Open rittneje opened 2 years ago
Please run the command again with -v (cdk deploy -v) and paste the output.
The contents of ~/.aws/credentials and ~/.aws/config would also help.
cdk deploy -v
$AWS_CONFIG_FILE
[profile base]
credential_process = credential_process.sh
[default]
source_profile = base
role_arn = arn:aws:iam::REDACTED:role/REDACTED
role_session_name = REDACTED
The $AWS_SHARED_CREDENTIALS_FILE file does not exist.
Based on that, there are two mysterious things.
credential_process under default instead of base
./usr/local/lib/node_modules/aws-sdk folder so I don't know what those logs are referring to.
Unfortunately this is a bug we'll have to fix in AWS SDK JS v2.
@rix0rrr Any update on this? Was a bug filed against the JS SDK?
ping @rix0rrr
@rix0rrr
@rix0rrr @TheRealAmazonKendra When will this bug be fixed?
@rix0rrr in my case it happens when aws-sdk-v2 tries to use sso re-auth in the middle of some aws process.
Essentially botching the cache in ~/.aws/sso/cache/
Deleting the cache fixes the problem.
I think I have the same issue, setup without SSO.
$ cdk --version
2.92.0 (build bf62e55)
$ yarn info aws-sdk version
2.1437.0
No ~/.aws/credentials file; ~/.aws/config:
[profile AAAA]
credential_process=/opt/homebrew/bin/aws-vault exec --duration=15m --prompt=terminal -j AAAA
mfa_serial=arn:aws:iam::11..111:mfa/REDACTED
region=eu-west-2
[profile BBBB]
region=eu-west-2
role_arn=arn:aws:iam::22..222:role/REDACTED
source_profile=AAAA
cdk --profile BBBB bootstrap aws://22..222/eu-west-2 --debug
...
⏳ Bootstrapping environment aws://22..222/eu-west-2...
❌ Environment aws://22..222/eu-west-2 failed bootstrapping: Error: Need to perform AWS calls for account 22..222, but no credentials have been configured
...
CDK is not picking up the right profile, not asking for mfa. All good with aws cli.
Can confirm this issue still exists. I'm trying to avoid having credentials in clear-text and I'm using credential_process to achieve this together with 1password. It works with aws-cli, but not CDK.
Sample credentials-file with both hardcoded credentials and credential_process for testing:
[base]
region = eu-central-1
;aws_access_key_id = [redacted]
;aws_secret_access_key=[redacted]
credential_process = [redacted]
[subaccount]
region=eu-central-1
role_arn=arn:aws:iam::123456789123:role/OrganizationAccountAccessRole
source_profile=base
Note: Hardcoded credentials are not in use in above due to ;, but it makes it easy to switch between the two approaches during testing. Also note that the credential_process returns the exact same secret id and secret key as entered in the hardcoded section. In my use case I use 1password to store the credentials and the command in credential_process retrieves the credentials from the 1password vault. No config-file is used in this setup.
Testing of CLI with:
aws s3 ls --profile=subaccount
...yields the exact same result with either hardcoded credentials or with credential_process enabled. The result is a correct list of available buckets on the account. This is as expected.
Testing of CDK with:
npx cdk diff -v --profile=subaccount
...works as expected with hardcoded credentials. It returns a proper diff for the stack and is as expected. But with credential_process enabled it gives the following error:
Could not assume arn:aws:iam::123456789123:role/cdk-xxxxxxxxxx-lookup-role-123456789123-eu-central-1, proceeding anyway.
[10:38:33] Reading cached notices from C:\Users\name\.cdk\cache\notices.json
Need to perform AWS calls for account 123456789123, but no credentials have been configured
[10:38:33] Error: Need to perform AWS calls for account 123456789123, but no credentials have been configured
at SdkProvider.forEnvironment (C:\Users\name\Documents\GitHub\someproject\node_modules\aws-cdk\lib\index.js:407:659633)
at async Deployments.cachedSdkForEnvironment (C:\Users\name\Documents\GitHub\someproject\node_modules\aws-cdk\lib\index.js:449:12570)
at async Deployments.prepareSdkFor (C:\Users\name\Documents\GitHub\someproject\node_modules\aws-cdk\lib\index.js:449:8085)
at async Deployments.readCurrentTemplateWithNestedStacks (C:\Users\name\Documents\GitHub\someproject\node_modules\aws-cdk\lib\index.js:449:4307)
at async CdkToolkit.diff (C:\Users\name\Documents\GitHub\someproject\node_modules\aws-cdk\lib\index.js:449:194385)
at async exec4 (C:\Users\name\Documents\GitHub\someproject\node_modules\aws-cdk\lib\index.js:504:54331)
... it should return the exact same result in both scenarios...
A fix of the bug is preferred, but if this isn't happening then if anyone has a workaround I'll be happy to hear it (and likely others hitting the same issue in the future)...
System info used for the above tests: OS: Windows 11, (v10.0.22631) CDK_CLI: 2.152.0 (build faa7d79) AWS_CLI: 2.17.17 NodeJS: 20.16.0 / NPM: 10.8.1
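The profile layouts posted in this thread all chain a role profile to a base profile via source_profile, with credential_process on the base. As an added example (not part of the original thread, and not CDK or SDK code), this Node.js sketch follows that chain and reports which profile supplies the base credentials, which helps rule out a config mistake before blaming the tool. `parseIni` and `resolveChain` are hypothetical helpers implementing a simplified resolution, and the sample file is constructed.

```javascript
// Added example: trace which profile ultimately supplies credentials.
// parseIni/resolveChain are hypothetical helpers, not SDK or CDK functions.
// SAMPLE is constructed from the layout posted above; values are placeholders.
const SAMPLE = `
[base]
region = eu-central-1
;aws_access_key_id = PLACEHOLDER
credential_process = /path/to/helper

[subaccount]
region = eu-central-1
role_arn = arn:aws:iam::123456789123:role/OrganizationAccountAccessRole
source_profile = base
`;

// Accepts both "[profile X]" (config file) and "[X]" (credentials file) headers.
function parseIni(text) {
  const profiles = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith(';') || line.startsWith('#')) continue; // comments
    const section = line.match(/^\[(?:profile\s+)?([^\]]+)\]$/);
    if (section) { current = profiles[section[1].trim()] = {}; continue; }
    const eq = line.indexOf('=');
    if (current && eq > 0) current[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return profiles;
}

// Follows role_arn + source_profile links until a base credential source is found.
function resolveChain(profiles, name) {
  const chain = [];
  const seen = new Set();
  for (let cur = name; ; ) {
    if (seen.has(cur)) return { chain, source: 'error: source_profile loop' };
    seen.add(cur);
    const p = profiles[cur];
    if (!p) return { chain, source: `error: profile "${cur}" not found` };
    chain.push(cur);
    if (p.role_arn && p.source_profile) { cur = p.source_profile; continue; }
    if (p.credential_process) return { chain, source: 'credential_process' };
    if (p.aws_access_key_id && p.aws_secret_access_key) return { chain, source: 'static keys' };
    return { chain, source: `error: profile "${cur}" has no credential source` };
  }
}

console.log(resolveChain(parseIni(SAMPLE), 'subaccount'));
```
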
Since this functionality is provided by the underlying SDK that we use, we are bound by it.
We have plans to migrate CDK to AWS SDK v3. After that, we will re-evaluate this issue.
Describe the bug
We configured our profile like so:
The AWS CLI works perfectly fine with this setup. However, CDK throws a nonsense exception.
Expected Behavior
It should work without issue.
Current Behavior
See above.
Reproduction Steps
See above.
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.28.0 (build ba233f0)
Framework Version
No response
Node.js Version
v16.15.1
OS
Alpine 3.16
Language
Python
Language Version
3.10.5
Other information
No response