amplify pull (headless) fail to pull configuration when used with github actions on ubuntu

[dkliss]

How did you install the Amplify CLI?

npm

If applicable, what version of Node.js are you using?

No response

Amplify CLI Version

12.10.1

What operating system are you using?

ubuntu

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

Hi,

I have a github action wokrflow as shown below. When I run this in github actions, the AWS credentials are processed correctly and I can see that by checking of aws s3 ls shows me all s3 files. However, after that when i like to pull my aws amplify configuration via "aws amplify pull" but the github action workflow is stuck at "Opening link: https://us-east-1.admin.amplifyapp.com/admin/[redacted]/dev/verify/?loginVersion=1". When I open the link, it ask me to copy a key back.
I expected all this to work programatically without my intervention. Is there anything missing here from my side? I am using github Provider (token.actions.githubusercontent.com), which is setup along with required IAM role and aws integration is working.

Also I see no logs for amplify pull. I expected the amplify pull to retrieve my configured envoirnment.

jobs:
  flutter_test:
    name: Run flutter test and analyze
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Install Flutter        
        uses: subosito/flutter-action@v2
        with:
          channel: "stable"
      - run: flutter --version      
      - name: Install AWS CLI
        run: |
          sudo apt-get update
          sudo apt-get install -y awscli
      - name: Install Amplify CLI
        run: |
          npm install -g @aws-amplify/cli
      - run: amplify --version
      - name: configure aws credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          audience: ${{ env.AWS_AUDIENCE }}
          role-to-assume: ${{ env.AWS_ROLE }}
          aws-region: ${{ env.AWS_REGION }}
          role-session-name: GitHubActionsSession
      - name: Check if AWS can access s3 buckets
        run: aws s3 ls
      - name: Pull latest changes from Amplify backend
        run: amplify pull --appId ${{ env.AWS_APPID }} --envName ${{ env.AWS_ENV }}  --verbose --yes

Describe the bug

amplify pull does not work in github action. It is stuck at opening link as example below

19m 7s
Run amplify pull --appId [redacted]-envName dev  --verbose --yes
  amplify pull --appId [redacted] --envName dev  --verbose --yes
  shell: /usr/bin/bash -e {0}
  
Opening link: https://github.com[redacted]/actions/runs/[redacted]/job/[redacted]#step:10:7/dev/verify/?loginVersion=1

Expected behavior

amplify pull shall retrieve latest configuration from aws amplify.

Reproduction steps

1. Setup AWS amplify from local PC with authentication etc.
2. Push the changes to aws server.
3. Setup github action as Identity provider in AWS.
4. Now setup a github action workflow as per workflow i provided above.
5. Pull the aws amplify configuration via github actions which was pushed from local PC.
6. ISSUE: Pull is stuck for long time at "opening link".

Project Identifier

No response

Log output

# Put your logs below this line

Additional information

No response

Before submitting, please confirm:

• I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
• I have removed any sensitive information from my code snippets and submission.

[josefaidt]

Hey @dkliss 👋 thanks for raising this! From the logs printed from that pull attempt it appears you have Amplify Studio enabled for this app, which will cause the CLI to default to Studio for authentication. There is a known issue where the Amplify CLI is not able to read credentials from environment variables. Can you try the workaround here? #10484 (comment)

Or try echoing those credentials to a temporary AWS profile in the GitHub Action runner?

[dkliss]

#10484 (comment)

Thanks @josefaidt for your response & Script. Below is what worked from me after some trials. If these looks as expected. then we can close (if this issue is already tracked).

OPTION 1: If I Disable Amplify Studio, then below works after adding aws configure set.

jobs:
  flutter_test:
    name: Run flutter test and analyze
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Install Flutter        
        uses: subosito/flutter-action@v2
        with:
          channel: "stable"
      - run: flutter --version      
      - name: Install AWS CLI
        run: |
          sudo apt-get update
          sudo apt-get install -y awscli
      - name: Install Amplify CLI
        run: |
          npm install -g @aws-amplify/cli
      - run: amplify --version
      - name: configure aws credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          audience: ${{ env.AWS_AUDIENCE }}
          role-to-assume: ${{ env.AWS_ROLE }}
          aws-region: ${{ env.AWS_REGION }}
          role-session-name: GitHubActionsSession
      - name: Check if AWS can access s3 buckets
        run: aws s3 ls
      # Amplify CLI does not support headless pull with temporary credentials
      # when useProfile is false.
      # See: https://github.com/aws-amplify/amplify-cli/issues/11009.
      - name: Create temp AWS profile
        run: |
          aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID && \
          aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY && \
          aws configure set aws_session_token $AWS_SESSION_TOKEN && \
          aws configure set default.region $AWS_REGION
      - name: Check if AWS can access s3
        run: aws s3 ls
      - name: Pull latest changes from Amplify backend
        run: amplify pull --appId ${{ env.AMPLIFY_APP_ID }} --envName ${{ env.AMPLIFY_STAGE }}  --verbose --yes 

OPTION 2: If I enable (or even keep disabled) Amplify Studio, then below works (after trying out from #11009).

jobs:
  flutter_test:
    name: Run flutter test and analyze
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Install Flutter        
        uses: subosito/flutter-action@v2
        with:
          channel: "stable"
      - run: flutter --version      
      - name: Install AWS CLI
        run: |
          sudo apt-get update
          sudo apt-get install -y awscli
      - name: Install Amplify CLI
        run: |
          npm install -g @aws-amplify/cli
      - run: amplify --version
      - name: configure aws credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          audience: ${{ env.AWS_AUDIENCE }}
          role-to-assume: ${{ env.AWS_ROLE }}
          aws-region: ${{ env.AWS_REGION }}
          role-session-name: GitHubActionsSession
      - name: Check if AWS can access s3 buckets
        run: aws s3 ls
     # Amplify CLI does not support headless pull with temporary credentials
      # when useProfile is false.
      # See: https://github.com/aws-amplify/amplify-cli/issues/11009.
      # https://github.com/aws-amplify/amplify-cli/issues/7642#issuecomment-875881203      
      - name: Create temp AWS profile
        run: |
          aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID && \
          aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY && \
          aws configure set aws_session_token $AWS_SESSION_TOKEN && \
          aws configure set default.region $AWS_REGION
      - name: Check if AWS can access s3
        run: aws s3 ls
      - name: Setup AWS credentials
        run: |
          #!/bin/bash
          set -eu # set e quits on first error, u errors if any variable is unset
          IFS='|'
          # The following env vars are expected to be set:
          # AMPLIFY_APP_ID: d39y0000000000
          # AMPLIFY_STAGE: preprod
          # AWS_REGION: us-east-1
          # AWS_ACCESS_KEY_ID: ***
          # AWS_SECRET_ACCESS_KEY: ***
          # The last three AWS_ variables are set by aws-actions/configure-aws-credentials

          # Verify all vars are set. set -u ensures these error and stop the script
          : "${AMPLIFY_APP_ID?Need to set AMPLIFY_APP_ID}"
          : "${AMPLIFY_STAGE?Need to set AMPLIFY_STAGE}"
          : "${AWS_REGION?Need to set AWS_REGION}"
          : "${AWS_ACCESS_KEY_ID?Need to set AWS_ACCESS_KEY_ID}"
          : "${AWS_SECRET_ACCESS_KEY?Need to set AWS_SECRET_ACCESS_KEY}"

          echo "Working with branch/env ${AMPLIFY_STAGE}"

          # amplify doesn't support session tokens like the rest of AWS, so we have manually
          # construct ~/.aws files:
          # https://github.com/aws-amplify/amplify-cli/issues/7642#issuecomment-875881203

          # https://docs.amplify.aws/cli/usage/headless/#sample-script-3

          AWSCLOUDFORMATIONCONFIG="{\
          \"configLevel\":\"general\",\
          \"useProfile\":false,\
          \"profileName\":\"${AWS_PROFILE:-default}\",\
          \"region\":\"$AWS_REGION\"\
          }"

          AMPLIFY="{\
          \"projectName\":\"ReliefBackend\",\
          \"appId\":\"$AMPLIFY_APP_ID\",\
          \"envName\":\"$AMPLIFY_STAGE\",\
          \"defaultEditor\":\"none\"\
          }"

          PROVIDERS="{\
          \"awscloudformation\":$AWSCLOUDFORMATIONCONFIG\
          }"

          echo "running: amplify pull..."

          amplify pull \
          --amplify $AMPLIFY \
          --providers $PROVIDERS \
          --yes

[ykethan]

@dkliss both options provided should work as expected. If the project does not require Amplify Studio, you can disable this on the console but can be re-enabled if your use case requires this and utilize the headless command to pull the backend.
Closing the issue, do reach out to us if you require additional assistance on this.

[github-actions]

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.