How To Use with AWS Control Tower temporary credentials? #7204

Closed
cwaldbieser opened this issue Apr 29, 2021 · 3 comments
Labels
question General question

Comments

@cwaldbieser

Note: If your question is regarding the AWS Amplify Console service, please log it in the
AWS Amplify Console repository

Which Category is your question related to?
I think "amplify-cli". I'm not exactly sure after reading the contributing guidelines.

Amplify CLI Version

You can use amplify -v to check the amplify cli version on your system
4.50.0

What AWS Services are you utilizing?
I was using Authentication, API, Storage, Datastore.

Provide additional details e.g. code snippets

Basically, my workplace uses AWS Control Tower and a multi-account strategy. We don't allow the routine creation of IAM users; those are only used for integrations with non-AWS services. We use the AWS SSO portal to obtain temporary credentials to use on the command line, for example with the AWS CLI or the codecommit helper, or even 3rd-party tools like [Zappa](https://github.com/Miserlou/Zappa). For the most part, this works fine.

I tried to use temporary credentials with the amplify CLI, and it did not seem to work. The tool wouldn't pick up my credentials from the environment. If I selected the other option instead of "Profile", I was prompted for an API KEY ID and an API SECRET, but not a SESSION TOKEN, so authentication failed.

I'm just wondering what the strategy is that I'm supposed to use to work with the amplify CLI and get it to accept my credentials.

@cwaldbieser cwaldbieser added the question General question label Apr 29, 2021
@edwardfoyle
Contributor

Hi @cwaldbieser we don't have great native support for SSO yet but you should be able to get this working by creating an AWS profile with a session token. To do that, add the following to ~/.aws/credentials:

[profile-name]
aws_access_key_id=xxxxx
aws_secret_access_key=xxxxx
aws_session_token=xxxxx

Then select this profile as the authentication method for the CLI.

There are also some solutions in the comments of this feature request: #4488
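
An added example (not part of the original thread and not Amplify project code): a Python helper that copies the temporary credentials an SSO portal exports as environment variables into a named profile in the credentials file, where the token key is `aws_session_token`, and keeps the file readable by its owner only. The function name `write_temp_profile` and the profile name `amplify-sso` are assumptions made for illustration.

```python
import configparser
import os
import stat
from pathlib import Path

# Environment variables that carry a set of temporary AWS credentials.
REQUIRED = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")


def write_temp_profile(profile, env, credentials_path):
    """Copy temporary credentials from `env` into [profile] of a credentials file.

    Other profiles already in the file are preserved. Returns the path written.
    """
    missing = [name for name in REQUIRED if not env.get(name)]
    if missing:
        # Temporary keys are only valid together with their session token.
        raise ValueError("missing environment variables: " + ", ".join(missing))

    path = Path(credentials_path).expanduser()
    path.parent.mkdir(mode=0o700, parents=True, exist_ok=True)

    config = configparser.RawConfigParser()  # Raw: no '%' interpolation of secrets
    config.read(path)  # a file that does not exist yet is skipped
    if not config.has_section(profile):
        config.add_section(profile)
    for name in REQUIRED:
        # AWS_SESSION_TOKEN -> aws_session_token, and so on.
        config.set(profile, name.lower(), env[name])

    # Create the file owner-only before any secret is written to it.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        config.write(handle, space_around_delimiters=False)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # tighten a pre-existing file too
    return path


if __name__ == "__main__":
    import sys
    # "amplify-sso" is a hypothetical profile name used when none is given.
    name = sys.argv[1] if len(sys.argv) > 1 else "amplify-sso"
    print(write_temp_profile(name, os.environ, "~/.aws/credentials"))
```

Temporary credentials expire, so the helper has to be rerun with fresh values once the session ends.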

@cwaldbieser
Author

Well, I tried this, and several other methods:

$ amplify configure
Follow these steps to set up access to your AWS account:

Sign in to your AWS administrator account:
https://console.aws.amazon.com/
Press Enter to continue

Specify the AWS Region
? region:  us-east-1
Specify the username of the new IAM user:
? user name:  (amplify-Vop00) 
^C

As you can see, I am still being asked to create an IAM user. This is pretty much a no-go for me.
I've been trying to use Amplify because all the docs on using the AWS JavaScript SDK with Cognito keep steering me here, and Amplify is supposed to be making my development experience easier, but I think I must be trying to put a square peg in a round hole.

Do you know if there is some documentation/tutorials on how to use the AWS JavaScript SDK with Cognito that doesn't involve Amplify? I could probably come up with some front-end / back-end solution by using API Gateway and passing around my own JWTs with some kind of shared secret on the back end, but I'd really like to stay in line with mainstream practice if there is such a thing.

@github-actions

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels for those types of questions.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 13, 2021