Description
How did you install the Amplify CLI?
npm
If applicable, what version of Node.js are you using?
v20.19.4
Amplify CLI Version
14.1.2, 14.2.2
What operating system are you using?
macOS Tahoe 26.1
Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.
No manual changes made
Describe the bug
When I run amplify push in env sandbox, the command fails at the very end with a ServiceCallFault in the auth category, and Amplify leaves my API resource (squad) stuck in Update:
amplify status
Current Environment: sandbox
Category  Resource name  Operation  Provider plugin
Api       squad          Update     awscloudformation
Auth      squadcce5b2fc  No Change  awscloudformation
Storage   s351dcc477     No Change  awscloudformation
From running amplify push --debug, we notably have the following (the rest of the bug report is attached in the amplify debug file):
ServiceCallFault
at getAppClientSecret (.../get-app-client-secret-sdk.js:19:15)
at updateAppClientWithGeneratedSecret (.../generate-cognito-app-client-secret.js:18:41)
at Object.run (.../amplify-provider-awscloudformation/lib/push-resources.js:274:5)
...
AggregateError [ETIMEDOUT]
Session Identifier: 6c01ab5a-8e14-4f4c-9bcf-da093385c72b
The Amplify env sandbox is configured to use the sandbox AWS profile in amplify/.config/local-aws-info.json.
Auth config (squadcce5b2fc) in amplify/backend/auth/squadcce5b2fc/cli-inputs.json explicitly has:
"userpoolClientGenerateSecret": false
The build parameters and current-cloud-backend parameters for auth also have:
"userpoolClientGenerateSecret": false
so CloudFormation should not be generating a client secret.
amplify/backend/amplify-meta.json for auth points at:
"UserPoolId": [redacted]
Using the same profile (--profile sandbox) and that user pool ID via AWS CLI:
aws cognito-idp list-user-pool-clients \
  --user-pool-id [redacted] \
  --region us-west-1 \
  --profile sandbox
returns two clients:
squadcce5b2fc_app_client → ClientId [redacted]
squadcce5b2fc_app_clientWeb → ClientId 1[redacted]
Describing both clients works fine:
aws cognito-idp describe-user-pool-client \
  --user-pool-id [redacted] \
  --client-id [redacted] \
  --region us-west-1 \
  --profile sandbox
and similarly for [redacted]
Both return immediately with valid JSON, no timeout, and there is no ClientSecret field on these clients. They are public clients without secrets.
General connectivity (with --profile sandbox) is fine:
aws cognito-idp list-user-pools in us-west-1 works.
aws sts get-caller-identity works.
So from the AWS side:
Cognito is reachable.
The user pool/app clients are correctly configured and healthy.
No secrets exist, and my Amplify config is set to not generate a secret.
What happens on amplify push and what I need help with
On amplify push --debug:
Backend env sandbox is pulled.
GraphQL schema for API squad compiles successfully.
CloudFormation deploys API/Auth/Storage and reaches UPDATE_COMPLETE in the console.
During the post-deploy phase, the Amplify CLI still runs generate-cognito-app-client-secret → getAppClientSecret in the auth category, and that call times out with AggregateError [ETIMEDOUT] (Session Identifier above).
Because of this, the overall push fails, and amplify status continues to show Api squad Update even though the underlying stacks are updated.
Given:
userpoolClientGenerateSecret is false in all relevant Amplify config/parameter files (local and #current-cloud-backend).
The Cognito clients for this pool are public and have no secrets.
The equivalent Cognito operations via AWS CLI succeed with the same profile.
The error stack in amplify push clearly comes from the auth plugin’s getAppClientSecret logic, but the visible stuck resource in amplify status is the API (squad).
I suspect this is either:
A bug in the Amplify CLI (v14.2.2) where getAppClientSecret is still being invoked for this project/env even though secrets are disabled, or
A problem in the Node HTTP layer used by the CLI for this specific call, even though the same operations work from aws CLI.
What I’m requesting:
Confirmation whether this is a known issue with amplify push and getAppClientSecret in CLI 14.2.2.
Help and guidance on the recommended CLI version to upgrade/downgrade to, or a specific configuration/migration step to stop Amplify from trying to run generate-cognito-app-client-secret for this environment, so that amplify push can complete and the API resource (squad) can move from Update to No Change. Most importantly, urgent help fixing this bug once and for all so that I can keep on building.
amplify diagnose file: report-1763637123121.zip
amplify diagnose cli output: amplify-diagnose.json
Expected behavior
If no client secret is configured (userpoolClientGenerateSecret=false and no ClientSecret in Cognito), Amplify should not attempt to call getAppClientSecret at all during amplify push. In that case:
The push should complete successfully if CloudFormation succeeds.
amplify status should show Api squad No Change after a successful deployment.
I should be able to iteratively change schema.graphql and push those changes without having to fight the tool.
If there is a genuine problem talking to Cognito during a post-deploy step:
Either the CLI should fail before applying CloudFormation, or
At minimum, it should not leave the project in a state where:
the API is marked as Update forever, and
the only way to clear that state (via amplify pull --restore) is to overwrite local changes I just made.
In short, the expectation is:
amplify push either:
succeeds cleanly, after which amplify status shows everything as No Change, and my local schema.graphql is in sync with the cloud, or
fails early and clearly before any partial deployment, so I don’t end up with a mismatch where the cloud and local state disagree and my API is permanently stuck in Update.
Right now, because of the getAppClientSecret timeout and the way the CLI reacts to it, any meaningful API evolution (schema changes) in this sandbox env is risky: I can’t rely on amplify push to complete, and using amplify pull to recover destroys the changes I was trying to push. This is the core blocking impact of the bug on my development workflow.
Reproduction steps
Preconditions
You have access to my Amplify app:
AppId: [redacted]
Env: sandbox
Region: us-west-1
The Amplify CLI version is 14.2.2.
The sandbox AWS profile is configured to the same account as the Amplify app.
Steps to reproduce
Clone and install the project
git clone
cd Squad
npm install # or yarn install
Configure AWS profile used by Amplify
Make sure the AWS CLI has a profile named sandbox that points to the same account as the Amplify app:
aws sts get-caller-identity --profile sandbox
(This should return the same account ID that owns Amplify AppId d2c62qd4f8bhum.)
Pull the backend for env sandbox
From the project root:
amplify pull \
  --appId d2c62qd4f8bhum \
  --envName sandbox
Confirm when prompted that this is an existing environment. After this, amplify status should show:
Api squad Update (or No Change, depending on last state)
Auth [redacted] No Change
Storage [redacted] No Change
(Optional but typical) Make a small API schema change
Edit amplify/backend/api/squad/schema.graphql and add a trivial, valid change, e.g. a new field on an existing type, so that:
amplify status
shows:
Api squad Update
Run amplify push with debug logging
amplify push --debug
Observe behavior
During the push, you should see:
The GraphQL schema compiles successfully.
Backend env sandbox is pulled successfully.
CloudFormation deployments for API/Auth/Storage complete.
Then, at the post-deploy phase, the command fails with:
ServiceCallFault
at getAppClientSecret (.../get-app-client-secret-sdk.js:19:15)
at updateAppClientWithGeneratedSecret (.../generate-cognito-app-client-secret.js:18:41)
...
AggregateError [ETIMEDOUT]
Session Identifier: 6c01ab5a-8e14-4f4c-9bcf-da093385c72b
Check Amplify status after the failure
amplify status
Output:
Category  Resource name  Operation
Api       squad          Update
Auth      squadcce5b2fc  No Change
Storage   s351dcc477     No Change
So even though CloudFormation has applied updates, the API remains stuck in Update in Amplify, and any attempt to “fix” this with amplify pull will overwrite the local API changes that were just attempted.
Project Identifier
Project Identifier: 4b51b5cd8f19849ec201155f725ae5c2
Log output
# Put your logs below this line
(base) sheldonotieno@MacBookPro Squad % amplify push --debug
[WARNING] @aws-cdk/aws-apigatewayv2-alpha.WebSocketApiKeySelectionExpression is deprecated.
This API will be removed in the next major release.
[WARNING] @aws-cdk/aws-apigatewayv2-alpha.WebSocketApiKeySelectionExpression is deprecated.
This API will be removed in the next major release.
[WARNING] @aws-cdk/aws-apigatewayv2-alpha.MappingValue is deprecated.
This API will be removed in the next major release.
Not pulling components because this project is not configured with the "react" framework.
⠸ Fetching updates to backend environment: sandbox from the clou
⠦ Fetching updates to backend environment: sandbox from the cloud.✅ GraphQL schema compiled successfully.
Edit your schema at /Users/sheldonotieno/SquadMApps/squad_backend/sandbox/squad-backend-sandbox/vendor/frontend-sandbox/Squad/amplify/backend/api/squad/schema.graphql or place .graphql files in a directory at /Users/sheldonotieno/SquadMApps/squad_backend/sandbox/squad-backend-sandbox/vendor/frontend-sandbox/Squad/ampli
✔ Successfully pulled backend environment sandbox from the cloud.
⠇ Building resource api/squad✅ GraphQL schema compiled successfully.
Edit your schema at /Users/sheldonotieno/SquadMApps/squad_backend/sandbox/squad-backend-sandbox/vendor/frontend-sandbox/Squad/amplify/backend/api/squad/schema.graphql or place .graphql files in a directory at /Users/sheldonotieno/SquadMApps/squad_backend/sandbox/squad-backend-sandbox/vendor/frontend-sandbox/Squad/amplify/backend/api/squad/schema
Current Environment: sandbox
┌──────────┬───────────────┬───────────┬───────────────────┐
│ Category │ Resource name │ Operation │ Provider plugin │
├──────────┼───────────────┼───────────┼───────────────────┤
│ Api │ squad │ Update │ awscloudformation │
├──────────┼───────────────┼───────────┼───────────────────┤
│ Auth │ squadcce5b2fc │ No Change │ awscloudformation │
├──────────┼───────────────┼───────────┼───────────────────┤
│ Storage │ s351dcc477 │ No Change │ awscloudformation │
└──────────┴───────────────┴───────────┴───────────────────┘
✔ Are you sure you want to continue? (Y/n) · yes
✅ GraphQL schema compiled successfully.
Edit your schema at /Users/[redacted]/SquadMApps/squad_backend/sandbox/squad-backend-sandbox/vendor/frontend-sandbox/Squad/amplify/backend/api/squad/schema.graphql or place .graphql files in a directory at /Users/sheldonotieno/SquadMApps/squad_backend/sandbox/squad-backend-sandbox/vendor/frontend-sandbox/Squad/amplify/backend/api/squad/schema
⠧ Building resource api/squad✅ GraphQL schema compiled successfully.
Edit your schema at /Users/[redacted]/SquadMApps/squad_backend/sandbox/squad-backend-sandbox/vendor/frontend-sandbox/Squad/amplify/backend/api/squad/schema.graphql or place .graphql files in a directory at /Users/sheldonotieno/SquadMApps/squad_backend/sandbox/squad-backend-sandbox/vendor/frontend-sandbox/Squad/amplify/backend/api/squad/schema
⠇ Uploading files.@smithy/node-http-handler:WARN - socket usage at capacity=50 and 2931 additional requests are enqueued.
See https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/node-configuring-maxsockets.html
or increase socketAcquisitionWarningTimeout=(millis) in the NodeHttpHandler config.
.....
stack UPDATE_COMPLETE
SquadAddRequestAcceptActivity AWS::CloudFormation::Stack UPDATE_COMPLETE
ConnectionStack AWS::CloudFormation::Stack UPDATE_COMPLETE
CustomResourcesjson AWS::CloudFormation::Stack UPDATE_COMPLETE
✔ Generated GraphQL operations successfully and saved at src/graphql
✔ Code generated successfully and saved in file src/API.ts
🛑
Learn more at: https://docs.amplify.aws/cli/project/troubleshooting/
ServiceCallFault
at getAppClientSecret (/snapshot/amplify-cli/build/node_modules/@aws-amplify/amplify-category-auth/lib/provider-utils/awscloudformation/utils/get-app-client-secret-sdk.js:19:15)
at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
at async updateAppClientWithGeneratedSecret (/snapshot/amplify-cli/build/node_modules/@aws-amplify/amplify-category-auth/lib/provider-utils/awscloudformation/utils/generate-cognito-app-client-secret.js:18:41)
at async Object.run (/snapshot/amplify-cli/build/node_modules/@aws-amplify/amplify-provider-awscloudformation/lib/push-resources.js:274:5)
at async /snapshot/amplify-cli/build/node_modules/@aws-amplify/cli-internal/lib/extensions/amplify-helpers/push-resources.js:137:16
at async Promise.all (index 0)
at async providersPush (/snapshot/amplify-cli/build/node_modules/@aws-amplify/cli-internal/lib/extensions/amplify-helpers/push-resources.js:133:5)
at async AmplifyToolkit.pushResources (/snapshot/amplify-cli/build/node_modules/@aws-amplify/cli-internal/lib/extensions/amplify-helpers/push-resources.js:107:13)
at async Object.executeAmplifyCommand (/snapshot/amplify-cli/build/node_modules/@aws-amplify/cli-internal/lib/index.js:194:9)
at async executePluginModuleCommand (/snapshot/amplify-cli/build/node_modules/@aws-amplify/cli-internal/lib/execution-manager.js:139:5)
at async executeCommand (/snapshot/amplify-cli/build/node_modules/@aws-amplify/cli-internal/lib/execution-manager.js:37:9)
at async Object.run (/snapshot/amplify-cli/build/node_modules/@aws-amplify/cli-internal/lib/index.js:121:5)
AggregateError [ETIMEDOUT]:
at internalConnectMultiple (node:net:1128:18)
at internalConnectMultiple (node:net:1196:5)
at Timeout.internalConnectMultipleTimeout (node:net:1720:5)
at listOnTimeout (node:internal/timers:596:11)
at process.processTimers (node:internal/timers:529:7)
Session Identifier: 27383eec-2cfd-4543-9417-67f550d0d046
✅ Report saved: /var/folders/4m/4mp36zwx0ks_dlksjhw7pmx00000gn/T/Squad/report-1763642029909.zip
✔ Done
Additional information
No response
Before submitting, please confirm:
- I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
- I have removed any sensitive information from my code snippets and submission.
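
Added example, not part of the original report or of the Amplify CLI: a triage of amplify push --debug output like the log above, separating the CloudFormation result from the post-deploy failure and flagging a timeout at the TCP connect stage. The helper name triagePushLog, its verdict strings and the abridged sample log are assumptions made for this example.

```javascript
// Constructed sample: lines abridged from the debug log in this report.
const SAMPLE_LOG = [
  '⠇ Uploading files.@smithy/node-http-handler:WARN - socket usage at capacity=50 and 2931 additional requests are enqueued.',
  'ConnectionStack AWS::CloudFormation::Stack UPDATE_COMPLETE',
  'CustomResourcesjson AWS::CloudFormation::Stack UPDATE_COMPLETE',
  'ServiceCallFault',
  '    at getAppClientSecret (/snapshot/amplify-cli/build/node_modules/@aws-amplify/amplify-category-auth/lib/provider-utils/awscloudformation/utils/get-app-client-secret-sdk.js:19:15)',
  '    at process.processTicksAndRejections (node:internal/process/task_queues:105:5)',
  'AggregateError [ETIMEDOUT]:',
  '    at internalConnectMultiple (node:net:1128:18)',
].join('\n');

// Hypothetical helper (not an Amplify API): summarise where a push failed.
function triagePushLog(text) {
  const lines = text.split(/\r?\n/);

  // Nested-stack events: deployed only if every status seen is CREATE_COMPLETE
  // or UPDATE_COMPLETE; rollback and failure statuses do not qualify.
  const statuses = lines
    .map((l) => /AWS::CloudFormation::Stack\s+([A-Z_]+)\s*$/.exec(l))
    .filter(Boolean)
    .map((m) => m[1]);
  const deployed = statuses.length > 0 &&
    statuses.every((s) => /^(CREATE|UPDATE)_COMPLETE$/.test(s));

  // First stack frame after the fault that is not a node: internal frame.
  const faultAt = lines.findIndex((l) => /^\s*[A-Za-z]+(Fault|Error)\b/.test(l));
  let failingStep = null;
  for (const l of faultAt < 0 ? [] : lines.slice(faultAt + 1)) {
    const m = /^\s*at (?:async )?(\S+) \((?!node:)(.+?):\d+:\d+\)/.exec(l);
    if (m) { failingStep = { fn: m[1], file: m[2].split('/').pop() }; break; }
  }

  // node:net internalConnectMultiple + ETIMEDOUT: every TCP connect attempt
  // timed out, so no response from the service was ever received.
  const connectTimeout = /AggregateError \[ETIMEDOUT\]/.test(text) &&
    /internalConnectMultiple \(node:net/.test(text);

  // SDK warning that the HTTP socket pool was saturated earlier in the run.
  const w = /socket usage at capacity=(\d+) and (\d+) additional requests/.exec(text);
  const socketBacklog = w ? { capacity: +w[1], enqueued: +w[2] } : null;

  const verdict = faultAt < 0 ? 'no fault in log'
    : !deployed ? 'fault with stacks not confirmed complete'
    : connectTimeout ? 'stacks deployed; post-deploy step failed at TCP connect'
    : 'stacks deployed; post-deploy step failed';
  return { deployed, failingStep, connectTimeout, socketBacklog, verdict };
}

console.log(triagePushLog(SAMPLE_LOG));
```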