Amplify init fails to resolve credential from profile in $AWS_CONFIG_FILE despite $AWS_SDK_LOAD_CONFIG=1 #11319

Closed
5 tasks done
lestephane opened this issue Nov 3, 2022 · 1 comment · Fixed by #11821
Labels
feature-request Request a new feature p3 platform-init Issues related to initializing a new Amplify project

Comments


lestephane commented Nov 3, 2022

Before opening, please confirm:

How did you install the Amplify CLI?

npm install -g @aws-amplify/cli@latest

If applicable, what version of Node.js are you using?

v12.22.12

Amplify CLI Version

10.4.0

What operating system are you using?

Ubuntu 20.04.2 LTS

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

Not applicable

Amplify Categories

Not applicable

Amplify Commands

init

Describe the bug

  • I do not use ~/.aws/config in the standard location (I override it with AWS_CONFIG_FILE)
  • I do not use ~/.aws/credentials at all (aws-vault does not require one)

Using aws-vault through credential_process in my non-standard located config file without a credentials file has been working for me in awscli v2 (and IntelliJ) for some time. So I expected it to be supported in Amplify CLI as well, especially since I export AWS_SDK_LOAD_CONFIG=1 (see reproduction). But it doesn't.

Expected behavior

I can't describe what to expect, since I never got past amplify init, it is the first time I use it, and I never ran it before.
First contact, so to speak:

I can tell you what I did not expect


Using default provider  awscloudformation
? Select the authentication method you want to use: AWS profile
AWS access credentials can not be found.  <<<< UNEXPECTED
? Setup new user (Y/n)                                 <<<< UNEXPECTED

Reproduction steps

1. .envrc

export AWS_REGION=eu-central-1
export AWS_DEFAULT_REGION=${AWS_REGION}
export AWS_CONFIG_FILE="/tmp/.aws/config.awsvault"
export AWS_VAULT_PROMPT=zenity
export AWS_PROFILE=awsvault-scrubbed-sandbox-admin
export AWS_SDK_LOAD_CONFIG=1
use asdf
layout node

2. /tmp/config.awsvault

[profile scrubbed-primary]
region=eu-central-1

[profile scrubbed-primary-admin]
source_profile=scrubbed-primary
role_arn=arn:aws:iam::PRIMARYACCOUNTID:role/scrubbed-primary-admin-role
mfa_serial=arn:aws:iam::PRIMARYACCOUNTID:mfa/scrubbed.primary.apiuser

[profile scrubbed-sandbox-admin]
source_profile = scrubbed-primary-admin
role_arn = arn:aws:iam::SANDBOXACCOUNTID:role/OrganizationAccountAccessRole

[profile awsvault-scrubbed-sandbox-admin]
credential_process = aws-vault exec -j  scrubbed-sandbox-admin

I'm using a jump account where an admin-role is assumed with an api user's credentials as long as an MFA token is provided.
From there, OrganizationAccountAccessRole in a target test account is assumed. This multihop is all taken care of by aws-vault.

3. direnv allow; amplify init, using all the default answers, except for the default editor, where I chose IntelliJ (this is irrelevant to the issue)

GraphQL schema(s)

# Put schemas below this line

Project Identifier

No response

Log output

$ strace -o strace.txt -f amplify init
$ tail -f strace.txt | grep -E '/\.aws'

Up to Select the authentication method you want to use:

tail: strace.txt: file truncated
79159 access("/home/scrubbed/.aws/credentials", F_OK) = -1 ENOENT (No such file or directory)
79159 access("/home/scrubbed/.aws/config", F_OK) = -1 ENOENT (No such file or directory)
79159 openat(AT_FDCWD, "/home/scrubbed/.aws/credentials", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
79159 openat(AT_FDCWD, "/home/scrubbed/.aws/credentials", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
79159 access("/home/scrubbed/.aws/credentials", F_OK) = -1 ENOENT (No such file or directory)

Up to AWS access credentials can not be found.

79159 access("/home/scrubbed/.aws/config", F_OK) = -1 ENOENT (No such file or directory)
79159 access("/home/scrubbed/.aws/config", F_OK) = -1 ENOENT (No such file or directory)

Additional information

My assessment is that AWS_CONFIG_FILE is not supported, even when AWS_SDK_LOAD_CONFIG=1.
Further, because amplify does not have a --debug flag, it is difficult to figure out what the tool is doing without resorting to strace.
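
The trace excerpt above, checked programmatically (an added example, not part of the original issue or the Amplify CLI code): it lists the files the process probed and tests whether the path set in AWS_CONFIG_FILE was among them. `TRACE` reuses lines quoted in the issue, `HOME` is inferred from those paths, and the function names are hypothetical.

```javascript
// Added example. TRACE is copied from the strace excerpt in the issue;
// ENV mirrors the .envrc, with HOME assumed from the traced paths.
const TRACE = `tail: strace.txt: file truncated
79159 access("/home/scrubbed/.aws/credentials", F_OK) = -1 ENOENT (No such file or directory)
79159 access("/home/scrubbed/.aws/config", F_OK) = -1 ENOENT (No such file or directory)
79159 openat(AT_FDCWD, "/home/scrubbed/.aws/credentials", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)`;
const ENV = { HOME: '/home/scrubbed', AWS_CONFIG_FILE: '/tmp/.aws/config.awsvault' };

// Matches '<pid> access("path", ...) = <ret> [ERRNO]' and the openat form.
const SYSCALL = /^\d+\s+(access|openat)\((?:AT_FDCWD,\s*)?"([^"]+)"[^)]*\)\s*=\s*(-?\d+)(?:\s+([A-Z]+))?/;

// Turn strace text into file-probe events; non-syscall lines are skipped.
function parseTrace(text) {
  const events = [];
  for (const line of text.split('\n')) {
    const m = SYSCALL.exec(line);
    if (m) events.push({ call: m[1], path: m[2], ok: Number(m[3]) >= 0, errno: m[4] || null });
  }
  return events;
}

// Compare the config file the environment asks for with the files actually probed.
function triage(text, env) {
  const expected = env.AWS_CONFIG_FILE || `${env.HOME}/.aws/config`;
  const probed = [...new Set(parseTrace(text).map((e) => e.path))];
  return {
    expected,
    probed,
    expectedProbed: probed.includes(expected),
    defaultsProbed: probed.filter((p) => p.startsWith(`${env.HOME}/.aws/`)),
  };
}

console.log(triage(TRACE, ENV));
```

With the issue's values, `expectedProbed` is false while both default locations appear in `defaultsProbed`, which is the mismatch the report describes.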

@lestephane lestephane added the pending-triage Issue is pending triage label Nov 3, 2022
@lestephane lestephane changed the title Amplify init fails to resolve credential from profile using source_profile and credential_process (again) Amplify init fails to resolve credential from profile in $AWS_CONFIG_FILE despite AWS_SDK_LOAD_CONFIG=1 Nov 3, 2022
@lestephane lestephane changed the title Amplify init fails to resolve credential from profile in $AWS_CONFIG_FILE despite AWS_SDK_LOAD_CONFIG=1 Amplify init fails to resolve credential from profile in $AWS_CONFIG_FILE despite $AWS_SDK_LOAD_CONFIG=1 Nov 3, 2022

ykethan (Member) commented Nov 7, 2022

Hey @lestephane, thank you for reaching out. Usage of AWS_CONFIG_FILE or AWS to use a non-standard location is currently not supported. Marking this as a feature request to align with AWS CLI (https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html).
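
For reference, a simplified model of how the profiles in the reproduction steps chain together once the config file is actually read (an added example, not code from the AWS CLI, the AWS SDK or the Amplify CLI). The function names and the `external` label for a profile that carries no credential keys are assumptions of this sketch.

```javascript
// Added example. CONFIG is the profile file from the issue's reproduction
// steps (blank lines dropped); the account IDs are the issue's own placeholders.
const CONFIG = `
[profile scrubbed-primary]
region=eu-central-1
[profile scrubbed-primary-admin]
source_profile=scrubbed-primary
role_arn=arn:aws:iam::PRIMARYACCOUNTID:role/scrubbed-primary-admin-role
mfa_serial=arn:aws:iam::PRIMARYACCOUNTID:mfa/scrubbed.primary.apiuser
[profile scrubbed-sandbox-admin]
source_profile = scrubbed-primary-admin
role_arn = arn:aws:iam::SANDBOXACCOUNTID:role/OrganizationAccountAccessRole
[profile awsvault-scrubbed-sandbox-admin]
credential_process = aws-vault exec -j  scrubbed-sandbox-admin
`;

// Parse "[profile name]" / "[default]" sections into { name: { key: value } }.
function parseProfiles(text) {
  const profiles = {};
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    const section = /^\[(?:profile\s+)?([^\]]+)\]$/.exec(line);
    if (section) { current = profiles[section[1].trim()] = {}; continue; }
    const eq = line.indexOf('=');
    if (current && eq > 0 && !/^[#;]/.test(line))
      current[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return profiles;
}

// Follow role_arn/source_profile hops until a profile that yields credentials itself.
function describeChain(profiles, name) {
  const steps = [];
  const seen = new Set();
  while (name) {
    if (seen.has(name) || !profiles[name]) throw new Error(`cannot resolve profile ${name}`);
    seen.add(name);
    const p = profiles[name];
    const via = p.role_arn ? 'assume_role' : p.credential_process ? 'credential_process' : 'external';
    steps.push({ profile: name, via, mfa: Boolean(p.mfa_serial) });
    name = p.role_arn ? p.source_profile : undefined;
  }
  return steps;
}

const profiles = parseProfiles(CONFIG);
console.log(describeChain(profiles, 'awsvault-scrubbed-sandbox-admin'));
console.log(describeChain(profiles, 'scrubbed-sandbox-admin'));
```

The profile selected by AWS_PROFILE resolves in a single `credential_process` step, so everything the tool needs is in the config file; the two role hops and the MFA prompt happen inside aws-vault.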
