[v2-feedback] Issue when AWS Profile unable to run amplify init #3922

Closed
jimcal opened this issue Mar 23, 2020 · 7 comments
Labels: platform (Issues tied to the general CLI platform), question (General question)


@jimcal

jimcal commented Mar 23, 2020

Page: https://docs.amplify.aws/start/getting-started/setup?integration=js

Feedback:
Was trying to create an AWS Profile under our corporate federation. It seems that using accessKeyId and secretAccessKey to set up the profile is no longer enough.

Here is the exception I get:

? Do you want to use an AWS profile? Yes
? Please choose the profile you want to use tutorial
init failed
UnrecognizedClientException: The security token included in the request is invalid.
    at Object.extractError (/Users/jim/.nvm/versions/node/v12.16.1/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/protocol/json.js:51:27)
    at Request.extractError (/Users/jim/.nvm/versions/node/v12.16.1/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/protocol/rest_json.js:55:8)
    at Request.callListeners (/Users/jim/.nvm/versions/node/v12.16.1/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/Users/jim/.nvm/versions/node/v12.16.1/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/Users/jim/.nvm/versions/node/v12.16.1/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/request.js:683:14)
    at Request.transition (/Users/jim/.nvm/versions/node/v12.16.1/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/Users/jim/.nvm/versions/node/v12.16.1/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /Users/jim/.nvm/versions/node/v12.16.1/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/Users/jim/.nvm/versions/node/v12.16.1/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/Users/jim/.nvm/versions/node/v12.16.1/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/request.js:685:12) {
  message: 'The security token included in the request is invalid.',
  code: 'UnrecognizedClientException',
  time: 2020-03-23T17:47:10.639Z,
  requestId: 'cd699f59-8494-44a1-aca6-f5aac74b4878',
  statusCode: 403,
  retryable: false,
  retryDelay: 77.16144963242972
}
@renebrandel
Contributor

@kaustavghosh06 - do you know what's going on here? Should we transfer this to the CLI repo?

@swaminator swaminator transferred this issue from aws-amplify/docs Apr 10, 2020
@nikhname nikhname added pending-triage Issue is pending triage platform Issues tied to the general CLI platform labels Apr 10, 2020
@ammarkarachi ammarkarachi added question General question and removed pending-triage Issue is pending triage labels May 1, 2020
@UnleashedMind
Contributor

Could you elaborate on "create an AWS Profile under our corporate federation"?

Does the IAM user that the profile's credential is associated with have all the required permissions for the Amplify CLI?
https://docs.amplify.aws/cli/usage/iam

Is it a temp credential? Do you use a role?
https://docs.amplify.aws/cli/usage/iam-roles-mfa

@UnleashedMind UnleashedMind added the pending-response Issue is pending response from the issue author label May 1, 2020
@jimcal
Author

jimcal commented May 8, 2020

Hi @UnleashedMind , thanks for your patience.

Our internal tool is aware of the profiles and configuration in ~/.aws/config. It looks like this.

And that role contains this policy. Therefore I assume it would work for Amplify. But this is what I see when running amplify init

UnrecognizedClientException: The security token included in the request is invalid.
https://share.getcloudapp.com/2NuX74z9

More detail about how our internal tool works:

We have a CLI tool that makes a call to a token service, then the token service assumes an IAM Role on behalf of an authenticated user and returns back AWS temporary security credentials. We do this via an SSO provider (Okta AWS OIDC). Our tool was inspired by https://github.com/segmentio/aws-okta, and leverages https://github.com/99designs/aws-vault to store IAM credentials.

We have not observed other limitations with the AWS CLI when authenticating with AWS using this tool.

Any pointer is appreciated!

@SwaySway SwaySway removed the pending-response Issue is pending response from the issue author label May 22, 2020
@vgoetz

vgoetz commented Jul 21, 2020

Hi @UnleashedMind,

We face the same problem after introducing AWS SSO for our developers. If you need more input to reproduce the problem:

Within AWS Organizations we have e.g.:
aws-admin (just for account management, without any resources)
aws-dev (where we are working)
aws-prod (will be created later)

IAM (from root/admin account):
No relevant User here

So far this shouldn't be relevant, just want to give you a complete overview.

AWS SSO Configuration:
AWS Accounts: AWS Organization: aws-dev with Permission set "AdministratorAccess" --> IAM policy "AdministratorAccess" (including Amplify)
Users: Some users assigned to a group "dev" that has Permission set "AdministratorAccess"
A User portal URL is configured for SSO: https://xxx.awsapps.com/start

I can log in with such a user over the SSO portal and can also retrieve my credentials over the button "Command line or programmatic access"
Adding those credentials to ~/.aws/credentials (copy & paste) works for a short time (until the session token expires).
Using the amplify cli I can then init, push and pull projects without any problems.

But if I want to work with AWS SSO like it is meant to be (https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html) it doesn't work!

..more specifically:

$ aws configure sso # introduce a new profile and also set this new account as the default
[...]
$ aws sso login --profile=AdministratorAccess-530xxxxxxx
Successully logged into Start URL: https://xxx.awsapps.com/start
[...]
$ aws s3 ls #works fine
$ amplify init #for a new amplify project (empty folder)
Please choose the profile you want to use: AdministratorAccess-530xxxxxxx
init failed
UnrecognizedClientException: The security token included in the request is invalid.
at Object.extractError (/Users/viktor.goetz/.nvm/versions/node/v14.1.0/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/protocol/json.js:51:27)
at Request.extractError (/Users/viktor.goetz/.nvm/versions/node/v14.1.0/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/protocol/rest_json.js:55:8)
at Request.callListeners (/Users/viktor.goetz/.nvm/versions/node/v14.1.0/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
at Request.emit (/Users/viktor.goetz/.nvm/versions/node/v14.1.0/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
at Request.emit (/Users/viktor.goetz/.nvm/versions/node/v14.1.0/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/request.js:688:14)
at Request.transition (/Users/viktor.goetz/.nvm/versions/node/v14.1.0/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/Users/viktor.goetz/.nvm/versions/node/v14.1.0/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /Users/viktor.goetz/.nvm/versions/node/v14.1.0/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/Users/viktor.goetz/.nvm/versions/node/v14.1.0/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/Users/viktor.goetz/.nvm/versions/node/v14.1.0/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/request.js:690:12) {
code: 'UnrecognizedClientException',
time: 2020-07-21T15:25:11.114Z,
requestId: '80ed1e23-5973-4f20-b8fb-b96c954fbe9f',
statusCode: 403,
retryable: false,
retryDelay: 54.57781621514268
}


The same problem for another amplify project which is already pushed:
$ amplify pull
...
Pre-pull status:

Current Environment: dev

Category Resource name Operation Provider plugin
Auth xxxxxxxyyyyyyyyy No Change awscloudformation
Api yyyyyyyy No Change awscloudformation

⠹ Fetching updates to backend environment: dev from the cloud.(node:32580) UnhandledPromiseRejectionWarning: InvalidAccessKeyId: The AWS Access Key Id you provided does not exist in our records.
at Request.extractError (/Users/viktor.goetz/.nvm/versions/node/v14.1.0/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/services/s3.js:831:35)
at Request.callListeners (/Users/viktor.goetz/.nvm/versions/node/v14.1.0/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
at Request.emit (/Users/viktor.goetz/.nvm/versions/node/v14.1.0/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
at Request.emit (/Users/viktor.goetz/.nvm/versions/node/v14.1.0/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/request.js:688:14)
at Request.transition (/Users/viktor.goetz/.nvm/versions/node/v14.1.0/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/Users/viktor.goetz/.nvm/versions/node/v14.1.0/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /Users/viktor.goetz/.nvm/versions/node/v14.1.0/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/Users/viktor.goetz/.nvm/versions/node/v14.1.0/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/Users/viktor.goetz/.nvm/versions/node/v14.1.0/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/request.js:690:12)
at Request.callListeners (/Users/viktor.goetz/.nvm/versions/node/v14.1.0/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/sequential_executor.js:116:18)
(Use node --trace-warnings ... to show where the warning was created)
(node:32580) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag --unhandled-rejections=strict (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 1)
(node:32580) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.
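
The reports above involve profiles that obtain credentials in different ways: keys pasted with a session token, AWS SSO settings, and temporary credentials issued by a federation tool. As an added example (not code from this thread or from the Amplify CLI), the following classifies each profile in the two shared files by mechanism, so a profile that relies on something a tool must explicitly support stands out from one holding plain keys. The file contents, profile names, helper path and result labels are constructed, and the precedence between mechanisms is a simplifying assumption.

```javascript
// Constructed sample files; every value below is a placeholder.
const SAMPLE_CONFIG = `
[profile sso-dev]
sso_start_url = https://example.awsapps.com/start
[profile federated]
credential_process = /usr/local/bin/example-token-helper
[profile assumed]
role_arn = arn:aws:iam::111111111111:role/example
`;
const SAMPLE_CREDENTIALS = `
[pasted]
aws_access_key_id = ASIAEXAMPLEEXAMPLE00
aws_session_token = constructed
[no-token]
aws_access_key_id = ASIAEXAMPLEEXAMPLE01
`;
// config writes "[profile name]" (or "[default]"); credentials writes "[name]".
function parseProfiles(text, isConfigFile) {
  const profiles = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf('=');
    const header = line.match(/^\[(.+)\]$/);
    if (header) {
      const m = header[1].trim().match(isConfigFile ? /^(?:profile\s+(.+)|(default))$/ : /^(.+)$/);
      current = m ? (profiles[m[1] || m[2]] = {}) : null; // ignore other sections
    } else if (current && eq > 0 && !/^[#;]/.test(line)) {
      current[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
    }
  }
  return profiles;
}
// Which mechanism supplies the credentials (simplified precedence, an assumption).
function classifyProfile(p) {
  if (p.sso_start_url || p.sso_session) return 'sso';
  if (p.credential_process) return 'credential_process';
  if (p.role_arn) return 'assume_role';
  if (!p.aws_access_key_id) return 'no_credentials';
  if (p.aws_session_token) return 'temporary_keys';
  // STS-issued key IDs start with "ASIA" and are rejected without their token.
  return p.aws_access_key_id.startsWith('ASIA') ? 'temporary_keys_missing_token' : 'static_keys';
}
function auditProfiles(configText, credentialsText) {
  const config = parseProfiles(configText, true);
  const creds = parseProfiles(credentialsText, false);
  return Object.fromEntries([...new Set([...Object.keys(config), ...Object.keys(creds)])]
    .map((name) => [name, classifyProfile({ ...config[name], ...creds[name] })]));
}
```

To run it against a real machine, pass the text of ~/.aws/config and ~/.aws/credentials to `auditProfiles` and print only the returned labels, never the parsed values.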

@kaustavghosh06
Contributor

@jimcal Are you using AWS SSO as well? As a workaround, could you try out the recommendation here - #4488 (comment)?

@stale

stale bot commented Oct 31, 2020

This issue has been automatically closed because of inactivity. Please open a new issue if you are still encountering problems.

@stale stale bot closed this as completed Oct 31, 2020
@github-actions

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels for those types of questions.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 25, 2021