aws amplify cannot run npx ampx sandbox

[movingelectrons]

Environment information

jeromes@gamingrig:~/Projects/amplify-vite-react-template$ aws configure sso
SSO session name [jeromes]:
The only AWS account available to you is: 225476886059
Using the account ID 225476886059
The only role available to you is: amplify-policy
Using the role name "amplify-policy"
CLI default client Region [us-east-1]:
CLI default output format [None]:
CLI profile name [amplify-policy-225476886059]: default

To use this profile, specify the profile name using --profile, as shown:

aws s3 ls --profile default
jeromes@gamingrig:~/Projects/amplify-vite-react-template$ npx ampx sandbox

ampx sandbox

Starts sandbox, watch mode for Amplify backend deployments

Commands:
  ampx sandbox delete            Deletes sandbox environment
  ampx sandbox secret <command>  Manage sandbox secrets

Logs streaming
  --stream-function-logs  Whether to stream function execution logs. Defa
                          ult: false. Use --logs-filter in addition to th
                          is flag to stream specific function logs
                                                                [boolean]
  --logs-filter           Regex pattern to filter logs from only matched
                          functions. E.g. to stream logs for a function,
                          specify it's name, and to stream logs from all
                          functions starting with auth specify 'auth' Def
                          ault: Stream all logs                   [array]
  --logs-out-file         File to append the streaming logs. The file is
                          created if it does not exist. Default: stdout
                                                                 [string]

Options:
  --debug            Print debug logs to the console
                                               [boolean] [default: false]
  --help             Show help                                  [boolean]
  --dir-to-watch     Directory to watch for file changes. All subdirector
                     ies and files will be included. Defaults to the ampl
                     ify directory.                              [string]
  --exclude          An array of paths or glob patterns to ignore. Paths
                     can be relative or absolute and can either be files
                     or directories                               [array]
  --identifier       An optional identifier to distinguish between differ
                     ent sandboxes. Default is the name of the system use
                     r executing the process                     [string]
  --outputs-format   amplify_outputs file format
           [string] [choices: "mjs", "json", "json-mobile", "ts", "dart"]
  --outputs-version  Version of the configuration. Version 0 represents c
                     lassic amplify-cli config file amplify-configuration
                      and 1 represents newer config file amplify_outputs
                          [string] [choices: "0", "1.1"] [default: "1.1"]
  --outputs-out-dir  A path to directory where amplify_outputs is written
                     . If not provided defaults to current process workin
                     g directory.                                [string]
  --profile          An AWS profile name.                        [string]
  --once             Execute a single sandbox deployment without watching
                      for future file changes                   [boolean]

SSMCredentialsError: UnrecognizedClientException: The security token included in the request is invalid.
Resolution: Make sure your AWS credentials are set up correctly and have permissions to call SSM:GetParameter
Cause: The security token included in the request is invalid.
jeromes@gamingrig:~/Projects/amplify-vite-react-template$ cat ~/.ssh/id_rsa.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDYPMukd/L/Gk9+6nqC6W8qjiVNZGg62LW7xNymiX97XG3ZcKvgric000TgFt2Xn9Bd8nC6cgj6Ju2DIHa4jktxXcyz+C2J1wgvdEPOSXk2L4VQiPDNLG0/eGXiHFOnI8OOYaBVFNaHOEoRwUtGMP6Xay6nt9pJ3NFNkWPUqSgMrlD9C5O8FsuNx3bQNnK/Ep1C2s1mA61kcYnMaRrdmQuNyQPCS/dJ7pl54EL4ZiIAP5qA/yF2c6QaZrmg8rs5lxKP57jgZk3rR2S1Rmeu+s+Lmxi8l5aPMPRihN6gX9yAIWFUBixMMAZiZuSEYp/iYAtyVtIjsFYAFYBvBZEYSFQ9mLIMlDPjW8kkG8aHlsLj/MGNLzJzb0GqVsHAhbMf4V2RktoC1f0+S0h4uBjuoidLk9ohV9RRTI11Y9Buw5drUdQ04D1ofDsr9rYZ+bF5Rb7HW6zpb/7p+FsUl/htzonaridONOQx8TuccCKd3c2tu9gZenwh5ouCBCYwn5r88mU= jeromes@gamingrig
jeromes@gamingrig:~/Projects/amplify-vite-react-template$ cat ~/.aws/
cli/         config       credentials  sso/         
jeromes@gamingrig:~/Projects/amplify-vite-react-template$ cat ~/.aws/
cli/         config       credentials  sso/         
jeromes@gamingrig:~/Projects/amplify-vite-react-template$ cat ~/.aws/config 
[default]
region = us-east-1
sso_session = jeromes
sso_account_id = 225476886059
sso_role_name = amplify-policy
[sso-session amplify-admin]
sso_start_url = https://d-9067d3d0c0.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access
[sso-session jeromes]
sso_start_url = https://d-9067d3d0c0.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access
jeromes@gamingrig:~/Projects/amplify-vite-react-template$ nano ~/.aws/con
fig 
jeromes@gamingrig:~/Projects/amplify-vite-react-template$ npx ampx sandbox

ampx sandbox

Starts sandbox, watch mode for Amplify backend deployments

Commands:
  ampx sandbox delete            Deletes sandbox environment
  ampx sandbox secret <command>  Manage sandbox secrets

Logs streaming
  --stream-function-logs  Whether to stream function execution logs. Defa
                          ult: false. Use --logs-filter in addition to th
                          is flag to stream specific function logs
                                                                [boolean]
  --logs-filter           Regex pattern to filter logs from only matched
                          functions. E.g. to stream logs for a function,
                          specify it's name, and to stream logs from all
                          functions starting with auth specify 'auth' Def
                          ault: Stream all logs                   [array]
  --logs-out-file         File to append the streaming logs. The file is
                          created if it does not exist. Default: stdout
                                                                 [string]

Options:
  --debug            Print debug logs to the console
                                               [boolean] [default: false]
  --help             Show help                                  [boolean]
  --dir-to-watch     Directory to watch for file changes. All subdirector
                     ies and files will be included. Defaults to the ampl
                     ify directory.                              [string]
  --exclude          An array of paths or glob patterns to ignore. Paths
                     can be relative or absolute and can either be files
                     or directories                               [array]
  --identifier       An optional identifier to distinguish between differ
                     ent sandboxes. Default is the name of the system use
                     r executing the process                     [string]
  --outputs-format   amplify_outputs file format
           [string] [choices: "mjs", "json", "json-mobile", "ts", "dart"]
  --outputs-version  Version of the configuration. Version 0 represents c
                     lassic amplify-cli config file amplify-configuration
                      and 1 represents newer config file amplify_outputs
                          [string] [choices: "0", "1.1"] [default: "1.1"]
  --outputs-out-dir  A path to directory where amplify_outputs is written
                     . If not provided defaults to current process workin
                     g directory.                                [string]
  --profile          An AWS profile name.                        [string]
  --once             Execute a single sandbox deployment without watching
                      for future file changes                   [boolean]

SSMCredentialsError: UnrecognizedClientException: The security token included in the request is invalid.
Resolution: Make sure your AWS credentials are set up correctly and have permissions to call SSM:GetParameter
Cause: The security token included in the request is invalid.

Describe the bug

ive followed tutorial 5 times and always get this error what the heck is going on
?

Reproduction steps

https://docs.amplify.aws/react/start/account-setup/

[movingelectrons]

NEVERMIND CLOSE THIS ISSUE..... YOUR TUTORIAL IS EXTREEMLY CONFUSING HOWEVER

[ykethan]

Hey @movingelectrons, thank you for reaching out. Were you able to deploy the Amplify application?
Is there any particular information that was confusing in the quick start?

[jaypostle]

I'm getting the same error when running npx ampx sandbox --profile [my-selected-aws-profile] from the Full Stack tutorial.

How can I update the permissions to fix this?

[ykethan]

@jaypostle could you run aws sso login and rerun the sandbox command do you still observe the same error?

[ykethan]

@EmihleM2 could you open a new issue as the error appears to be related to a Lambda function defined in the project.

[jaypostle]

Found a solution. Had to create an IAM access key combo, add that to my aws credentials folder, and then use that profile in the step. The tutorial didn't include prep for that step or it assumed that you didn't already have a default set of credentials for another account set up.

[ykethan]

@jaypostle thank you for the information, created a issue on the docs repository to update the guide: aws-amplify/docs#7993

Closing the issue, do reach out if you are still experiencing this issue.

[Reklino]

Found a solution. Had to create an IAM access key combo, add that to my aws credentials folder, and then use that profile in the step. The tutorial didn't include prep for that step or it assumed that you didn't already have a default set of credentials for another account set up.

@jaypostle I'm struggling with this one.

Also coming from gen 1. First time booting up a gen 2.

Getting error:

SSMCredentialsError: AccessDeniedException: User: arn:aws:iam::962870860415:user/m1-reddit-mac is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-1:962870860415:parameter/cdk-bootstrap/hnb659fds/version because no identity-based policy allows the ssm:GetParameter action

I'm fairly new to managing permissions and credentials in AWS. Any more details you could share?

[AndaHendriksen]

Found a solution. Had to create an IAM access key combo, add that to my aws credentials folder, and then use that profile in the step. The tutorial didn't include prep for that step or it assumed that you didn't already have a default set of credentials for another account set up.

I'm also stuck with this one. And running "aws sso login" as @ykethan suggested didn't work.

Error:
SSMCredentialsError: UnrecognizedClientException: The security token included in the request is invalid. Resolution: Make sure your AWS credentials are set up correctly and have permissions to call SSM:GetParameter Cause: The security token included in the request is invalid.

[Lilikh]

Cannot run npx ampx sandbox, I've checked everything but not works facing with this error ===> could not determine executable to run
I also did "aws sso login" and try to reinstall and install, I did every way, but not works

[ykethan]

hey @AndaHendriksen, if the sso login did not mitigate the issue, I would suggest checking the local create AWS profile present. If you already have a profile named default, i would suggest naming the new profile to a different name.

@Lilikh could not determine executable to run appears to be different issue from the posted issue here. But to mitigate the issue i would suggest removing the local package-lock.json and the node_modules folder then re-installing the dependencies