Cross-Account ( profile ) Support - Duplicate
Opened this issue · 6 comments
I'm still not able to init the project as per #113
I'm able to invoke AWS cli for mobile and see the projects listed in my other profile but I can't seem to init the backend.
$ aws mobile list-projects --profile MyCrossAccountAccessProfile
{
"projects": [
{
"projectId": “<project_b_id>”,
"name": “PROJEC_NAME”
}
]
}
$ awsmobile configure aws --profile MyCrossAccountAccessProfile
configure aws
Setting awsmobile-cli to use named profile: MyCrossAccountAccessProfile
Done
$ awsmobile init <project_b_id>
this project's backend is currently set to be <project_a>
with mobile project id = <project_a_id>
and was initialized at 2018-05-01-17-46-04
? switch backend to awsmobile project with id = project_b_id Yes
init will now try to switch to the newly specified backend
failed to link to backend awsmobile project with id = <project_b_id>
{ NotFoundException: No such project exists : <project_b_id>
.
.
message: 'No such project exists : <project_b_id>',
code: 'NotFoundException',
}
I also tried
$ export AWS_PROFILE=MyCrossAccountAccessProfile
per the AWS CLI docs but no luck.
my ~/.aws/config
[default]
region = us-east-1
output = json
[profile MyCrossAccountAccessProfile]
role_arn = arn:aws:iam::*****************:role/MyCrossAccountAccessProfile
region = us-east-1
source_profile = default
and ~/.aws/credentials
[default]
aws_access_key_id = MYACCESSKEYID
aws_secret_access_key = mysecretaccesskey
[MyCrossAccountAccessProfile]
aws_access_key_id = MYACCESSKEYID
aws_secret_access_key = mysecretaccesskey
One possible cause that I can think of is you haven't set the general configuration correctly.
Please cd to your workspace and follow these steps to find out:
- $ mkdir newEmptyDir
- $ cd newEmptyDir
- $ awsmobile configure aws --list
The awsmobile-cli will list the general configuration that will be used when the next init
command is executed. Please check if it is the profile MyCrossAccountAccessProfile.
It is using MyCrossAccountAccessProfile, not my default profile
awsmobile configure aws --list
IsUsingProfile: true
ProfileName: MyCrossAccountAccessProfile
{ accessKeyId: '*********************',
secretAccessKey: '*************************',
region: 'us-east-1' }
I did create the entry for the 'MyCrossAccountAccessProfile' profile manually; meaning I opened the credentials and config files and just added the values.
Thanks.
The awsmobile-cli currently does NOT support assuming roles.
When you execute aws mobile list-projects --profile MyCrossAccountAccessProfile, and your profile has role-arn and source-profile, the aws-cli will assume the role and then use the assumed role to access AWS.
But when you configure awsmobile-cli with a profile name, the awsmobile-cli only picks the keys and the region from the two files and then uses them to access AWS.
Hence the difference.
Since you are using cross account access, I guess the keys you put there do not have access permission to the mobile-hub.
I will mark this as a feature request.
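To make the difference described above concrete, here is an added example (not code from the awsmobile-cli project or from anyone in this thread) that parses constructed copies of the two files in the shapes shown in the issue and resolves a profile two ways: the static-keys-only reading the maintainer attributes to awsmobile-cli, and the role-chain reading the AWS CLI uses when a profile carries role_arn and source_profile. The account id, key ids and the function names are assumptions made up for the example; the AssumeRole parameters are built but never sent, so the script runs offline.

```python
import configparser
from dataclasses import dataclass
from typing import Optional

# Constructed sample files mirroring the issue; the account id and keys are placeholders.
SAMPLE_CONFIG = """
[default]
region = us-east-1
output = json

[profile MyCrossAccountAccessProfile]
role_arn = arn:aws:iam::111111111111:role/MyCrossAccountAccessProfile
region = us-east-1
source_profile = default
"""

SAMPLE_CREDENTIALS = """
[default]
aws_access_key_id = AKIAEXAMPLEACCOUNTA
aws_secret_access_key = examplesecretA

[MyCrossAccountAccessProfile]
aws_access_key_id = AKIAEXAMPLEACCOUNTA
aws_secret_access_key = examplesecretA
"""


@dataclass
class Resolution:
    profile: str
    access_key_id: Optional[str]
    region: Optional[str]
    assumes_role: bool
    role_arn: Optional[str] = None
    source_profile: Optional[str] = None


def _parse(text: str) -> configparser.ConfigParser:
    # Only "=" separates keys from values; ARNs contain ":" and must not be split there.
    cp = configparser.ConfigParser(delimiters=("=",))
    cp.read_string(text)
    return cp


def _config_section(cfg: configparser.ConfigParser, profile: str):
    # ~/.aws/config names every non-default profile as "profile NAME".
    name = "default" if profile == "default" else f"profile {profile}"
    return cfg[name] if cfg.has_section(name) else {}


def resolve_static(profile, config_text=SAMPLE_CONFIG, credentials_text=SAMPLE_CREDENTIALS):
    """Static reading: take the keys and region for the named profile, ignore role_arn."""
    cfg, creds = _parse(config_text), _parse(credentials_text)
    c = _config_section(cfg, profile)
    k = creds[profile] if creds.has_section(profile) else {}
    region = c.get("region") or k.get("region")
    return Resolution(profile, k.get("aws_access_key_id"), region, assumes_role=False)


def resolve_role_chain(profile, config_text=SAMPLE_CONFIG, credentials_text=SAMPLE_CREDENTIALS):
    """Role-aware reading: with role_arn set, the source_profile keys are only used to call
    STS AssumeRole, and the temporary credentials from that call are what reaches the API."""
    c = _config_section(_parse(config_text), profile)
    role_arn = c.get("role_arn")
    if not role_arn:
        return resolve_static(profile, config_text, credentials_text)
    src = c.get("source_profile", "default")
    base = resolve_static(src, config_text, credentials_text)
    return Resolution(profile, base.access_key_id, c.get("region") or base.region,
                      assumes_role=True, role_arn=role_arn, source_profile=src)


def assume_role_params(res: Resolution, session_name="cross-account-session") -> dict:
    """The request a role-aware tool would pass to STS (e.g. boto3 sts.assume_role(**params))."""
    if not res.assumes_role:
        raise ValueError(f"profile {res.profile} does not define role_arn")
    return {"RoleArn": res.role_arn, "RoleSessionName": session_name}


def explain_mismatch(profile, config_text=SAMPLE_CONFIG, credentials_text=SAMPLE_CREDENTIALS):
    """Pre-flight check: warn when a tool that reads only static keys would call AWS
    as the source account instead of the target role, which surfaces as NotFoundException."""
    chain = resolve_role_chain(profile, config_text, credentials_text)
    if not chain.assumes_role:
        return None
    static = resolve_static(profile, config_text, credentials_text)
    return (f"profile '{profile}' needs AssumeRole on {chain.role_arn} using credentials from "
            f"'{chain.source_profile}'; a static-keys reader would instead call AWS directly as "
            f"key {static.access_key_id}, which only identifies the source account")


if __name__ == "__main__":
    print(resolve_static("MyCrossAccountAccessProfile"))
    print(resolve_role_chain("MyCrossAccountAccessProfile"))
    print(explain_mismatch("MyCrossAccountAccessProfile"))
```

Running explain_mismatch before a tool-specific init is the practical takeaway: if it returns a message, the tool must either assume the role itself or be given temporary credentials obtained from STS (for example exported as environment variables), because the static keys alone identify the wrong account.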
I'm not sure what you mean by the keys not having access. There is only one set of keys, AccountA's keys. I set it up according to https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html
I was following you right up until then. Maybe I'm not using the correct terminology. Let me explain...
I have created an application, ApplicationA, in Mobile Hub using my AWS account, AccountA. This application is actually for a client but I started it under my AWS account ( AccountA ). Now I'm trying to 'migrate' the code to his account since I am consuming my AWS resources. My client has created a role (MyCrossAccountAccessProfile) in his AWS account, AccountB, and granted my AWS account ( AccountA ) access. When I log into AWS using my account ( AccountA ) I am able to assume the MyCrossAccountAccessProfile role. When I am assuming that role I am able to access the AWS Mobile Hub console of AccountB.
So you're saying it's a limitation of the awsmobile-cli ( hence the feature-request tag )?
Yes, it's a limitation of the awsmobile-cli; currently it does not support assuming roles for cross account aws access.
Understood. Thanks