Amplify CLI Authentication is not consistent, documentation does not clearly describe setup. Erratic! #12936

Open
2 tasks done
qwikag opened this issue Jul 12, 2023 · 10 comments
Labels: documentation, duplicate, feature-request, platform

Comments

@qwikag

qwikag commented Jul 12, 2023

How did you install the Amplify CLI?

npm

If applicable, what version of Node.js are you using?

20.3.1

Amplify CLI Version

12.1.1

What operating system are you using?

Windows 10

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

Sorry Unsure.
I would have setup Data Model in the Console???

Describe the bug

Summary:
I am fully installed in VSCode and have been using Amplify for a couple of weeks now. (pushing and pulling on amplify and git)
I just did an 'amplify update auth'
I now wish to run 'amplify push' command from terminal.
I get this error (again like I did weeks ago):

Failed to get profile credentials
Cannot read properties of undefined (reading 'accessKeyId')

Please now head to the bottom for my terminal output...

Background:
For transparency, I am very new to AWS.
Amplify is designed for people like me "technical, but not familiar with detailed AWS services"
So the expectation is that the guides /tutorials just work.

Problem 1 - setting up IAM(SSO) Auth in Amplify-cli is an absolute nightmare, the docs need an overhaul. You may think the guide works but actually it is very confusing. I would be happy to sit down and demonstrate this to the owner of said docs.

Problem 2 - is the issue I am raising right now whereby Auth has been working fine since I got it working a couple of weeks ago.
Now it spits out an error right at the end of an amplify push just as it is about to finish.

Problem 3 - this experience has been the most frustrating experience of my 30-year IT career. Sorry to be blunt, but I have never had to deal with such documentation, which takes the individual to the 90% mark and drops them off the cliff.

Here is my Terminal Output:
(simplified for readability):

> amplify push      
| Building resource api/myapp✅ GraphQL schema compiled successfully.

Edit your schema at B:\workspace\AWS\org\git\my_app\amplify\backend\api\myapp\schema.graphql or place .graphql files in a directory at B:\workspace\AWS\org\git\my_app\amplify\backend\api\myapp\schema
√ Successfully pulled backend environment main from the cloud.

    Current Environment: main

│ Category │ Resource name │ Operation │ Provider plugin   │
│ Api │ AdminQueries │ Create │ awscloudformation │
│ Function │ AdminQueriesRaNdoMnEsS │ Create │ awscloudformation │
│ Function │ myappRaNdoMnEsSPostConfirmation │ Create    │ awscloudformation │
│ Auth │ myappRaNdoMnEsS │ Update │ awscloudformation │
│ Function │ myappRaNdoMnEsSCreateAuthChallenge │ Delete │ awscloudformation │
│ Function │ myappRaNdoMnEsSDefineAuthChallenge │ Delete │ awscloudformation │
│ Function │ myappRaNdoMnEsSVerifyAuthChallengeResponse │ Delete │ awscloudformation │
│ Api │ myapp │ No Change │ awscloudformation │
│ Auth │ userPoolGroups │ No Change │ awscloudformation │
│ Function │ myappRaNdoMnEsSCustomMessage │ No Change │ awscloudformation │

√ Are you sure you want to continue? (Y/n) · yes

Deployment completed.
Deploying root stack myapp[ ====================================---- ] 8/9
        amplify-myappweb-main-120003   AWS::CloudFormation::Stack     UPDATE_COMPLETE_CLEANUP_IN_PR… Wed Jul 12 2023 19:38:16…
        storagepubliccontent           AWS::CloudFormation::Stack     UPDATE_COMPLETE                Wed Jul 12 2023 19:37:52…     
        functionmyappRaNdoMnEsScCusto… AWS::CloudFormation::Stack     UPDATE_COMPLETE                Wed Jul 12 2023 19:37:52…     
        functionmyappRaNdoMnEsSPostC… AWS::CloudFormation::Stack     UPDATE_COMPLETE                Wed Jul 12 2023 19:37:52…     
        apimyapp                    AWS::CloudFormation::Stack     UPDATE_COMPLETE                Wed Jul 12 2023 19:38:14…     
        authmyappRaNdoMnEsS           AWS::CloudFormation::Stack     UPDATE_COMPLETE                Wed Jul 12 2023 19:37:53…     
        functionAdminQueries5bbd3149   AWS::CloudFormation::Stack     UPDATE_COMPLETE                Wed Jul 12 2023 19:37:55…     
        authuserPoolGroups             AWS::CloudFormation::Stack     UPDATE_COMPLETE                Wed Jul 12 2023 19:37:55…     
        apiAdminQueries                AWS::CloudFormation::Stack     UPDATE_COMPLETE                Wed Jul 12 2023 19:38:07…     
Deployed api myapp [ ======================================== ] 12/12
        Organisation                   AWS::CloudFormation::Stack     UPDATE_COMPLETE                Wed Jul 12 2023 19:37:59…     
        Policy                         AWS::CloudFormation::Stack     UPDATE_COMPLETE                Wed Jul 12 2023 19:38:03…     
        PolicyContent                  AWS::CloudFormation::Stack     UPDATE_COMPLETE                Wed Jul 12 2023 19:38:02…     
        ConnectionStack                AWS::CloudFormation::Stack     UPDATE_COMPLETE                Wed Jul 12 2023 19:38:06…     
        CustomResourcesjson            AWS::CloudFormation::Stack     UPDATE_COMPLETE                Wed Jul 12 2023 19:38:09…     
Deployed api AdminQueries [ ======================================== ] 3/3
Deployed auth myappRaNdoMnEsS [ ======================================== ] 11/11
Deployed auth userPoolGroups [ ======================================== ] 10/10
Deployed function myappRaNdoMnEsSCustomMessage [ ======================================== ] 3/3
Deployed function AdminQueries5bbd3149 [ ======================================== ] 3/3
Deployed function myappRaNdoMnEsSPostConfirmation [ ======================================== ] 3/3

🛑 Failed to get profile credentials
Cannot read properties of undefined (reading 'accessKeyId')

Learn more at: https://docs.amplify.aws/cli/project/troubleshooting/

Session Identifier: RaNdoMnEsS

Expected behavior

It authenticates and finishes successfully!
like other processes I have run.

it is not disparate nor can it be random and sometimes work other times not.
nor is there a need for so many auth setups.

it should be simple and not so hard.

more documented explanation of how it works with a flow diagram of what files are utilised during this process.

Reproduction steps

Add Google Recaptcha to Auth.
amplify Push
publish it fails due to Google Recaptcha
remove Google Recaptcha
amplify Push
Auth error.

really not sure what is causing it so no idea what the steps are.

Project Identifier

No response

Log output

OK I think I found the issue here in the logs, so I continue to log it so someone can address the craziness, because this is not in the docs and it also seems to be buggy and disparate technically.

Here is the line in my log output that helped: in bold is the culprit:

2023-07-12T08:03:00.325Z|info : amplify-provider-awscloudformation.system-config-manager.getProfileConfig(["AmplifyAdminAccess-012343456789"])

further info below...

Additional information

the Auth Screen on the AWS front door
give me this:
[012343456789_AmplifyAdminAccess]
aws_access_key_id=qwertyasdfgh
aws_secret_access_key=blahdeeblahdebladeeblah
aws_session_token=dytbb5uube//////////wEblahdeeblahdebladeeblahDczMzI1IgblahdeeblahdebladeeblahAIIR...

AmplifyAdminAccess-012343456789 in the logs is formatted completely incorrectly and is not what is in my config file, nor what is given to me from the AWS START page.

This problem stems from the bad documentation that sent me down many rabbit holes, and may have caused me to write a file wrong at some point, but in any case why have I been able to log in and now not :( And why are these 2 formats existing? The format of profile names should be a locked-in syntax.
And it made no mention of a profile name in another config file...
local-aws-ingo.json:
{
  "dev": {
    "configLevel": "project",
    "useProfile": true,
    "profileName": "some_other_random_profile_name"
  },
  "main": {
    "configLevel": "project",
    "useProfile": true,
    "profileName": "AmplifyAdminAccess-012343456789"
  }
}

it cannot find:
AmplifyAdminAccess-012343456789
because my config is the opposite way around and has an underscore????

OK updating the local-aws-ingo.json: with the profile name from the auth screen worked.
But something needs to be done to make this easy.
Thank you log files!

Before submitting, please confirm:

  • I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
  • I have removed any sensitive information from my code snippets and submission.
qwikag added the pending-triage label Jul 12, 2023
@qwikag
Author

qwikag commented Jul 12, 2023

My recent token expired, and I found that I now must use the credentials file to make my amplify push work.
so both that and the local-aws-ingo.json file have caused this.

So this is all very confusing, when a few days ago I did not need this.

I previously changed version "^4.6.0" of "@aws-amplify/ui-react" back to "^5.0.4"
when trying to solve the fact that my cognito auth is not working either!

maybe that caused some of the IAM(SSO) difference?

@ykethan
Member

ykethan commented Jul 17, 2023

Hey @qwikag, thank you for reaching out. The support for AWS SSO in Amplify CLI is currently being tracked as a feature request on #4488.
The issue appears to be similar to #4488 (comment), do let us know if the workaround provided in the comment mitigates the issue.

ykethan added the pending-response, duplicate and platform-init labels Jul 17, 2023
@qwikag
Author

qwikag commented Jul 18, 2023

Hey @qwikag, thank you for reaching out. The support for AWS SSO in Amplify CLI is currently being tracked as a feature request on #4488. The issue appears to be similar to #4488 (comment), do let us know if the workaround provided in the comment mitigates the issue.

Hey @ykethan
Sorry but this comment you refer to, alone contradicts the comment that it refers to, contradicts all other guides, and contradicts what is now working (albeit badly) on my machine.

so the problem is BAD DOCUMENTATION!

github-actions bot removed the pending-response label Jul 18, 2023
@qwikag
Author

qwikag commented Jul 18, 2023

To re-iterate this was my fix:
updating the local-aws-ingo.json: with the correct profile name from the auth screen worked.

However also deleting the profile from this file meant it did not go looking for the credentials file, so I removed 2 files from the situation... (maybe it is required on a 30day, once expired, basis???)

Reflecting on the "Documentation" (POOR AT BEST)
In a very roundabout way it refers to "Short-Term Credentials"
https://docs.amplify.aws/cli/reference/iam-roles-mfa/
this page contradicts that a little, although I was able to get it working without credentials, however it may fail when my refresh token expires (100% not sure), there is also no documentation about that either.
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html

but it also refers to the use of the Credentials file which I have now stopped using, how long will it be until that stops working???

I do not know what process is required but these files are what I was able to adjust and fix my issues (file and example text).
Referring to the link in your logged-in screen (profile picker screen) using the "Command line or programmatic access" pop up.
1. EDIT .aws/config
[profile AdminAmplify_123456789001]
sso_session = my-sso
sso_account_id = 123456789001
sso_role_name = AdminAmplify
region = ap-southeast-2
output = json

[sso-session my-sso]
sso_start_url = https://mydomain.awsapps.com/start
sso_region = ap-southeast-2
sso_registration_scopes = sso:account:access

2. Using the "Command line or programmatic access" pop up again copy and paste the environment variables
$Env:AWS_ACCESS_KEY_ID="ASI...............................WDO"
$Env:AWS_SECRET_ACCESS_KEY="hau1......................................................................U0xM1"
$Env:AWS_SESSION_TOKEN="IQoJb3J.......................................................................................................................UAWe8DJ"

3. there are 2 other environment variables (5 in total) I have set as persistent:
running in powershell to see them > ls ENV:
AWS_PROFILE AdminAmplify_123456789001
AWS_REGION ap-southeast-2

If you must you can also add to the .aws/credentials file details from the "Command line or programmatic access" pop up.
I just wish I knew why or when this was used.

I recognise persisting the env variables may mean it does enable multiple profiles.
There are seemingly apps out there that help manage (FIX) all of the above for you but I really do not like 3rd party apps that have access to my creds.

Any way the upshot of all of this is that Auth Documentation is a complete disaster and needs to be fixed, otherwise people will go elsewhere.
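
The mismatch described in the posts above, as an added example that is not part of the thread and is not Amplify CLI code: it checks every `profileName` in Amplify's `amplify/.config/local-aws-info.json` against the profiles actually defined in the AWS shared files, where `~/.aws/config` uses `[profile NAME]` headers and `~/.aws/credentials` uses `[NAME]`. The function names, the near-match heuristic and the sample file contents are assumptions constructed from the names quoted in the thread.

```javascript
// Added example, not Amplify CLI code. File contents below are constructed
// samples built from the profile names quoted in this thread.

// Collect profile names from AWS shared-config INI text.
// ~/.aws/config uses "[profile NAME]" or "[default]"; ~/.aws/credentials uses "[NAME]".
function profileNames(iniText, kind) {
  const names = new Set();
  for (const line of iniText.split(/\r?\n/)) {
    const m = line.match(/^\s*\[\s*([^\]]+?)\s*\]\s*$/);
    if (!m) continue;
    const header = m[1];
    if (kind === 'credentials') names.add(header);
    else if (header === 'default') names.add(header);
    else if (/^profile\s+/.test(header)) names.add(header.replace(/^profile\s+/, ''));
    // "[sso-session ...]" and other section types are not profiles
  }
  return names;
}

// Order- and separator-insensitive key (assumed heuristic): both
// "AmplifyAdminAccess-012343456789" and "012343456789_AmplifyAdminAccess"
// map to "012343456789|amplifyadminaccess".
const tokenKey = (name) => name.toLowerCase().split(/[-_]/).sort().join('|');

// For each Amplify environment that uses a profile, report whether the profile
// is defined and, if not, which defined profile differs only in order/separator.
function checkAmplifyProfiles(localAwsInfoJson, configText, credentialsText) {
  const defined = new Set([
    ...profileNames(configText, 'config'),
    ...profileNames(credentialsText, 'credentials'),
  ]);
  const findings = [];
  for (const [env, cfg] of Object.entries(JSON.parse(localAwsInfoJson))) {
    if (!cfg.useProfile) continue;
    const found = defined.has(cfg.profileName);
    const nearMatch = found ? null
      : [...defined].find((p) => tokenKey(p) === tokenKey(cfg.profileName)) || null;
    findings.push({ env, profileName: cfg.profileName, found, nearMatch });
  }
  return findings;
}

// Constructed samples (no real credentials)
const SAMPLE_LOCAL_AWS_INFO = JSON.stringify({
  dev: { configLevel: 'project', useProfile: true, profileName: 'some_other_random_profile_name' },
  main: { configLevel: 'project', useProfile: true, profileName: 'AmplifyAdminAccess-012343456789' },
});
const SAMPLE_CONFIG = '[profile some_other_random_profile_name]\nregion = ap-southeast-2\n' +
  '[sso-session my-sso]\nsso_region = ap-southeast-2\n';
const SAMPLE_CREDENTIALS = '[012343456789_AmplifyAdminAccess]\naws_access_key_id = EXAMPLEKEYID\n';

console.log(checkAmplifyProfiles(SAMPLE_LOCAL_AWS_INFO, SAMPLE_CONFIG, SAMPLE_CREDENTIALS));
```

To run it against a real project, pass the contents of the three files (read with `fs.readFileSync(path, 'utf8')`) instead of the samples.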

@qwikag
Author

qwikag commented Jul 18, 2023

PLEASE LEAVE THIS OPEN UNTIL DOCUMENTATION IS FIXED!
FIXED means:
"when a new person comes along with no experience and they can setup without any issues."

josefaidt added the feature-request, documentation and platform labels and removed the pending-triage and platform-init labels Jul 19, 2023
@josefaidt
Contributor

Hey @qwikag 👋 ideally this auth flow is 1:1 with what is supported with the AWS CLI and reflected in the AWS documentation. Currently we have a bug that prevents the usage of AWS SSO as defined in the documentation and similar to the config you've provided. I've swapped a few labels here to improve the documentation once the SSO support is fixed, however in the meantime does the workaround noted here resolve the issue? #4488 (comment)

@qwikag
Author

qwikag commented Jul 19, 2023

Hey @qwikag... does the workaround noted here resolve the issue? #4488 (comment)

No it does not.

But also how it is meant to be used, has not been explained.

Also it refers to "amplify init" which is a one off command/ process used at the start of a project.

@qwikag
Author

qwikag commented Jul 19, 2023

By the way, why had this turned into a feature request?

This feature of being able to login is already in production.

This is a bug related to documentation.

Please do not hide it in feature request processes.

@qwikag
Author

qwikag commented Jul 19, 2023

It is not just platform init

Yes that's where I encountered it first.
Then I fixed it and encountered it at amplify pull stage.
Then fixed it, then again during a later amplify push 2 weeks later or 30 days into my first project.

@qwikag
Author

qwikag commented Sep 15, 2023

@josefaidt, @Jay2113, Someone,
Hi guys,
I am going from error to error, and at breaking point!
This is the first time getting this particular error.

I have recently updated to the latest Amplify version and Next.js version.
And now I cannot use CLI.
Error: Missing region in config
I have changed nothing in my Auth config. can you please point me at a proper Auth guide:

I am using IAM (SSO) and on Windows with VSCode running all up to date versions in npm
I was working previously, but after upgrade "no worky".

Here is my abbreviated config:

[profile app1]
sso_session = mysso
sso_account_id = 7012345678965
sso_role_name = AdminAmplify
region = ap-southeast-2
output = json

[profile app2]
sso_session = mysso
sso_account_id = 021234567825
sso_role_name = AdminAmplify
region = ap-southeast-2
output = json

[sso-session mysso]
sso_start_url = https://mydomain.awsapps.com/start
sso_region = ap-southeast-2
sso_registration_scopes = sso:account:access

Environment Variables commands look like this:

$Env:AWS_ACCESS_KEY_ID="BSIAQL.......WFFJ"
$Env:AWS_SECRET_ACCESS_KEY="iKu+aWN...JaHk+KYf...q1IL"
$Env:AWS_SESSION_TOKEN="UQoJb3J.............U7TZV4hUJ"

And my amplify command that gives me the error is:

amplify push --profile app1
