amazon-archives/awsmobile-cli

Cross-Account (profile) Support - Duplicate

Opened this issue · 6 comments

I'm still not able to init the project as per #113

I'm able to invoke AWS cli for mobile and see the projects listed in my other profile but I can't seem to init the backend.

$ aws mobile list-projects --profile MyCrossAccountAccessProfile
{
    "projects": [
        {
            "projectId": "<project_b_id>",
            "name": "PROJEC_NAME"
        }
    ]
}
 
$ awsmobile configure aws --profile MyCrossAccountAccessProfile

configure aws
Setting awsmobile-cli to use named profile: MyCrossAccountAccessProfile

Done

$ awsmobile init <project_b_id>

this project's backend is currently set to be <project_a>
with mobile project id = <project_a_id>
and was initialized at 2018-05-01-17-46-04
? switch backend to awsmobile project with id = project_b_id Yes
init will now try to switch to the newly specified backend

failed to link to backend awsmobile project with id = <project_b_id>
{ NotFoundException: No such project exists : <project_b_id>
   .
   .
  message: 'No such project exists : <project_b_id>',
  code: 'NotFoundException',
 }

I also tried

$ export AWS_PROFILE=MyCrossAccountAccessProfile

per the AWS CLI docs but no luck.

my ~/.aws/config

[default]
region = us-east-1
output = json

[profile MyCrossAccountAccessProfile]
role_arn = arn:aws:iam::*****************:role/MyCrossAccountAccessProfile
region = us-east-1
source_profile = default

and ~/.aws/credentials

[default]
aws_access_key_id = MYACCESSKEYID
aws_secret_access_key = mysecretaccesskey

[MyCrossAccountAccessProfile]
aws_access_key_id = MYACCESSKEYID
aws_secret_access_key = mysecretaccesskey

One possible cause that I can think of is that you haven't set the general configuration correctly.
Please cd to your workspace and follow these steps to find out:

  1. $ mkdir newEmptyDir
  2. $ cd newEmptyDir
  3. $ awsmobile configure aws --list

The awsmobile-cli will list the general configuration that will be used when the next init command is executed. Please check whether it is the profile MyCrossAccountAccessProfile.

It is using MyCrossAccountAccessProfile, not my default profile

awsmobile configure aws --list


IsUsingProfile: true
ProfileName: MyCrossAccountAccessProfile

{ accessKeyId: '*********************',
  secretAccessKey: '*************************',
  region: 'us-east-1' }

I did create the entry for the 'MyCrossAccountAccessProfile' profile manually; meaning I opened the credentials and config files and just added the values.

Thanks.

The awsmobile-cli currently does NOT support assuming roles.
When you execute aws mobile list-projects --profile MyCrossAccountAccessProfile, and your profile has role-arn and source-profile, the aws-cli will assume the role and then use the assumed role to access AWS.
But when you configure awsmobile-cli with a profile name, the awsmobile-cli only picks the keys and the region from the two files and then uses them to access AWS.
Hence the difference.
Since you are using cross-account access, I guess the keys you put there do not have access permission to the mobile-hub.
I will mark this as a feature request.
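To make the difference concrete, here is an added Python check (not from this thread or the awsmobile-cli project) that resolves a named profile the way the AWS CLI does, flagging role_arn/source_profile, and reports which static keys a keys-plus-region lookup like awsmobile-cli's would pick up instead. The file contents, account id and keys are constructed placeholders modelled on the files posted above.

```python
import configparser

# Constructed copies of the two files from the thread (placeholder values).
CONFIG_INI = """[default]
region = us-east-1

[profile MyCrossAccountAccessProfile]
role_arn = arn:aws:iam::111111111111:role/MyCrossAccountAccessProfile
region = us-east-1
source_profile = default
"""
CREDENTIALS_INI = """[default]
aws_access_key_id = AKIAEXAMPLEACCOUNTA
aws_secret_access_key = example-secret-account-a

[MyCrossAccountAccessProfile]
aws_access_key_id = AKIAEXAMPLEACCOUNTA
aws_secret_access_key = example-secret-account-a
"""


def _parse(text):
    # AWS CLI files are INI-style; '=' only, so ARNs with ':' stay intact.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return cp


def resolve_profile(name, config_text=CONFIG_INI, creds_text=CREDENTIALS_INI):
    """AWS CLI convention: config labels non-default profiles '[profile X]',
    credentials labels them '[X]'. With role_arn the AWS CLI calls STS
    AssumeRole using the source_profile's keys; a tool that only reads the
    keys under '[X]' plus region calls the API as the key owner, not the role."""
    config, creds = _parse(config_text), _parse(creds_text)
    section = name if name == "default" else f"profile {name}"
    cfg = dict(config[section]) if config.has_section(section) else {}
    static = dict(creds[name]) if creds.has_section(name) else {}
    return {
        "region": cfg.get("region"),
        "role_arn": cfg.get("role_arn"),
        "source_profile": cfg.get("source_profile"),
        "needs_assume_role": "role_arn" in cfg,
        "static_key_id": static.get("aws_access_key_id"),  # what awsmobile-cli uses
    }


def awsmobile_cli_usable(name, **files):
    """True only when the profile works without assuming a role."""
    info = resolve_profile(name, **files)
    return info["static_key_id"] is not None and not info["needs_assume_role"]
```

Running `awsmobile_cli_usable("MyCrossAccountAccessProfile")` on these files returns False: the profile resolves to AccountA's keys plus a role that is never assumed, which is exactly why the Mobile Hub call lands in the wrong account.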

I'm not sure what you mean by the keys not having access. There is only one set of keys, AccountA's keys. I set it up according to https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html

I was following you right up until then. Maybe I'm not using the correct terminology. Let me explain...

I have created an application, ApplicationA, in Mobile Hub using my AWS account, AccountA. This application is actually for a client but I started it under my AWS account (AccountA). Now I'm trying to 'migrate' the code to his account since I am consuming my AWS resources. My client has created a role (MyCrossAccountAccessProfile) in his AWS account, AccountB, and granted my AWS account (AccountA) access. When I log into AWS using my account (AccountA) I am able to assume the MyCrossAccountAccessProfile role. When I am assuming that role I am able to access the AWS Mobile Hub console of AccountB.

So you're saying it's a limitation of the awsmobile-cli (hence the feature-request tag)?

Yes, it's a limitation of the awsmobile-cli; currently it does not support assuming roles for cross-account AWS access.

Understood. Thanks