aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

CLI: STS assume role operations not using proxy settings #32290

Open munch9 opened 4 days ago

munch9 commented 4 days ago

Describe the bug

When running CLI operations (synth/deploy), the STS assume role operation is not using proxy settings.

connect ETIMEDOUT 54.239.32.126:443

Running netstat during CLI operations shows repeated attempts to connect directly until timeout occurs:

tcp 0 1 U-1IZ5ADH66TV96.d:41412 67.220.224.163:https SYN_SENT 395770/node

npx cdk -vvv synth

[14:50:34] Retrieved account ID nnnnnnnnnnnn from disk cache
[14:50:34] [trace] SdkProvider#forEnvironment()
[14:50:34] [trace]   SdkProvider#resolveEnvironment()
[14:50:34] [trace]   SdkProvider#obtainBaseCredentials()
[14:50:34] [trace]     SdkProvider#defaultAccount()
[14:50:34] [trace]     SdkProvider#defaultCredentials()
[14:50:34] [trace]   SdkProvider#withAssumedRole()
[14:50:34] Assuming role 'arn:aws:iam::nnnnnnnnnnnn:role/cdk-hnb659fds-lookup-role-nnnnnnnnnnnn-eu-west-1'.
[14:57:18] Assuming role failed: connect ETIMEDOUT 54.239.32.126:443

Regression Issue

Last Known Working CDK Version

2.166.0

Expected Behavior

CLI commands should use proxy settings and assume role correctly

Current Behavior

Proxy is not used so connection times out

Reproduction Steps

Be behind an HTTP proxy

export HTTPS_PROXY=<proxy name>

Use a basic new CDK app with no or empty cdk.context.json

Create a user in an account with permission to assume role in the deployment target account

Create a role with necessary CDK deployment permissions in target account and trust to the assuming account root

Export user session credentials into the virtual environment

Synth stack and cdk.context.json is correctly populated.

Repeat steps with any higher version of aws-cdk >2.166.0 and error is seen

Minimal working example

package.json

{
    "dependencies": {
      "aws-cdk": "2.166.0"
    }
}

requirements.txt

aws-cdk-lib==2.166.0
constructs>=10.0.0,<11.0.0

app.py

from aws_cdk import App, Stack, Environment
from aws_cdk.aws_ec2 import Vpc

# Placeholder account; region matches the lookup role in the log above
env = Environment(account="012345678910", region="eu-west-1")

app = App()

class myStack(Stack):
    def __init__(self, scope, id, **kwargs):
        super().__init__(scope, id, **kwargs)
        # Context lookup: makes the CLI assume the lookup role during synth
        vpc = Vpc.from_lookup(self, "vpc", vpc_id="DEFAULT-VPC-ID")

stack = myStack(app, "stack", env=env)

app.synth()

As a reverse test to prove the behaviour if not behind a proxy, you can use a similar example.

Set a non-existent proxy value:

export HTTPS_PROXY=http://localhost:8181

Using cdk <=2.166.0 this will fail to synth, as the invalid proxy will be used and fail to connect.

Using cdk >2.166.0 this will synth correctly, as the proxy setting is ignored.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.171.0

Framework Version

No response

Node.js Version

v20.12.1

OS

22.04

Language

Python

Language Version

3.9.20

Other information

No response
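A check for the symptom described in this report, added here as an example (not code from the reporter or the CDK project): it parses `netstat -tp` output and lists sockets owned by `node` that target a TLS port directly instead of the configured proxy. The proxy address 10.0.0.5:3128 and every sample row except the first are constructed, and it assumes netstat prints the proxy host the same way HTTPS_PROXY names it.

```python
import re
from urllib.parse import urlsplit

# Columns of `netstat -tp` / `-tnp`: proto recv-q send-q local remote state pid/program
ROW = re.compile(r"^tcp6?\s+\d+\s+\d+\s+\S+\s+(\S+):(\w+)\s+(\S+)\s+(\d+)/(\S+)")
TLS_PORTS = {"443", "https"}            # numeric with -n, service name without
OPEN_STATES = {"SYN_SENT", "ESTABLISHED"}


def proxy_endpoint(https_proxy):
    """Split an HTTPS_PROXY value into (host, port) strings."""
    url = urlsplit(https_proxy)
    default_port = 443 if url.scheme == "https" else 80
    return url.hostname, str(url.port or default_port)


def direct_tls_connections(netstat_output, https_proxy, program="node"):
    """Return (remote_host, remote_port, state, pid) for sockets owned by
    `program` that target a TLS port directly instead of the proxy."""
    proxy = proxy_endpoint(https_proxy)
    hits = []
    for line in netstat_output.splitlines():
        row = ROW.match(line.strip())
        if not row:
            continue                    # header or non-TCP line
        host, port, state, pid, owner = row.groups()
        if owner != program or (host, port) == proxy:
            continue                    # other process, or expected proxy traffic
        if port in TLS_PORTS and state in OPEN_STATES:
            hits.append((host, port, state, int(pid)))
    return hits


# Constructed sample: the first tcp row is the one quoted in the report,
# the proxy and sshd rows are invented for illustration.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      1 U-1IZ5ADH66TV96.d:41412 67.220.224.163:https    SYN_SENT    395770/node
tcp        0      0 U-1IZ5ADH66TV96.d:41500 10.0.0.5:3128           ESTABLISHED 395770/node
tcp        0      0 U-1IZ5ADH66TV96.d:22    10.0.0.9:50122          ESTABLISHED 1201/sshd
"""

if __name__ == "__main__":
    for hit in direct_tls_connections(SAMPLE, "http://10.0.0.5:3128"):
        print("bypasses proxy:", hit)
```

An empty result while the CLI is running means every TLS connection from `node` is going through the proxy; any row returned is egress that skipped it.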

pahud commented 4 days ago

Looking into this issue now.

pahud commented 4 days ago

The team is aware of this issue and is working on the fix at https://github.com/aws/aws-cdk/pull/32291

pahud commented 4 days ago

internal D181250979

rix0rrr commented 3 days ago

The issue is known and the fix is here: https://github.com/aws/aws-cdk/pull/32291

A fixed version will be released December 6th.