aws-amplify
Getting NoCredentials Error while performing List, Upload and Other file actions on S3 bucket from Amplify V6 react application
Before opening, please confirm:
- [x] I have searched for duplicate or closed issues and discussions.
- [X] I have read the guide for submitting bug reports.
- [X] I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
JavaScript Framework
React
Amplify APIs
Storage
Amplify Version
v6
Amplify Categories
auth, storage
Backend
Amplify CLI
Environment information
# Put output below this line
System:
OS: Windows 10 10.0.17763
CPU: (8) x64 Intel(R) Core(TM) i5-8365U CPU @ 1.60GHz
Memory: 7.79 GB / 15.74 GB
Binaries:
Node: 20.11.0 - C:\Program Files\nodejs\node.EXE
npm: 10.2.4 - C:\Program Files\nodejs\npm.CMD
Browsers:
Internet Explorer: 11.0.17763.2989
npmPackages:
@aws-amplify/ui-react: ^6.1.6 => 6.1.6
@aws-amplify/ui-react-internal: undefined ()
@headlessui/react: ^1.7.18 => 1.7.18
@heroicons/react: ^2.1.1 => 2.1.1
@hookform/resolvers: ^3.3.4 => 3.3.4
@hookform/resolvers/ajv: 1.0.0
@hookform/resolvers/arktype: 1.0.0
@hookform/resolvers/class-validator: 1.0.0
@hookform/resolvers/computed-types: 1.0.0
@hookform/resolvers/io-ts: 1.0.0
@hookform/resolvers/joi: 1.0.0
@hookform/resolvers/nope: 1.0.0
@hookform/resolvers/superstruct: 1.0.0
@hookform/resolvers/typanion: 1.0.0
@hookform/resolvers/typebox: 1.0.0
@hookform/resolvers/valibot: 1.0.0
@hookform/resolvers/vest: 1.0.0
@hookform/resolvers/yup: 1.0.0
@hookform/resolvers/zod: 1.0.0
@reduxjs/toolkit: ^2.2.1 => 2.2.1
@reduxjs/toolkit-query: 1.0.0
@reduxjs/toolkit-query-react: 1.0.0
@reduxjs/toolkit-react: 1.0.0
@types/react: ^18.2.43 => 18.2.48
@types/react-dom: ^18.2.17 => 18.2.18
@vitejs/plugin-react: ^4.2.1 => 4.2.1
@zxing/browser: ^0.1.4 => 0.1.4
@zxing/library: ^0.20.0 => 0.20.0
autoprefixer: ^10.4.17 => 10.4.17
aws-amplify: ^6.0.20 => 6.0.20
aws-amplify/adapter-core: undefined ()
aws-amplify/analytics: undefined ()
aws-amplify/analytics/kinesis: undefined ()
aws-amplify/analytics/kinesis-firehose: undefined ()
aws-amplify/analytics/personalize: undefined ()
aws-amplify/analytics/pinpoint: undefined ()
aws-amplify/api: undefined ()
aws-amplify/api/server: undefined ()
aws-amplify/auth: undefined ()
aws-amplify/auth/cognito: undefined ()
aws-amplify/auth/cognito/server: undefined ()
aws-amplify/auth/enable-oauth-listener: undefined ()
aws-amplify/auth/server: undefined ()
aws-amplify/datastore: undefined ()
aws-amplify/in-app-messaging: undefined ()
aws-amplify/in-app-messaging/pinpoint: undefined ()
aws-amplify/push-notifications: undefined ()
aws-amplify/push-notifications/pinpoint: undefined ()
aws-amplify/storage: undefined ()
aws-amplify/storage/s3: undefined ()
aws-amplify/storage/s3/server: undefined ()
aws-amplify/storage/server: undefined ()
aws-amplify/utils: undefined ()
eslint: ^8.55.0 => 8.56.0
eslint-config-prettier: ^9.1.0 => 9.1.0
eslint-plugin-import: ^2.29.1 => 2.29.1
eslint-plugin-react: ^7.33.2 => 7.33.2
eslint-plugin-react-hooks: ^4.6.0 => 4.6.0
eslint-plugin-react-refresh: ^0.4.5 => 0.4.5
luxon: ^3.4.4 => 3.4.4
moment: ^2.30.1 => 2.30.1
postcss: ^8.4.33 => 8.4.33
prettier: ^3.2.5 => 3.2.5
react: ^18.2.0 => 18.2.0
react-barcode: ^1.4.6 => 1.4.6
react-datepicker: ^6.4.0 => 6.4.0
react-dom: ^18.2.0 => 18.2.0
react-dropzone: ^14.2.3 => 14.2.3
react-hook-form: ^7.50.1 => 7.50.1
react-qr-code: ^2.0.12 => 2.0.12
react-redux: ^9.1.0 => 9.1.0
react-router-dom: ^6.22.1 => 6.22.1
tailwindcss: ^3.4.1 => 3.4.1
vite: ^5.0.8 => 5.0.12
vite-plugin-pwa: ^0.17.5 => 0.17.5
yup: ^1.3.3 => 1.3.3
npmGlobalPackages:
@aws-amplify/cli: 12.10.1
corepack: 0.23.0
npm: 10.2.4
Describe the bug
I am trying to perform List, Upload file actions in my amplify react application. But I am getting below error while performing file upload and list files operations.
Error : NoCredentials: Credentials should not be empty.
Note- We are using federated usrs from Azure AD and have configured Azure AD ipd using SAML. All of the users will logging through this idp only. And we need to provide S3 file access to logged in users only.
I followed below steps to add and configure storage using Amplify CLI. Please refer below section
Expected behavior
- Files should get uploaded to S3 bucket by only authenticated users
- Should get list of files from S3 bucket for authenticated users
Reproduction steps
amplify add storage- Answered questions like below
- Please select from one of the below mentioned services: -
Content (Images, audio, video, etc.) - You need to add auth (Amazon Cognito) to your project in order to add storage for user files. Do you want to add auth now?-
Yes - Do you want to use the default authentication and security configuration?-
Default configuration - Do you want to configure advanced settings?-
No, I am done. - Please provide a friendly name for your resource that will be used to label this category in the project: -
testS3 - Please provide bucket name:
testS3bucket - Who should have access:
Auth users - What kind of access do you want for Authenticated users? -
create/update, read, delete - Do you want to add a Lambda Trigger for your S3 Bucket? -
No
-
Configured- Amplify.configure({ .... //added S3 config Storage: { S3: { bucket: "testS3bucket", region: "us-east-1", } } })
-
Refer File upload and List files code from below code snippets
Code Snippet
// Put your code below this line.
//Upload file code
import { uploadData } from 'aws-amplify/storage';
try {
const result = await uploadData({
key: filename,
data: file,
options: {
accessLevel: 'private'
}
}).result;
console.log('Succeeded: ', result);
} catch (error) {
console.log('Error : ', error);
//List files code
import { list } from 'aws-amplify/storage';
try {
const result = await list();
} catch (error) {
console.log(error);
}
Log output
Console Error while listing files
Error: NoCredentials: Credentials should not be empty.
at assertValidationError (http://localhost:5173/node_modules/.vite/deps/chunk-57IZAOBQ.js?v=1d4e4029:462:11)
at resolveS3ConfigAndInput (http://localhost:5173/node_modules/.vite/deps/chunk-57IZAOBQ.js?v=1d4e4029:644:3)
at async list (http://localhost:5173/node_modules/.vite/deps/chunk-57IZAOBQ.js?v=1d4e4029:1984:51)
at async listAllBuckets (http://localhost:5173/src/components/
Console error while upload
Error : NoCredentials: Credentials should not be empty.
at assertValidationError (http://localhost:5173/node_modules/.vite/deps/chunk-57IZAOBQ.js?v=1d4e4029:462:11)
at resolveS3ConfigAndInput (http://localhost:5173/node_modules/.vite/deps/chunk-57IZAOBQ.js?v=1d4e4029:644:3)
at async http://localhost:5173/node_modules/.vite/deps/chunk-57IZAOBQ.js?v=1d4e4029:1450:64
at async http://localhost:5173/node_modules/.vite/deps/chunk-57IZAOBQ.js?v=1d4e4029:502:22
at async handleFileChange (http://localhost:5173/
aws-exports.js
No response
Manual configuration
Amplify.configure({
Auth: {
Cognito: {
userPoolClientId: 'xxxxxxxxxxxxxxxxxx',
userPoolId: 'xxxxxxxxxxxxx',
loginWith: {
oauth: {
domain: 'xxxxxxxx.amazoncognito.com',
scopes: ['openid email aws.cognito.signin.user.admin'],
redirectSignIn: ['http://localhost:5173'],
redirectSignOut: ['http://localhost:5173'],
responseType: 'code',
},
},
},
},
API: {
GraphQL: {
endpoint:
'https://xxxxxxxxxamazonaws.com/graphql',
region: 'xxxx',
defaultAuthMode: 'userPool',
},
},
Storage: {
S3: {
bucket: "testS3Bucket",
region: "xxxxx",
}
}
});
Additional configuration
No response
Mobile Device
No response
Mobile Operating System
No response
Mobile Browser
No response
Mobile Browser Version
No response
Additional information and screenshots
No response
Amplify documentation really needs a revamp. A lot of things are either not documented or fail to work :(
@nadetastic Please assist us with this issue.
If it helps, I am mentioning below links of previously riased issues of same project by our team. https://github.com.mcas.ms/aws-amplify/amplify-cli/issues/13240 https://github.com.mcas.ms/aws-amplify/amplify-js/issues/13119
Hello, @saurabhunde 👋. It looks like you're missing the identityPoolId in your scoped Auth config. See an example of what the shape should look like here (click on existing resources block switcher). Can you add that in and see if you still get the error?
@sumitsahoo, that's valid feedback and we would love to hear how we can make it better! Feel free to open up a docs issue here or let me know via a reply back if there's something specific you're looking for. I think we could make the scoped examples for configs a little easier to find (rather than buried inside that last option of the block switcher).
@cwomack I have added identityPoolId in the scoped Auth config and now the error has changed.
Updated Auth config:
Amplify.configure({
Auth: {
mandatorySignIn: false,
Cognito: {
userPoolClientId: amplifyconfig.aws_user_pools_web_client_id,
userPoolId: amplifyconfig.aws_user_pools_id,
loginWith: {
oauth: {
domain: amplifyconfig.oauth.domain,
scopes: ['openid email aws.cognito.signin.user.admin'],
redirectSignIn: ['http://localhost:5173'],
redirectSignOut: ['http://localhost:5173'],
responseType: 'code',
},
},
identityPoolId: amplifyconfig.aws_cognito_identity_pool_id,
},
},
API: {
GraphQL: {
endpoint:
xyz.aws_appsync_graphqlEndpoint,
region: 'eu-west-1',
// Set the default auth mode to "userPool"
defaultAuthMode: 'userPool',
},
},
Storage: {
S3: {
bucket: "xyz-dev",
region: "eu-west-1",
},
}
});
Here is error message:
InvalidIdentityPoolConfigurationException: Invalid identity pool configuration. Check assigned IAM roles for this pool.
at parseJsonError (http://localhost:5173/node_modules/.vite/deps/chunk-IFRJ7B24.js?v=ca1ab44f:2871:17)
at async getCredentialsForIdentityDeserializer (http://localhost:5173/node_modules/.vite/deps/chunk-IFRJ7B24.js?v=ca1ab44f:4387:19)
at async CognitoAWSCredentialsAndIdentityIdProvider.credsForOIDCTokens (http://localhost:5173/node_modules/.vite/deps/chunk-S5WU6PHE.js?v=ca1ab44f:4865:26)
at async AuthClass.fetchAuthSession (http://localhost:5173/node_modules/.vite/deps/chunk-IFRJ7B24.js?v=ca1ab44f:1010:34)
at async resolveS3ConfigAndInput (http://localhost:5173/node_modules/.vite/deps/chunk-K4YCOUCR.js?v=ca1ab44f:641:39)
at async list (http://localhost:5173/node_modules/.vite/deps/chunk-K4YCOUCR.js?v=ca1ab44f:1984:51)
at async listAllBuckets (http://localhost:5173/src/components/PAVManagement/PAVForm.jsx:68:22)
Hi @cwomack , Thank you for your reponse on my issue. Could you please provide an exmaple IAM role and its policies that we can add to Cognito Identity Pool which allows CRUD operations on S3 for authenticated Cognito users? As menioned by @sumitsahoo, we are facing above error even after adding identity pool id in Amplify configuration
I'm also getting similar. If I configure my Auth as follows, then basically every API I have starts complaining - these are all different Amplify projects that import the Auth cateory. There had been no changes prior to today and we were working on something unrelated to work round another bug.
Auth: {
Cognito: {
identityPoolId: <imported>
userPoolId: <imported>
userPoolClientId: <imported>
}
},
When I remove identityPoolId the site and it's APIs work ok, but it breaks the ability to upload/create presigned URLs.
When identityPoolId is configured as shown, I get:
message: "Invalid identity pool configuration. Check assigned IAM roles for this pool."
__type: "InvalidIdentityPoolConfigurationException"
When I remove identityPoolId I get the following messages when trying to upload files:
Profile.tsx:361 Error: NoIdentityId: Missing identity ID when accessing objects in protected or private access level.
at assertValidationError (http://localhost:8000/node_modules/.vite/deps/@aws-amplify_storage.js?v=8c320a89:485:11)
at resolveS3ConfigAndInput (http://localhost:8000/node_modules/.vite/deps/@aws-amplify_storage.js?v=8c320a89:660:3)
at async http://localhost:8000/node_modules/.vite/deps/@aws-amplify_storage.js?v=8c320a89:1498:76
at async http://localhost:8000/node_modules/.vite/deps/@aws-amplify_storage.js?v=8c320a89:529:22
at async customRequestFileUploader (http://localhost:8000/routes/Profile.tsx?t=1721830282460:291:28)
My upload configuration is as follows:
const uploadedFile = await uploadData({
path: ({identityId}) => `protected/${identityId}/profile.${fileExtension}`,
data: file,
options: {
onProgress // Optional progress callback.
}
}).result;
Finally, when I call:
const { username, userId, signInDetails } = await getCurrentUser()
const authSession = await fetchAuthSession()
signInDetails are empty, as is the identityId in the response from fetchAuthSession()
I was having similar issues switching between public (apiKey) and Cognito user pool users. Would get errors like NoCredentials or NoValidAuthTokens when I would sign out and try to switch to apiKey or sign in and switch Amplify config to userPool. What worked was not messing around w re-configuring Amplify and just switching auth modes when calling generateClient() for API calls.
import amplifyconfig from '../amplifyconfiguration.json'
import { generateClient } from 'aws-amplify/api'
...
Amplify.configure(amplifyconfig,{})
...
getClient() {
return generateClient({ authMode: store.getState().appStateInRedux.signedIn ? 'userPool' : 'apiKey' })
}
...
//if userSub, then we have a userPool user, call s3 api
fetchAuthSession().then((session) => {
userSession = session
if (userSession.userSub) {
uploadFilePath = 'protected/' + userSession.identityId + '/' + fileName
}
const uploadedFile = await uploadData({
path: uploadFilePath,
data: file,
}).result
}
...
//other places where I call the AppSync API
getClient().graphql(...)
I could not find this documented anywhere, the authMode param in generateClient, however it is there if you check the types for CommonPublicClientOptions. Hopefully this helps someone. This is a react native project and aws pkg details below:
"aws-amplify": "6.3.6"
I'm also running into this, aws-amplify 6.6.0. Auth and storage configured manually. I hadn't had an identity pool configured, but finally figured out that that was why the auth session had no identityId, leading to storage breakage. As soon as I added an identity pool, got "Invalid identity pool configuration. Check assigned IAM roles for this pool.".
@sumitsahoo How are you creating your identityPool? Are you doing it manually or via CLI? If manually, it appears to me that there might be a misconfiguration issue between IAM and the identityPool.
@sumitsahoo How are you creating your identityPool? Are you doing it manually or via CLI? If manually, it appears to me that there might be a misconfiguration issue between IAM and the identityPool.
We created it manually and then imported it from Amplify console.
@saurabhunde and others following this issue, I'll work on reproducing this locally and following up with any additional questions. With the amount of people experiencing this, it sounds like there's either a bug or (at minimum) a gap in our documentation.
Hi @sumitsahoo following up here, apologies for the delay. If you are creating the Identity pool manually, then there may be some missing configuration that is expected by Amplify. For one, Amplify relies on two roles that are attached to the identity pool - an authorized role, which gives IAM permissions to your logged in users, and and unauthorized role which specifies permissions for your guest (not logged in) users.
Could you validate that each of these exist and are enabled on the identity pool? From the error message you shared Invalid identity pool configuration. Check assigned IAM roles for this pool it appears that this may be part of if not the problem. Note that if you do not want to provide any permissions to guest users, you can simply omit any policies to the guest role
For reference, this is how the identity pool user access should be defined. Note that the User pool is also included as the identity provider.
Hi @sumitsahoo / @saurabhunde - I'll go ahead and close out this issue due to inactivity. If you still have any questions, please review the above comment and let me know if you have difficulty after. Thanks!