json
cli_pager=
sso_session=dev
credential_process=aws sso login --profile dev
[sso-session dev]
sso_start_url=https://XXXXXXXXXXXX.awsapps.com/start
sso_region=us-east-1
sso_registration_scopes=sso:account:access

[profile prod]
sso_start_url=https://XXXXXXXXXXXX.awsapps.com/start
sso_region=us-east-1
sso_account_id=XXXXXXXXXXXX
sso_role_name=AdministratorAccess
region=us-east-1
output=json
cli_pager=
sso_session=prod
credential_process=aws sso login --profile prod
[sso-session prod]
sso_start_url=https://XXXXXXXXXXXX.awsapps.com/start
sso_region=us-east-1
sso_registration_scopes=sso:account:access

Hope it helps!

[kaunglvlv]

I have SSO set up with Google Workspaces. The issue was with Chrome. When it tried to authenticate during the completion of amplify init, it opened a new Chrome window which had one of my other Google accounts signed in and used that to automatically authenticate which failed with the following error

Failed to get profile credentials

I manually signed out of this profile and went through amplify init again. This time it asked me to sign in to my Google account. Signed in with the correct account hooked up to SSO and it worked. Hope this helps for anyone with Google Workspaces where you may have multiple accounts on your Chrome browser.

[darrenleomiller]

The Rosetta Stone for me was finding that amplify uses the profile information stored in (for example) amplify/.config/local-aws-info.json which will look something like this:

{
  "dev": {
    "configLevel": "project",
    "useProfile": false,
    "awsConfigFilePath": "/Users/bilbo/.amplify/awscloudformation/nQKUFafyPf"
  }
}

or like this:

{
  "dev": {
    "configLevel": "project",
    "useProfile": true,
    "profileName": "bilbo-admin"
  }
}

The file in the first example needs to contain updated credentials or you will eventually get the dreaded The provided token has expired error. You can get those details with aws configure export-credentials --profile bilbo-admin among others.

It's also worth noting that the tokens from aws-sso-util (brilliant!) and aws sso login are not interchangeable and can coexist for the same named profile.

The bottom line is that this file controls everything - if you aren't updating those specific credentials or using that named profile you are barking up the wrong tree (as I did for way too long).

[konstantin-azarov]

Just wanted to report that credential_process = aws configure export-credentials --profile app-dev-amplify-publish worked for me with the AWS CLI 2.17.54 and no third party libraries.

Also I'd like to join to the choir and say that it is unbelievable that Amplify doesn't support recommended AWS authentication schemes out of the box. First it didn't support AWS_* environment variables requiring us to save keys in config files, now it doesn't properly support AWS SSO after 4 years of this issue being open. Overall, I really regret choosing Amplify as our framework back in the day.

[robot-apocalypse]

I was not able to get the credential_process working as described above. Instead I started using gen2, and it seems like that does work with sso, though it'll be a bit of learning curve for us. I'm guessing the amplify folks are focusing their efforts on improving gen2, and gen1 will just go away eventually.

[lorengordon]

@robot-apocalypse What is "gen2"?

[robot-apocalypse]

@lorengordon Here's the release announcement: https://aws.amazon.com/about-aws/whats-new/2024/05/aws-amplify-gen-2-available/

A quick-start for react is here: https://docs.amplify.aws/react/start/quickstart/

It is a "code-first" approach, which mostly gets rid of the cli altogether. I like the idea, but it's pretty new, so real-world examples are hard to find. We'll see

[dwrynngs]

I am currently having issues using credentials-process as described here in the documentation.

https://docs.amplify.aws/gen1/javascript/tools/cli/start/set-up-cli/#manually-configure-the-amplify-cli

I have created my profile according to the documentation, I am exporting my profile, but when I run amplify pull to pull in a backend, and am getting the error

"Failed to get profile credentials
Cannot read properties of undefined (reading 'accessKeyId')"

This is quickly becoming a blocking issue for me, and is very frustrating as I am following all of AWS best practice and documentation and I still cannot get it to work. Am I missing something that the documentation isn't specifying??

[dwrynngs]

I am currently having issues using credentials-process as described here in the documentation.

https://docs.amplify.aws/gen1/javascript/tools/cli/start/set-up-cli/#manually-configure-the-amplify-cli

I have created my profile according to the documentation, I am exporting my profile, but when I run amplify pull to pull in a backend, and am getting the error

"Failed to get profile credentials Cannot read properties of undefined (reading 'accessKeyId')"

This is quickly becoming a blocking issue for me, and is very frustrating as I am following all of AWS best practice and documentation and I still cannot get it to work. Am I missing something that the documentation isn't specifying??

Nothing is working for me now and I cannot debug this. Time to either abandon amplify because of this or abandon sso. really poor from Amplify support that this has gone unanswered and remains at odds with what AWS recommend as the best practice for security.