Open bencaldwell opened 1 month ago
Can you help us check:
- After you run `aws sso login --profile my-profile` with authentication, run `aws --profile my-profile sts get-caller-identity`, would you see correct identity?
- Can you run `cdk -vv bootstrap aws://my-account/my-region --profile my-profile` by enabling the verbose mode and show us the verbose logs?
- And, just out of curiosity, would this work for you?
$ AWS_PROFILE='my-profile' cdk bootstrap aws://my-account/my-region
Can you help us check:
- After you run `aws sso login --profile my-profile` with authentication, run `aws --profile my-profile sts get-caller-identity`, would you see correct identity?
Yes, this gives the correct identity.
- Can you run `cdk -vv bootstrap aws://my-account/my-region --profile my-profile` by enabling the verbose mode and show us the verbose logs?
Shown below.
- And, just out of curiosity, would this work for you?
$ AWS_PROFILE='my-profile' cdk bootstrap aws://my-account/my-region
No, this has the same result.
The verbose output:
cdk -vv bootstrap aws://<AWS_ACN_DEPLOY>/ap-southeast-2 --trust arn:aws:iam::<AWS_ACN_DEVOPS>:user/cicd --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess --profile my-profile
[12:46:51] CDK toolkit version: 2.142.1 (build ed4e152)
[12:46:51] Command line arguments: {
_: [ 'bootstrap' ],
v: 2,
verbose: 2,
trust: [ 'arn:aws:iam::<AWS_ACN_DEVOPS>:user/cicd' ],
'cloudformation-execution-policies': [ 'arn:aws:iam::aws:policy/AdministratorAccess' ],
cloudformationExecutionPolicies: [ 'arn:aws:iam::aws:policy/AdministratorAccess' ],
profile: 'my-profile',
lookups: true,
'ignore-errors': false,
ignoreErrors: false,
json: false,
j: false,
debug: false,
ec2creds: undefined,
i: undefined,
'version-reporting': undefined,
versionReporting: undefined,
'path-metadata': undefined,
pathMetadata: undefined,
'asset-metadata': undefined,
assetMetadata: undefined,
'role-arn': undefined,
r: undefined,
roleArn: undefined,
staging: true,
'no-color': false,
noColor: false,
ci: false,
'bootstrap-bucket-name': undefined,
b: undefined,
'toolkit-bucket-name': undefined,
toolkitBucketName: undefined,
bootstrapBucketName: undefined,
'bootstrap-kms-key-id': undefined,
bootstrapKmsKeyId: undefined,
'example-permissions-boundary': undefined,
epb: undefined,
examplePermissionsBoundary: undefined,
'custom-permissions-boundary': undefined,
cpb: undefined,
customPermissionsBoundary: undefined,
'bootstrap-customer-key': undefined,
bootstrapCustomerKey: undefined,
qualifier: undefined,
'public-access-block-configuration': undefined,
publicAccessBlockConfiguration: undefined,
tags: [],
t: [],
execute: true,
'trust-for-lookup': [],
trustForLookup: [],
force: false,
f: false,
'termination-protection': undefined,
terminationProtection: undefined,
'show-template': false,
showTemplate: false,
'previous-parameters': true,
previousParameters: true,
'$0': 'cdk',
ENVIRONMENTS: [ 'aws://<AWS_ACN_DEPLOY>/ap-southeast-2' ],
'E-n-v-i-r-o-n-m-e-n-t-s': [ 'aws://<AWS_ACN_DEPLOY>/ap-southeast-2' ]
}
[12:46:51] cdk.json: {
"app": "npx ts-node --prefer-ts-exts bin/technology-radar.ts",
"watch": {
"include": [
"**"
],
"exclude": [
"README.md",
"cdk*.json",
"**/*.d.ts",
"**/*.js",
"tsconfig.json",
"package*.json",
"yarn.lock",
"node_modules",
"test"
]
},
"context": {
"@aws-cdk/aws-lambda:recognizeLayerVersion": true,
"@aws-cdk/core:checkSecretUsage": true,
"@aws-cdk/core:target-partitions": [
"aws",
"aws-cn"
],
"@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
"@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
"@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
"@aws-cdk/aws-iam:minimizePolicies": true,
"@aws-cdk/core:validateSnapshotRemovalPolicy": true,
"@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
"@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
"@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
"@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
"@aws-cdk/core:enablePartitionLiterals": true,
"@aws-cdk/aws-events:eventsTargetQueueSameAccount": true,
"@aws-cdk/aws-iam:standardizedServicePrincipals": true,
"@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true,
"@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true,
"@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
"@aws-cdk/aws-route53-patters:useCertificate": true,
"@aws-cdk/customresources:installLatestAwsSdkDefault": false,
"@aws-cdk/aws-rds:databaseProxyUniqueResourceName": true,
"@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": true,
"@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": true,
"@aws-cdk/aws-ec2:launchTemplateDefaultUserData": true,
"@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true,
"@aws-cdk/aws-redshift:columnId": true,
"@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true,
"@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": true,
"@aws-cdk/aws-apigateway:requestValidatorUniqueId": true,
"@aws-cdk/aws-kms:aliasNameRef": true,
"@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": true,
"@aws-cdk/core:includePrefixInUniqueNameGeneration": true,
"@aws-cdk/aws-efs:denyAnonymousAccess": true,
"@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": true,
"@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": true,
"@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": true,
"@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": true,
"@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": true,
"@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": true,
"@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": true,
"@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": true,
"@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": true,
"@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": true,
"@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": true,
"@aws-cdk/aws-eks:nodegroupNameAttribute": true,
"@aws-cdk/aws-ec2:ebsDefaultGp3Volume": true
}
}
[12:46:51] merged settings: {
versionReporting: true,
assetMetadata: true,
pathMetadata: true,
output: 'cdk.out',
app: 'npx ts-node --prefer-ts-exts bin/technology-radar.ts',
watch: {
include: [ '**' ],
exclude: [
'README.md',
'cdk*.json',
'**/*.d.ts',
'**/*.js',
'tsconfig.json',
'package*.json',
'yarn.lock',
'node_modules',
'test'
]
},
context: {
'@aws-cdk/aws-lambda:recognizeLayerVersion': true,
'@aws-cdk/core:checkSecretUsage': true,
'@aws-cdk/core:target-partitions': [ 'aws', 'aws-cn' ],
'@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver': true,
'@aws-cdk/aws-ec2:uniqueImdsv2TemplateName': true,
'@aws-cdk/aws-ecs:arnFormatIncludesClusterName': true,
'@aws-cdk/aws-iam:minimizePolicies': true,
'@aws-cdk/core:validateSnapshotRemovalPolicy': true,
'@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName': true,
'@aws-cdk/aws-s3:createDefaultLoggingPolicy': true,
'@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption': true,
'@aws-cdk/aws-apigateway:disableCloudWatchRole': true,
'@aws-cdk/core:enablePartitionLiterals': true,
'@aws-cdk/aws-events:eventsTargetQueueSameAccount': true,
'@aws-cdk/aws-iam:standardizedServicePrincipals': true,
'@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker': true,
'@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName': true,
'@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy': true,
'@aws-cdk/aws-route53-patters:useCertificate': true,
'@aws-cdk/customresources:installLatestAwsSdkDefault': false,
'@aws-cdk/aws-rds:databaseProxyUniqueResourceName': true,
'@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup': true,
'@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId': true,
'@aws-cdk/aws-ec2:launchTemplateDefaultUserData': true,
'@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments': true,
'@aws-cdk/aws-redshift:columnId': true,
'@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2': true,
'@aws-cdk/aws-ec2:restrictDefaultSecurityGroup': true,
'@aws-cdk/aws-apigateway:requestValidatorUniqueId': true,
'@aws-cdk/aws-kms:aliasNameRef': true,
'@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig': true,
'@aws-cdk/core:includePrefixInUniqueNameGeneration': true,
'@aws-cdk/aws-efs:denyAnonymousAccess': true,
'@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby': true,
'@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion': true,
'@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId': true,
'@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters': true,
'@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier': true,
'@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials': true,
'@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource': true,
'@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction': true,
'@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse': true,
'@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2': true,
'@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope': true,
'@aws-cdk/aws-eks:nodegroupNameAttribute': true,
'@aws-cdk/aws-ec2:ebsDefaultGp3Volume': true
},
debug: false,
profile: 'my-profile',
toolkitBucket: {},
staging: true,
bundlingStacks: [],
lookups: true
}
[12:46:51] Reading cached notices from /home/user/.cdk/cache/notices.json
[12:46:51] Toolkit stack: CDKToolkit
[12:46:51] Setting "CDK_DEFAULT_REGION" environment variable to ap-southeast-2
[12:46:51] Resolving default credentials
[12:46:51] Unable to determine the default AWS account (ProcessCredentialsProviderFailure): Profile my-profile did not include credential process
[12:46:51] context: {
'@aws-cdk/aws-lambda:recognizeLayerVersion': true,
'@aws-cdk/core:checkSecretUsage': true,
'@aws-cdk/core:target-partitions': [ 'aws', 'aws-cn' ],
'@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver': true,
'@aws-cdk/aws-ec2:uniqueImdsv2TemplateName': true,
'@aws-cdk/aws-ecs:arnFormatIncludesClusterName': true,
'@aws-cdk/aws-iam:minimizePolicies': true,
'@aws-cdk/core:validateSnapshotRemovalPolicy': true,
'@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName': true,
'@aws-cdk/aws-s3:createDefaultLoggingPolicy': true,
'@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption': true,
'@aws-cdk/aws-apigateway:disableCloudWatchRole': true,
'@aws-cdk/core:enablePartitionLiterals': true,
'@aws-cdk/aws-events:eventsTargetQueueSameAccount': true,
'@aws-cdk/aws-iam:standardizedServicePrincipals': true,
'@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker': true,
'@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName': true,
'@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy': true,
'@aws-cdk/aws-route53-patters:useCertificate': true,
'@aws-cdk/customresources:installLatestAwsSdkDefault': false,
'@aws-cdk/aws-rds:databaseProxyUniqueResourceName': true,
'@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup': true,
'@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId': true,
'@aws-cdk/aws-ec2:launchTemplateDefaultUserData': true,
'@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments': true,
'@aws-cdk/aws-redshift:columnId': true,
'@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2': true,
'@aws-cdk/aws-ec2:restrictDefaultSecurityGroup': true,
'@aws-cdk/aws-apigateway:requestValidatorUniqueId': true,
'@aws-cdk/aws-kms:aliasNameRef': true,
'@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig': true,
'@aws-cdk/core:includePrefixInUniqueNameGeneration': true,
'@aws-cdk/aws-efs:denyAnonymousAccess': true,
'@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby': true,
'@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion': true,
'@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId': true,
'@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters': true,
'@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier': true,
'@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials': true,
'@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource': true,
'@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction': true,
'@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse': true,
'@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2': true,
'@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope': true,
'@aws-cdk/aws-eks:nodegroupNameAttribute': true,
'@aws-cdk/aws-ec2:ebsDefaultGp3Volume': true,
'aws:cdk:enable-path-metadata': true,
'aws:cdk:enable-asset-metadata': true,
'aws:cdk:version-reporting': true,
'aws:cdk:bundling-stacks': []
}
[12:46:51] outdir: cdk.out
[12:46:51] env: {
CDK_DEFAULT_REGION: 'ap-southeast-2',
CDK_OUTDIR: 'cdk.out',
CDK_CLI_ASM_VERSION: '36.0.0',
CDK_CLI_VERSION: '2.142.1'
}
⏳ Bootstrapping environment aws://<AWS_ACN_DEPLOY>/ap-southeast-2...
❌ Environment aws://<AWS_ACN_DEPLOY>/ap-southeast-2 failed bootstrapping: Error: Need to perform AWS calls for account <AWS_ACN_DEPLOY>, but no credentials have been configured
at SdkProvider.forEnvironment (/home/user/.nvm/versions/node/v20.12.0/lib/node_modules/aws-cdk/lib/index.js:401:659686)
at async _BootstrapStack.lookup (/home/user/.nvm/versions/node/v20.12.0/lib/node_modules/aws-cdk/lib/index.js:440:20871)
at async Bootstrapper.modernBootstrap (/home/user/.nvm/versions/node/v20.12.0/lib/node_modules/aws-cdk/lib/index.js:441:1084)
at async /home/user/.nvm/versions/node/v20.12.0/lib/node_modules/aws-cdk/lib/index.js:445:2329
at async Promise.all (index 0)
at async CdkToolkit.bootstrap (/home/user/.nvm/versions/node/v20.12.0/lib/node_modules/aws-cdk/lib/index.js:445:2174)
at async exec4 (/home/user/.nvm/versions/node/v20.12.0/lib/node_modules/aws-cdk/lib/index.js:498:54331)
[12:46:54] Reading cached notices from /home/user/.cdk/cache/notices.json
Need to perform AWS calls for account <AWS_ACN_DEPLOY>, but no credentials have been configured
[12:46:54] Error: Need to perform AWS calls for account <AWS_ACN_DEPLOY>, but no credentials have been configured
at SdkProvider.forEnvironment (/home/user/.nvm/versions/node/v20.12.0/lib/node_modules/aws-cdk/lib/index.js:401:659686)
at async _BootstrapStack.lookup (/home/user/.nvm/versions/node/v20.12.0/lib/node_modules/aws-cdk/lib/index.js:440:20871)
at async Bootstrapper.modernBootstrap (/home/user/.nvm/versions/node/v20.12.0/lib/node_modules/aws-cdk/lib/index.js:441:1084)
at async /home/user/.nvm/versions/node/v20.12.0/lib/node_modules/aws-cdk/lib/index.js:445:2329
at async Promise.all (index 0)
at async CdkToolkit.bootstrap (/home/user/.nvm/versions/node/v20.12.0/lib/node_modules/aws-cdk/lib/index.js:445:2174)
at async exec4 (/home/user/.nvm/versions/node/v20.12.0/lib/node_modules/aws-cdk/lib/index.js:498:54331)
Possibly related, possibly not: if you have a `[profile default]` entry in `.aws/config`, even the workaround @bencaldwell lists won't work. Almost exactly the same stacktrace. Just a line or two further down. Deleting the profile fixes it.
Describe the bug
The cdk cli is not working with my sso profile.
If I export my profile to envars it works. So that seems like there is nothing wrong with the account and something wrong with the way cdk reads the sso profile.
I log in using `aws sso login --profile my-profile`. When I run `cdk bootstrap aws://<my-account>/<my-region> --profile my-profile` there is an error `Need to perform AWS calls for account 413304634307, but no credentials have been configured`
Expected Behavior
I expect to be able to run:
aws sso login --profile my-profile
cdk bootstrap aws://my-account/my-region --profile my-profile
Current Behavior
Current behaviour is that this throws an error "Need to perform AWS calls for account 413304634307, but no credentials have been configured"
However, if I add a step to export to envars it does work.
This works:
aws sso login --profile my-profile
$(aws configure export-credentials --profile my-profile --format env)
cdk bootstrap aws://my-account/my-region --profile my-profile
Reproduction Steps
Run this and see the error because sso profile doesn't work:
aws sso login --profile my-profile
cdk bootstrap aws://my-account/my-region --profile my-profile
Run this and it works because it has the envars it wants:
aws sso login --profile my-profile
$(aws configure export-credentials --profile my-profile --format env)
cdk bootstrap aws://my-account/my-region --profile my-profile
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.142.1 (build ed4e152)
Framework Version
No response
Node.js Version
v20.12.0
OS
WSL Ubuntu 22.04.4 LTS
Language
TypeScript
Language Version
No response
Other information
No response
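
The export-to-environment workaround from the issue, wrapped so the temporary credentials exist only for the one command and never stay in the interactive shell. This is an added example, not part of the original post or of the CDK project; `run_with_sso_creds` is a hypothetical helper name, and the `export NAME=value` output shape of `aws configure export-credentials --format env` is an assumption.

```shell
#!/bin/sh
# Added example, not from the issue: run one command with the temporary
# credentials of an SSO profile without leaving them in the calling shell.
# Assumption: `aws configure export-credentials --format env` prints lines of
# the form `export AWS_...=value` (the form the workaround above evaluates).

run_with_sso_creds() (
  # The function body is a subshell, so every variable set here dies with it.
  profile=$1
  shift

  if ! creds=$(aws configure export-credentials --profile "$profile" --format env); then
    echo "no credentials for '$profile'; try: aws sso login --profile $profile" >&2
    exit 1
  fi

  # Drop anything inherited from the caller so stale keys cannot be mixed in.
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_CREDENTIAL_EXPIRATION

  # Evaluate only the four expected variables with plain token values, so
  # unexpected output from the command is never executed by eval.
  allowed='^export AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY|SESSION_TOKEN|CREDENTIAL_EXPIRATION)=[A-Za-z0-9+/=:._-]+$'
  safe=$(printf '%s\n' "$creds" | grep -E "$allowed" || true)
  eval "$safe"

  if [ -z "${AWS_ACCESS_KEY_ID:-}" ] || [ -z "${AWS_SECRET_ACCESS_KEY:-}" ]; then
    echo "export-credentials returned no usable key pair for '$profile'" >&2
    exit 1
  fi

  # Run the requested command; its exit status becomes the function's status.
  "$@"
)

# Usage (the command from the issue):
#   run_with_sso_creds my-profile cdk bootstrap aws://my-account/my-region --profile my-profile
```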