aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

(cli): CDK CLI not working with SSO #30303

Open bencaldwell opened 1 month ago

bencaldwell commented 1 month ago

Describe the bug

The CDK CLI is not working with my SSO profile.

If I export my profile to env vars it works, so it seems there is nothing wrong with the account and something wrong with the way cdk reads the SSO profile.

I log in using aws sso login --profile my-profile. When I run cdk bootstrap aws://<my-account>/<my-region> --profile my-profile there is an error: Need to perform AWS calls for account 413304634307, but no credentials have been configured

Expected Behavior

I expect to be able to run:

  1. aws sso login --profile my-profile
  2. cdk bootstrap aws://my-account/my-region --profile my-profile

Current Behavior

Current behaviour is that this throws an error "Need to perform AWS calls for account 413304634307, but no credentials have been configured"

However, if I add a step to export to env vars it does work.

This works:

  1. aws sso login --profile my-profile
  2. $(aws configure export-credentials --profile my-profile --format env)
  3. cdk bootstrap aws://my-account/my-region --profile my-profile

Reproduction Steps

Run this and see the error because the SSO profile doesn't work:

  1. aws sso login --profile my-profile
  2. cdk bootstrap aws://my-account/my-region --profile my-profile

Run this and it works because it has the env vars it wants:

  1. aws sso login --profile my-profile
  2. $(aws configure export-credentials --profile my-profile --format env)
  3. cdk bootstrap aws://my-account/my-region --profile my-profile

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.142.1 (build ed4e152)

Framework Version

No response

Node.js Version

v20.12.0

OS

WSL Ubuntu 22.04.4 LTS

Language

TypeScript

Language Version

No response

Other information

No response
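Added example, not code from the issue or from the CDK project: a small Python wrapper around the workaround described in the report. It asks the AWS CLI for the SSO profile's short-lived credentials with aws configure export-credentials --format process, refuses credentials that are about to expire, and passes them only to the cdk child process rather than exporting them into the interactive shell. The function names, the constructed SAMPLE_EXPORT document and SAMPLE_NOW are assumptions made for this example.

```python
"""Wrapper: run cdk with SSO-derived credentials scoped to the child process."""
import json
import os
import subprocess
import sys
from datetime import datetime, timezone

# Fields of the credential_process JSON schema -> env vars the SDK chain reads.
ENV_KEYS = {
    "AccessKeyId": "AWS_ACCESS_KEY_ID",
    "SecretAccessKey": "AWS_SECRET_ACCESS_KEY",
    "SessionToken": "AWS_SESSION_TOKEN",
}

# Constructed sample of `aws configure export-credentials --format process`
# output, used for offline testing; the values are not real credentials.
SAMPLE_EXPORT = json.dumps({
    "Version": 1,
    "AccessKeyId": "ASIACONSTRUCTEDEXAMPLE",
    "SecretAccessKey": "constructed-secret",
    "SessionToken": "constructed-session-token",
    "Expiration": "2024-05-24T12:00:00Z",
})
SAMPLE_NOW = datetime(2024, 5, 24, 11, 0, tzinfo=timezone.utc)

def creds_to_env(process_json: str, now=None, min_ttl_s: int = 300) -> dict:
    """Turn credential_process JSON into SDK env vars, rejecting credentials
    that expire within min_ttl_s so a long bootstrap does not die midway."""
    doc = json.loads(process_json)
    if doc.get("Version") != 1:
        raise ValueError(f"unexpected credential_process Version {doc.get('Version')!r}")
    missing = [k for k in ENV_KEYS if not doc.get(k)]
    if missing:
        raise ValueError(f"export-credentials output is missing {missing}")
    if doc.get("Expiration"):
        expires = datetime.fromisoformat(doc["Expiration"].replace("Z", "+00:00"))
        remaining = (expires - (now or datetime.now(timezone.utc))).total_seconds()
        if remaining < min_ttl_s:
            raise ValueError("credentials expire too soon; run `aws sso login` again")
    return {env: doc[key] for key, env in ENV_KEYS.items()}

def run_cdk(profile: str, cdk_args: list) -> int:
    """Export the profile's credentials and run cdk with them in its env only;
    the parent shell never sees the secret values."""
    out = subprocess.run(
        ["aws", "configure", "export-credentials", "--profile", profile,
         "--format", "process"], check=True, capture_output=True, text=True).stdout
    child_env = {**os.environ, **creds_to_env(out)}
    return subprocess.run(["cdk", *cdk_args], env=child_env).returncode

if __name__ == "__main__":  # usage: python cdk_sso.py my-profile bootstrap aws://...
    sys.exit(run_cdk(sys.argv[1], sys.argv[2:]))
```

Because the credentials live only in the child's environment, they disappear when cdk exits instead of lingering in the shell session and its history.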

pahud commented 1 month ago

Can you help us check:

  1. After you run aws sso login --profile my-profile with authentication, run aws --profile my-profile sts get-caller-identity, would you see the correct identity?

  2. Can you run cdk -vv bootstrap aws://my-account/my-region --profile my-profile by enabling the verbose mode and show us the verbose logs?

  3. And, just out of curiosity, would this work for you?

    $ AWS_PROFILE='my-profile' cdk bootstrap aws://my-account/my-region

bencaldwell commented 1 month ago

Can you help us check:

  1. After you run aws sso login --profile my-profile with authentication, run aws --profile my-profile sts get-caller-identity, would you see the correct identity?

Yes, this gives the correct identity.

  2. Can you run cdk -vv bootstrap aws://my-account/my-region --profile my-profile by enabling the verbose mode and show us the verbose logs?

Shown below.

  3. And, just out of curiosity, would this work for you?
     $ AWS_PROFILE='my-profile' cdk bootstrap aws://my-account/my-region

No, this has the same result.

The verbose output:

cdk -vv bootstrap aws://<AWS_ACN_DEPLOY>/ap-southeast-2 --trust arn:aws:iam::<AWS_ACN_DEVOPS>:user/cicd --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess --profile my-profile
[12:46:51] CDK toolkit version: 2.142.1 (build ed4e152)
[12:46:51] Command line arguments: {
  _: [ 'bootstrap' ],
  v: 2,
  verbose: 2,
  trust: [ 'arn:aws:iam::<AWS_ACN_DEVOPS>:user/cicd' ],
  'cloudformation-execution-policies': [ 'arn:aws:iam::aws:policy/AdministratorAccess' ],
  cloudformationExecutionPolicies: [ 'arn:aws:iam::aws:policy/AdministratorAccess' ],
  profile: 'my-profile',
  lookups: true,
  'ignore-errors': false,
  ignoreErrors: false,
  json: false,
  j: false,
  debug: false,
  ec2creds: undefined,
  i: undefined,
  'version-reporting': undefined,
  versionReporting: undefined,
  'path-metadata': undefined,
  pathMetadata: undefined,
  'asset-metadata': undefined,
  assetMetadata: undefined,
  'role-arn': undefined,
  r: undefined,
  roleArn: undefined,
  staging: true,
  'no-color': false,
  noColor: false,
  ci: false,
  'bootstrap-bucket-name': undefined,
  b: undefined,
  'toolkit-bucket-name': undefined,
  toolkitBucketName: undefined,
  bootstrapBucketName: undefined,
  'bootstrap-kms-key-id': undefined,
  bootstrapKmsKeyId: undefined,
  'example-permissions-boundary': undefined,
  epb: undefined,
  examplePermissionsBoundary: undefined,
  'custom-permissions-boundary': undefined,
  cpb: undefined,
  customPermissionsBoundary: undefined,
  'bootstrap-customer-key': undefined,
  bootstrapCustomerKey: undefined,
  qualifier: undefined,
  'public-access-block-configuration': undefined,
  publicAccessBlockConfiguration: undefined,
  tags: [],
  t: [],
  execute: true,
  'trust-for-lookup': [],
  trustForLookup: [],
  force: false,
  f: false,
  'termination-protection': undefined,
  terminationProtection: undefined,
  'show-template': false,
  showTemplate: false,
  'previous-parameters': true,
  previousParameters: true,
  '$0': 'cdk',
  ENVIRONMENTS: [ 'aws://<AWS_ACN_DEPLOY>/ap-southeast-2' ],
  'E-n-v-i-r-o-n-m-e-n-t-s': [ 'aws://<AWS_ACN_DEPLOY>/ap-southeast-2' ]
}
[12:46:51] cdk.json: {
  "app": "npx ts-node --prefer-ts-exts bin/technology-radar.ts",
  "watch": {
    "include": [
      "**"
    ],
    "exclude": [
      "README.md",
      "cdk*.json",
      "**/*.d.ts",
      "**/*.js",
      "tsconfig.json",
      "package*.json",
      "yarn.lock",
      "node_modules",
      "test"
    ]
  },
  "context": {
    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
    "@aws-cdk/core:checkSecretUsage": true,
    "@aws-cdk/core:target-partitions": [
      "aws",
      "aws-cn"
    ],
    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
    "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
    "@aws-cdk/aws-iam:minimizePolicies": true,
    "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
    "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
    "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
    "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
    "@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
    "@aws-cdk/core:enablePartitionLiterals": true,
    "@aws-cdk/aws-events:eventsTargetQueueSameAccount": true,
    "@aws-cdk/aws-iam:standardizedServicePrincipals": true,
    "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true,
    "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true,
    "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
    "@aws-cdk/aws-route53-patters:useCertificate": true,
    "@aws-cdk/customresources:installLatestAwsSdkDefault": false,
    "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": true,
    "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": true,
    "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": true,
    "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": true,
    "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true,
    "@aws-cdk/aws-redshift:columnId": true,
    "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true,
    "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": true,
    "@aws-cdk/aws-apigateway:requestValidatorUniqueId": true,
    "@aws-cdk/aws-kms:aliasNameRef": true,
    "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": true,
    "@aws-cdk/core:includePrefixInUniqueNameGeneration": true,
    "@aws-cdk/aws-efs:denyAnonymousAccess": true,
    "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": true,
    "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": true,
    "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": true,
    "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": true,
    "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": true,
    "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": true,
    "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": true,
    "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": true,
    "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": true,
    "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": true,
    "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": true,
    "@aws-cdk/aws-eks:nodegroupNameAttribute": true,
    "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": true
  }
}
[12:46:51] merged settings: {
  versionReporting: true,
  assetMetadata: true,
  pathMetadata: true,
  output: 'cdk.out',
  app: 'npx ts-node --prefer-ts-exts bin/technology-radar.ts',
  watch: {
    include: [ '**' ],
    exclude: [
      'README.md',
      'cdk*.json',
      '**/*.d.ts',
      '**/*.js',
      'tsconfig.json',
      'package*.json',
      'yarn.lock',
      'node_modules',
      'test'
    ]
  },
  context: {
    '@aws-cdk/aws-lambda:recognizeLayerVersion': true,
    '@aws-cdk/core:checkSecretUsage': true,
    '@aws-cdk/core:target-partitions': [ 'aws', 'aws-cn' ],
    '@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver': true,
    '@aws-cdk/aws-ec2:uniqueImdsv2TemplateName': true,
    '@aws-cdk/aws-ecs:arnFormatIncludesClusterName': true,
    '@aws-cdk/aws-iam:minimizePolicies': true,
    '@aws-cdk/core:validateSnapshotRemovalPolicy': true,
    '@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName': true,
    '@aws-cdk/aws-s3:createDefaultLoggingPolicy': true,
    '@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption': true,
    '@aws-cdk/aws-apigateway:disableCloudWatchRole': true,
    '@aws-cdk/core:enablePartitionLiterals': true,
    '@aws-cdk/aws-events:eventsTargetQueueSameAccount': true,
    '@aws-cdk/aws-iam:standardizedServicePrincipals': true,
    '@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker': true,
    '@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName': true,
    '@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy': true,
    '@aws-cdk/aws-route53-patters:useCertificate': true,
    '@aws-cdk/customresources:installLatestAwsSdkDefault': false,
    '@aws-cdk/aws-rds:databaseProxyUniqueResourceName': true,
    '@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup': true,
    '@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId': true,
    '@aws-cdk/aws-ec2:launchTemplateDefaultUserData': true,
    '@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments': true,
    '@aws-cdk/aws-redshift:columnId': true,
    '@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2': true,
    '@aws-cdk/aws-ec2:restrictDefaultSecurityGroup': true,
    '@aws-cdk/aws-apigateway:requestValidatorUniqueId': true,
    '@aws-cdk/aws-kms:aliasNameRef': true,
    '@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig': true,
    '@aws-cdk/core:includePrefixInUniqueNameGeneration': true,
    '@aws-cdk/aws-efs:denyAnonymousAccess': true,
    '@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby': true,
    '@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion': true,
    '@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId': true,
    '@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters': true,
    '@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier': true,
    '@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials': true,
    '@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource': true,
    '@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction': true,
    '@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse': true,
    '@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2': true,
    '@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope': true,
    '@aws-cdk/aws-eks:nodegroupNameAttribute': true,
    '@aws-cdk/aws-ec2:ebsDefaultGp3Volume': true
  },
  debug: false,
  profile: 'my-profile',
  toolkitBucket: {},
  staging: true,
  bundlingStacks: [],
  lookups: true
}
[12:46:51] Reading cached notices from /home/user/.cdk/cache/notices.json
[12:46:51] Toolkit stack: CDKToolkit
[12:46:51] Setting "CDK_DEFAULT_REGION" environment variable to ap-southeast-2
[12:46:51] Resolving default credentials
[12:46:51] Unable to determine the default AWS account (ProcessCredentialsProviderFailure): Profile my-profile did not include credential process
[12:46:51] context: {
  '@aws-cdk/aws-lambda:recognizeLayerVersion': true,
  '@aws-cdk/core:checkSecretUsage': true,
  '@aws-cdk/core:target-partitions': [ 'aws', 'aws-cn' ],
  '@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver': true,
  '@aws-cdk/aws-ec2:uniqueImdsv2TemplateName': true,
  '@aws-cdk/aws-ecs:arnFormatIncludesClusterName': true,
  '@aws-cdk/aws-iam:minimizePolicies': true,
  '@aws-cdk/core:validateSnapshotRemovalPolicy': true,
  '@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName': true,
  '@aws-cdk/aws-s3:createDefaultLoggingPolicy': true,
  '@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption': true,
  '@aws-cdk/aws-apigateway:disableCloudWatchRole': true,
  '@aws-cdk/core:enablePartitionLiterals': true,
  '@aws-cdk/aws-events:eventsTargetQueueSameAccount': true,
  '@aws-cdk/aws-iam:standardizedServicePrincipals': true,
  '@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker': true,
  '@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName': true,
  '@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy': true,
  '@aws-cdk/aws-route53-patters:useCertificate': true,
  '@aws-cdk/customresources:installLatestAwsSdkDefault': false,
  '@aws-cdk/aws-rds:databaseProxyUniqueResourceName': true,
  '@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup': true,
  '@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId': true,
  '@aws-cdk/aws-ec2:launchTemplateDefaultUserData': true,
  '@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments': true,
  '@aws-cdk/aws-redshift:columnId': true,
  '@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2': true,
  '@aws-cdk/aws-ec2:restrictDefaultSecurityGroup': true,
  '@aws-cdk/aws-apigateway:requestValidatorUniqueId': true,
  '@aws-cdk/aws-kms:aliasNameRef': true,
  '@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig': true,
  '@aws-cdk/core:includePrefixInUniqueNameGeneration': true,
  '@aws-cdk/aws-efs:denyAnonymousAccess': true,
  '@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby': true,
  '@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion': true,
  '@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId': true,
  '@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters': true,
  '@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier': true,
  '@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials': true,
  '@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource': true,
  '@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction': true,
  '@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse': true,
  '@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2': true,
  '@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope': true,
  '@aws-cdk/aws-eks:nodegroupNameAttribute': true,
  '@aws-cdk/aws-ec2:ebsDefaultGp3Volume': true,
  'aws:cdk:enable-path-metadata': true,
  'aws:cdk:enable-asset-metadata': true,
  'aws:cdk:version-reporting': true,
  'aws:cdk:bundling-stacks': []
}
[12:46:51] outdir: cdk.out
[12:46:51] env: {
  CDK_DEFAULT_REGION: 'ap-southeast-2',
  CDK_OUTDIR: 'cdk.out',
  CDK_CLI_ASM_VERSION: '36.0.0',
  CDK_CLI_VERSION: '2.142.1'
}
 ⏳  Bootstrapping environment aws://<AWS_ACN_DEPLOY>/ap-southeast-2...
 ❌  Environment aws://<AWS_ACN_DEPLOY>/ap-southeast-2 failed bootstrapping: Error: Need to perform AWS calls for account <AWS_ACN_DEPLOY>, but no credentials have been configured
    at SdkProvider.forEnvironment (/home/user/.nvm/versions/node/v20.12.0/lib/node_modules/aws-cdk/lib/index.js:401:659686)
    at async _BootstrapStack.lookup (/home/user/.nvm/versions/node/v20.12.0/lib/node_modules/aws-cdk/lib/index.js:440:20871)
    at async Bootstrapper.modernBootstrap (/home/user/.nvm/versions/node/v20.12.0/lib/node_modules/aws-cdk/lib/index.js:441:1084)
    at async /home/user/.nvm/versions/node/v20.12.0/lib/node_modules/aws-cdk/lib/index.js:445:2329
    at async Promise.all (index 0)
    at async CdkToolkit.bootstrap (/home/user/.nvm/versions/node/v20.12.0/lib/node_modules/aws-cdk/lib/index.js:445:2174)
    at async exec4 (/home/user/.nvm/versions/node/v20.12.0/lib/node_modules/aws-cdk/lib/index.js:498:54331)
[12:46:54] Reading cached notices from /home/user/.cdk/cache/notices.json

Need to perform AWS calls for account <AWS_ACN_DEPLOY>, but no credentials have been configured
[12:46:54] Error: Need to perform AWS calls for account <AWS_ACN_DEPLOY>, but no credentials have been configured
    at SdkProvider.forEnvironment (/home/user/.nvm/versions/node/v20.12.0/lib/node_modules/aws-cdk/lib/index.js:401:659686)
    at async _BootstrapStack.lookup (/home/user/.nvm/versions/node/v20.12.0/lib/node_modules/aws-cdk/lib/index.js:440:20871)
    at async Bootstrapper.modernBootstrap (/home/user/.nvm/versions/node/v20.12.0/lib/node_modules/aws-cdk/lib/index.js:441:1084)
    at async /home/user/.nvm/versions/node/v20.12.0/lib/node_modules/aws-cdk/lib/index.js:445:2329
    at async Promise.all (index 0)
    at async CdkToolkit.bootstrap (/home/user/.nvm/versions/node/v20.12.0/lib/node_modules/aws-cdk/lib/index.js:445:2174)
    at async exec4 (/home/user/.nvm/versions/node/v20.12.0/lib/node_modules/aws-cdk/lib/index.js:498:54331)
baylisscg commented 4 weeks ago

Possibly related, possibly not: if you have a [profile default] entry in .aws/config, even the workaround @bencaldwell lists won't work. Almost exactly the same stack trace, just a line or two further down. Deleting the profile fixes it.