Open exussum12 opened 1 year ago
What error message are you receiving?
This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.
@peterwoodworth As it's running on Bitbucket, they appear to use EC2. The error message is around not being able to get permissions for the account (expected, as the EC2 would be theirs, not ours). Changing the env variables to match https://github.com/aws/aws-cdk/blob/2462b0b0155a5cf5382b1780e8a8cd40d1206a95/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts#L170 works, but this should be picked up before that point (specifically here https://github.com/aws/aws-cdk/blob/2462b0b0155a5cf5382b1780e8a8cd40d1206a95/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts#L52)
The specific error message would be helpful in knowing how / if I'm reproducing the same behavior
❌ Deployment failed: Error: Need to perform AWS calls for account xxxxxx, but no credentials have been configured
at SdkProvider.forEnvironment (/opt/atlassian/pipelines/agent/build/node_modules/aws-cdk/lib/index.js:325:46159)
at async Deployments.cachedSdkForEnvironment (/opt/atlassian/pipelines/agent/build/node_modules/aws-cdk/lib/index.js:415:12792)
at async Deployments.prepareSdkFor (/opt/atlassian/pipelines/agent/build/node_modules/aws-cdk/lib/index.js:415:7866)
at async Deployments.isSingleAssetPublished (/opt/atlassian/pipelines/agent/build/node_modules/aws-cdk/lib/index.js:415:11963)
at async /opt/atlassian/pipelines/agent/build/node_modules/aws-cdk/lib/index.js:415:139187
Need to perform AWS calls for account xxxxxx, but no credentials have been configured
With verbose
[00:28:07] Determining if we're on an EC2 instance.
[00:28:07] Looks like an EC2 instance.
[00:28:07] Toolkit stack: CDKToolkit
[00:28:07] Setting "CDK_DEFAULT_REGION" environment variable to ap-southeast-2
[00:28:07] Resolving default credentials
[00:28:07] Notices refreshed
[00:28:07] Failed to store notices in the cache: Error: ENOENT: no such file or directory, open '/root/.cdk/cache/notices.json'
[00:28:15] Unable to determine the default AWS account (TimeoutError): EC2 Metadata roleName request returned error
In both of those examples above, aws sts get-caller-identity returns as expected
The v3 looks like it supports it
That's the same page I linked 🙂
I spent several days fighting with the same issue 🤦♂️.
First of all, AWS_ROLE_ARN should be defined. But that's not all! AWS_REGION, it is the lack of AWS_REGION that was the main issue for me.
That's a working snippet:

```yaml
image: node:16.3.0

pipelines:
  branches:
    main:
      - step:
          name: Deployment
          oidc: true
          script:
            - export AWS_REGION=...
            - export AWS_ROLE_ARN=....
            - export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
            - echo $BITBUCKET_STEP_OIDC_TOKEN > $AWS_WEB_IDENTITY_TOKEN_FILE
            - aws sts get-caller-identity
            - npx run cdk deploy
```

You don't even need chmod and aws configure lines.
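A preflight check for the three variables discussed in this thread, as an added example that is not part of any comment here or of the CDK project. The function names `check_web_identity_env` and `write_oidc_token` are hypothetical; the check only assumes the OIDC token is a JWT (three dot-separated base64url segments) and never prints it.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical helper names.

# Write the token with owner-only permissions (0600) instead of the default umask.
# The file is removed first so stale permissions from an earlier run are not kept.
write_oidc_token() {
    ( umask 077; rm -f -- "$2"; printf '%s\n' "$1" > "$2" )
}

# Report every setting the web-identity credential path needs but cannot find.
# Prints one problem per line; returns 0 only when nothing is wrong.
check_web_identity_env() {
    problems=0
    for var in AWS_REGION AWS_ROLE_ARN AWS_WEB_IDENTITY_TOKEN_FILE; do
        eval "val=\${$var:-}"
        if [ -z "$val" ]; then
            echo "missing: $var"
            problems=$((problems + 1))
        fi
    done
    token_file=${AWS_WEB_IDENTITY_TOKEN_FILE:-}
    if [ -n "$token_file" ]; then
        if [ ! -s "$token_file" ]; then
            echo "token file empty or absent: $token_file"
            problems=$((problems + 1))
        elif ! grep -Eq '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$' "$token_file"; then
            # Shape check only: the token value itself is never echoed to the build log.
            echo "token file is not JWT-shaped: $token_file"
            problems=$((problems + 1))
        fi
    fi
    [ "$problems" -eq 0 ]
}

# Usage inside a pipeline step (variable values are the pipeline's own):
#   write_oidc_token "$BITBUCKET_STEP_OIDC_TOKEN" "$AWS_WEB_IDENTITY_TOKEN_FILE"
#   check_web_identity_env || exit 1
```

Running the check before the deploy command turns a missing `AWS_REGION` into an immediate, named failure rather than a fallback to the EC2 metadata lookup shown in the verbose log.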
Thank you @mpashkovskiy
Exporting AWS_REGION resolved my issue as well
Describe the bug
When using OIDC as the following
aws CLI commands work, for example aws sts get-caller-identity, but CDK does not correctly pick this up from the profile and needs to be manually set as env vars to be picked up
I would have expected the CLI behaviour to match CDK
Expected Behavior
when using oidc, aws-cli works, cdk should work in the same way
Current Behavior
cdk misses the credentials and carries on down the chain
Reproduction Steps
This can be reproduced on bitbucket (or any provider with OIDC installed)
bitbucket pipeline example oidc: true script:
Possible Solution
No response
Additional Information/Context
No response
SDK version used
2.85.0
Environment details (OS name and version, etc.)
Bitbucket