Construct the credentials from environment variables #407

Open
rehos opened this issue Nov 7, 2018 · 17 comments
Labels
feature-request Request a new feature p3 platform-config Issues related to configuring project settings


@rehos

rehos commented Nov 7, 2018

Is your feature request related to a problem? Please describe.
We don't have any IAM users in the AWS accounts in which we run our solutions. We always interact with the AWS accounts with federated users. We are not allowed to store access key ids and secrets outside a vault (we are using macos keychain). For command-line scripts we use aws-vault (see additional context for an example).

Describe the solution you'd like
I would like the Amplify CLI to construct the credentials from environment variables, just like the regular AWS CLI. This is a generic solution, not specific to any tool. A tool like aws-vault generates the necessary environment variables.

AWS_REGION=eu-west-1
AWS_ACCESS_KEY_ID=XXX
AWS_SECRET_ACCESS_KEY=XXX
AWS_SESSION_TOKEN=XXX

Describe alternatives you've considered
There is no workaround that is compliant with our company policies.

Additional context
amplify --version > 0.1.32

Running the init command now fails:

aws-vault exec solution-profile -- amplify init

? Choose your default editor: Visual Studio Code
? Choose the type of app that you're building javascript
Please tell us about your project
? What javascript framework are you using react
? Source Directory Path:  src
? Distribution Directory Path: build
? Build Command:  npm run-script build
? Start Command: npm run-script start
Using default provider awscloudformation

For more information on AWS Profiles, see:
https://docs.aws.amazon.com/cli/latest/userguide/cli-multiple-profiles.html

? accessKeyId:  <YOUR_ACCE**********
? secretAccessKey:  <YOUR_SECRET************
? region:  eu-west-1
init failed
Error: Invalid configuration settings
    at configProject.then.then (/usr/local/lib/node_modules/@aws-amplify/cli/node_modules/amplify-provider-awscloudformation/lib/configuration-manager.js:57:13)
    at <anonymous>
    at process._tickDomainCallback (internal/process/next_tick.js:228:7)

Note we want to leave the accessKeyId and secretAccessKey empty, because they are provided in environment variables.

@vpavlenko

@UnleashedMind Our company is facing the same issue. Could you please provide any timeline for this feature?

@kernwig

kernwig commented Nov 29, 2018

Same. I tried to make a workaround per https://docs.aws.amazon.com/cli/latest/topic/config-vars.html, using credential_process to retrieve the credentials. That did not work, as amplify appears to be trying to read the .aws/credentials file itself and not supporting this option.

So instead I wrote a script to modify the keys in the `.aws/credentials` file, adding it to my existing script for setting up my environment.

PROFILE=my-aws-profile
# Your process that sets your AWS environment:
# source $HOME/bin/ssologin.sh $PROFILE

# Update credentials file
CRED="$HOME/.aws/credentials"
# Keep a backup of the current file
cp "$CRED" "${CRED}.old"
# Copy everything except the existing [PROFILE] section (it ends at the next blank line)
awk "/\[${PROFILE}\]/ { skip=1 } /^$/ { skip = 0 } { if (skip != 1) print }" "${CRED}.old" > "$CRED"
# Append the profile again with the credentials from the environment
echo "[${PROFILE}]" >> "$CRED"
echo "aws_access_key_id=$AWS_ACCESS_KEY_ID" >> "$CRED"
echo "aws_secret_access_key=$AWS_SECRET_ACCESS_KEY" >> "$CRED"
echo "aws_session_token=$AWS_SESSION_TOKEN" >> "$CRED"

Note, you must manually add your profile into .aws/config, or amplify init won't use it. I didn't script this because it doesn't change.

[profile my-aws-profile]
region=us-west-2

@kaustavghosh06 added the question, configure and feature-request labels and removed the enhancement and question labels Apr 5, 2019
@UnleashedMind removed their assignment Aug 8, 2019
@blastedcode

blastedcode commented Jan 26, 2020

I have managed to get a solution working with aws-vault which uses MFA and is federated from a parent account that only deals with user access. It works as follows.

My ./aws/config looks like:

[profile PROFILE_NAME]
output=json
region=eu-west-1
source_profile=PROFILE_VAULT_USES
role_arn=arn:aws:iam::AWS_ACCOUNT:role/rolename
mfa_serial=arn:aws:iam::AWS_ACCOUNT_MFA:mfa/MFA_NAME

[profile amplify-PROFILE_NAME]
output=json
region=eu-west-1
credential_process=aws-vault exec PROFILE_NAME --json

You can then run:
aws-vault exec PROFILE_NAME amplify init

When you are asked "Please choose the profile you want to use", you can then choose

amplify-PROFILE_NAME

Everything after that can be run as:

aws-vault exec PROFILE_NAME amplify status

@aws-amplify deleted a comment from pecigonzalo Sep 3, 2020
@maartenvanderhoef

Can you please stop being the worst AWS project ever.

@pecigonzalo

Any clues as to why my comment was deleted?

@kjones

kjones commented Feb 26, 2021

It would be nice if the CLI had a way to do this. When asking for credentials options being able to say "please just use my AWS_*" environment variables. Especially since the CLI is so "bad" at prompting for MFA creds. Half the time I forget and just stare at a spinning wheel (macOS), then remember... "Oh, it is prompting me for a new MFA entry that is nicely hidden behind the spinning wheel".

@tgardiner

Just upgraded to 4.50.0 and now it seems there is no way to fetch credentials from the environment. Not sure if that was ripped out earlier, but either way seems like a step in the wrong direction. Must be one of the only aws cli tools that doesn't support that functionality?

@DarkSector

Yeah, 4.50.0 doesn't allow you to use environment variables for access keys. If it worked before, it definitely doesn't work now.

@tgardiner

@DarkSector from my testing 4.46.0 is the last version that supports environment variables

@DarkSector

Can confirm 4.46.0 allows you to use environment variables by selecting AWS Profile as the option.

@cyrfer

cyrfer commented Jun 4, 2021

I confirm recent versions (4.52.0) allow deploy (init + push) via environment variables:

1. AWS_ACCESS_KEY_ID
2. AWS_SECRET_ACCESS_KEY

Unfortunately those credentials must be OBTAINED FROM A USER, and not a more secure option like temporary credentials obtained by assuming an IAM role via STS, because Amplify does not provide a way to pass the:

3. AWS_SESSION_TOKEN

Please add support by passing all 3 items required by AWS authorization.

@edwardfoyle added the platform-config label and removed the configure label Aug 17, 2021
@olivierpichon

+1 Having amplify not supporting STS and short-lived tokens is problematic from a compliance standpoint.

@josefaidt
Contributor

Hey @cyrfer and @olivierpichon STS support has since been added to the Amplify CLI, and the CLI will read from the AWS_SESSION_TOKEN environment variable 🙂

Closing issue

@nerdyness

Hi @josefaidt, could you please explain how I get amplify CLI to read this AWS_SESSION_TOKEN environment variable? I've tried various things but Amplify 8.4.0 stubbornly refuses to use my temporary credentials 🤷‍♂️

@letsbelopez
Contributor

@nerdyness amplify CLI can't read credentials as environment variables as of 10.5.2. You will need to create a temporary ~/.aws/credentials and ~/.aws/config file with the environment variables before using the CLI.

You can use the aws cli to do it like this. Note you must create a config file or you will get this error: Failed to get profile: Cannot read properties of undefined (reading 'accessKeyId')

aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID && \
aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY && \
aws configure set aws_session_token $AWS_SESSION_TOKEN && \
aws configure set default.region $AWS_REGION

@josefaidt reopened this Jan 10, 2023
@josefaidt
Contributor

related #10484

@jckimble

Amplify accepting env variables would help for devcontainers also. Been looking how to get amplify to load a profile from codespace secrets and ran across this issue. Fixing to look into abusing credential_process with a node script but would be nice if it was supported upstream
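
The credential_process route discussed in this thread keeps temporary keys out of ~/.aws/credentials. The following is an added example, not code from any commenter or from the Amplify project: a Node helper that turns the AWS_* environment variables into the JSON document the credential_process contract expects. The function name, the `--emit` flag, the profile name and script path are hypothetical, the AWS_CREDENTIAL_EXPIRATION variable is assumed to hold an ISO 8601 timestamp, and whether a given Amplify CLI version honours credential_process is not confirmed beyond the reports above.

```javascript
'use strict';
// Added example: a credential_process helper that hands the AWS_* environment
// variables to any tool that reads profiles from ~/.aws/config.
// Assumed profile entry (profile name and script path are hypothetical):
//   [profile amplify-env]
//   credential_process=node /path/to/env-credentials.js --emit

// Build the JSON document defined by the AWS credential_process contract.
function buildCredentialProcessOutput(env, now = new Date()) {
  const missing = ['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY']
    .filter((name) => !env[name]);
  if (missing.length > 0) {
    // Report variable names only, never their values.
    throw new Error(`missing environment variables: ${missing.join(', ')}`);
  }
  const out = {
    Version: 1,
    AccessKeyId: env.AWS_ACCESS_KEY_ID,
    SecretAccessKey: env.AWS_SECRET_ACCESS_KEY,
  };
  if (env.AWS_SESSION_TOKEN) {
    out.SessionToken = env.AWS_SESSION_TOKEN;
  } else if (env.AWS_ACCESS_KEY_ID.startsWith('ASIA')) {
    // ASIA-prefixed key IDs are temporary STS keys and fail without a token.
    throw new Error('temporary access key supplied without AWS_SESSION_TOKEN');
  }
  // Assumption: the expiry, when exported, is an ISO 8601 timestamp in
  // AWS_CREDENTIAL_EXPIRATION.
  if (env.AWS_CREDENTIAL_EXPIRATION) {
    const expiry = new Date(env.AWS_CREDENTIAL_EXPIRATION);
    if (Number.isNaN(expiry.getTime()) || expiry <= now) {
      throw new Error('credentials are expired or have an unparsable expiry');
    }
    out.Expiration = expiry.toISOString();
  }
  return out;
}

// Emit only when asked to, so the secret is written to stdout for the calling
// SDK and nowhere else; failures go to stderr with a non-zero exit status.
if (process.argv.includes('--emit')) {
  try {
    process.stdout.write(JSON.stringify(buildCredentialProcessOutput(process.env)));
  } catch (err) {
    process.stderr.write(`env-credentials: ${err.message}\n`);
    process.exitCode = 1;
  }
}
```

Because the helper rejects a temporary key that arrives without its session token, the failure surfaces at the credential step instead of as an opaque authorization error later in the run.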
