cognito-backup-restore

Please support Cognito authentication using roles

Open cafl opened this issue 4 years ago • 5 comments

It seems you only accept a key/password IAM credential. Using a role is a best practice. In the aws config file this is specified as follows (example from aws cli documentation):

    [profile marketingadmin]
    role_arn = arn:aws:iam::123456789012:role/marketingadminrole
    credential_source = Ec2InstanceMetadata

cafl avatar Jul 30 '19 23:07 cafl

This also does not work from an EC2 instance that has an instance profile assigned and therefore straight access to AWS. Why are you forcing the --profile or credential parameters?

This is the error I got:

$ cbr backup --region eu-west-2 --pool xxxxxx --dir /tmp/cognitobackup
fs.js:114
    throw err;
    ^

Error: ENOENT: no such file or directory, open '/home/ec2-user/.aws/credentials'
    at Object.openSync (fs.js:443:3)
    at Object.readFileSync (fs.js:343:35)
    at Object.readFileSync (/usr/lib/node_modules/cognito-backup-restore/node_modules/aws-sdk/lib/util.js:95:26)
    at IniLoader.parseFile (/usr/lib/node_modules/cognito-backup-restore/node_modules/aws-sdk/lib/shared-ini/ini-loader.js:6:47)
    at IniLoader.loadFrom (/usr/lib/node_modules/cognito-backup-restore/node_modules/aws-sdk/lib/shared-ini/ini-loader.js:56:30)
    at Object.<anonymous> (/usr/lib/node_modules/cognito-backup-restore/build/cli/options.js:48:39)
    at Module._compile (internal/modules/cjs/loader.js:778:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:789:10)
    at Module.load (internal/modules/cjs/loader.js:653:32)
    at tryModuleLoad (internal/modules/cjs/loader.js:593:12)

ophintor avatar Aug 14 '19 12:08 ophintor

This is actually very easy to fix. Somebody has already done that:

https://github.com/jakubkrzykowski/cognito-backup-restore/commit/0340e779792b9ec21360ec9087b631df96bcfa0d

I have his commit in my own fork of this repo. What's missing before it's final is to make some type of parameter to switch to this behavior.

vladistan avatar Oct 13 '19 03:10 vladistan

Can you please try using v1.3.1 and let me know if this is fixed?

rahulpsd18 avatar Jul 09 '20 15:07 rahulpsd18

I am trying v1.3.2 but it is still looking in .aws/credentials even when I give it a profile from .aws/config which has a role.

I am trying cbr backup --profile my-role --region us-east-2 --userpool all

But it comes back asking for my AWS profile and offering the 2 I have in .aws/credential

Am I doing something wrong?

idharper avatar Aug 06 '20 13:08 idharper

> I am trying v1.3.2 but it is still looking in .aws/credentials even when I give it a profile from .aws/config which has a role.
>
> I am trying cbr backup --profile my-role --region us-east-2 --userpool all
>
> But it comes back asking for my AWS profile and offering the 2 I have in .aws/credential
>
> Am I doing something wrong?

I have this exact same issue with v1.3.2. I have an .aws/credentials file and an .aws/config file with the role. It keeps prompting me for the 2 entries I have in .aws/credential and ignores the profile name I passed in.

Any resolution on this?

rutabagaman avatar Oct 05 '20 23:10 rutabagaman
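
The thread reports two failure modes: a crash when ~/.aws/credentials does not exist, and role profiles defined in ~/.aws/config not being offered. The following is an added example, not code from cognito-backup-restore or the aws-sdk, of profile discovery that reads both files and tolerates a missing one. The function names are hypothetical and the merge is a simplification of the SDK's own resolution rules.

```javascript
// Added example: list profiles from both AWS shared files, tolerating a missing one.
// File contents are passed as strings; null means the file does not exist.

// Return the file text, or null when the file is absent (the ENOENT case in the trace).
// fs is required lazily so the parsing functions stay usable without a filesystem.
function readIfExists(file) {
  try {
    return require("fs").readFileSync(file, "utf8");
  } catch (err) {
    if (err.code === "ENOENT") return null;
    throw err;
  }
}

// Minimal INI parser: "[section]" headers and "key = value" lines.
function parseIni(text) {
  const sections = {};
  let current = null;
  for (const raw of (text || "").split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const header = line.match(/^\[(.+)\]$/);
    if (header) { current = sections[header[1].trim()] = {}; continue; }
    const eq = line.indexOf("=");
    if (current && eq > 0) current[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return sections;
}

// config uses "[profile name]" (except "[default]"); credentials uses "[name]".
function listProfiles(configText, credentialsText) {
  const profiles = {};
  for (const [section, keys] of Object.entries(parseIni(configText))) {
    const name = section === "default" ? section : (section.match(/^profile\s+(.+)$/) || [])[1];
    if (name) profiles[name] = { ...keys };
  }
  for (const [name, keys] of Object.entries(parseIni(credentialsText))) {
    profiles[name] = { ...profiles[name], ...keys };
  }
  const kind = (p) =>
    p.role_arn ? (p.credential_source ? `role via ${p.credential_source}` :
                  p.source_profile ? `role via profile ${p.source_profile}` : "role (no source)")
    : p.aws_access_key_id ? "static keys" : "no credentials";
  return Object.fromEntries(Object.entries(profiles).map(([n, p]) => [n, kind(p)]));
}

// Constructed sample: the role profile quoted in the issue, with no credentials file.
const SAMPLE_CONFIG = `[profile marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadminrole
credential_source = Ec2InstanceMetadata`;
```

On a real host the two arguments would come from `readIfExists` applied to `~/.aws/config` and `~/.aws/credentials`.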