(cli): CDK CLI not working with SSO #30303

Open
bencaldwell opened this issue May 22, 2024 · 4 comments
Labels
bug This issue is a bug. cli Issues related to the CDK CLI effort/medium Medium work item – several days of effort p2 package/tools Related to AWS CDK Tools or CLI

Comments

@bencaldwell

Describe the bug

The cdk cli is not working with my sso profile.

If I export my profile to envars it works. So it seems like there is nothing wrong with the account and something wrong with the way cdk reads the sso profile.

I login using aws sso login --profile my-profile.
When I run cdk bootstrap aws://<my-account>/<my-region> --profile my-profile there is an error: "Need to perform AWS calls for account 413304634307, but no credentials have been configured"

Expected Behavior

I expect to be able to run:

  1. aws sso login --profile my-profile
  2. cdk bootstrap aws://my-account/my-region --profile my-profile

Current Behavior

Current behaviour is that this throws an error "Need to perform AWS calls for account 413304634307, but no credentials have been configured"

However, if I add a step to export to envars it does work.

This works:
1. aws sso login --profile my-profile
2. $(aws configure export-credentials --profile my-profile --format env)
3. cdk bootstrap aws://my-account/my-region --profile my-profile

Reproduction Steps

Run this and see the error because the SSO profile doesn't work:

  1. aws sso login --profile my-profile
  2. cdk bootstrap aws://my-account/my-region --profile my-profile

Run this and it works because it has the envars it wants:

1. aws sso login --profile my-profile
2. $(aws configure export-credentials --profile my-profile --format env)
3. cdk bootstrap aws://my-account/my-region --profile my-profile

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.142.1 (build ed4e152)

Framework Version

No response

Node.js Version

v20.12.0

OS

WSL Ubuntu 22.04.4 LTS

Language

TypeScript

Language Version

No response

Other information

No response

@bencaldwell bencaldwell added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels May 22, 2024
@github-actions github-actions bot added the package/tools Related to AWS CDK Tools or CLI label May 22, 2024
@pahud (Contributor) commented May 22, 2024

Can you help us check:

  1. After you run aws sso login --profile my-profile with authentication, run
    aws --profile my-profile sts get-caller-identity. Would you see the correct identity?

  2. Can you run cdk -vv bootstrap aws://my-account/my-region --profile my-profile to enable verbose mode and show us the verbose logs?

  3. And, just out of curiosity, would this work for you?

$ AWS_PROFILE='my-profile' cdk bootstrap aws://my-account/my-region

@pahud pahud added p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels May 22, 2024
@bencaldwell (Author)

Can you help us check:

  1. After you run aws sso login --profile my-profile with authentication, run
    aws --profile my-profile sts get-caller-identity. Would you see the correct identity?

Yes, this gives the correct identity.

  2. Can you run cdk -vv bootstrap aws://my-account/my-region --profile my-profile to enable verbose mode and show us the verbose logs?

Shown below.

  3. And, just out of curiosity, would this work for you?
$ AWS_PROFILE='my-profile' cdk bootstrap aws://my-account/my-region

No, this has the same result.

The verbose output:

cdk -vv bootstrap aws://<AWS_ACN_DEPLOY>/ap-southeast-2 --trust arn:aws:iam::<AWS_ACN_DEVOPS>:user/cicd --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess --profile my-profile
[12:46:51] CDK toolkit version: 2.142.1 (build ed4e152)
[12:46:51] Command line arguments: {
  _: [ 'bootstrap' ],
  v: 2,
  verbose: 2,
  trust: [ 'arn:aws:iam::<AWS_ACN_DEVOPS>:user/cicd' ],
  'cloudformation-execution-policies': [ 'arn:aws:iam::aws:policy/AdministratorAccess' ],
  cloudformationExecutionPolicies: [ 'arn:aws:iam::aws:policy/AdministratorAccess' ],
  profile: 'my-profile',
  lookups: true,
  'ignore-errors': false,
  ignoreErrors: false,
  json: false,
  j: false,
  debug: false,
  ec2creds: undefined,
  i: undefined,
  'version-reporting': undefined,
  versionReporting: undefined,
  'path-metadata': undefined,
  pathMetadata: undefined,
  'asset-metadata': undefined,
  assetMetadata: undefined,
  'role-arn': undefined,
  r: undefined,
  roleArn: undefined,
  staging: true,
  'no-color': false,
  noColor: false,
  ci: false,
  'bootstrap-bucket-name': undefined,
  b: undefined,
  'toolkit-bucket-name': undefined,
  toolkitBucketName: undefined,
  bootstrapBucketName: undefined,
  'bootstrap-kms-key-id': undefined,
  bootstrapKmsKeyId: undefined,
  'example-permissions-boundary': undefined,
  epb: undefined,
  examplePermissionsBoundary: undefined,
  'custom-permissions-boundary': undefined,
  cpb: undefined,
  customPermissionsBoundary: undefined,
  'bootstrap-customer-key': undefined,
  bootstrapCustomerKey: undefined,
  qualifier: undefined,
  'public-access-block-configuration': undefined,
  publicAccessBlockConfiguration: undefined,
  tags: [],
  t: [],
  execute: true,
  'trust-for-lookup': [],
  trustForLookup: [],
  force: false,
  f: false,
  'termination-protection': undefined,
  terminationProtection: undefined,
  'show-template': false,
  showTemplate: false,
  'previous-parameters': true,
  previousParameters: true,
  '$0': 'cdk',
  ENVIRONMENTS: [ 'aws://<AWS_ACN_DEPLOY>/ap-southeast-2' ],
  'E-n-v-i-r-o-n-m-e-n-t-s': [ 'aws://<AWS_ACN_DEPLOY>/ap-southeast-2' ]
}
[12:46:51] cdk.json: {
  "app": "npx ts-node --prefer-ts-exts bin/technology-radar.ts",
  "watch": {
    "include": [
      "**"
    ],
    "exclude": [
      "README.md",
      "cdk*.json",
      "**/*.d.ts",
      "**/*.js",
      "tsconfig.json",
      "package*.json",
      "yarn.lock",
      "node_modules",
      "test"
    ]
  },
  "context": {
    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
    "@aws-cdk/core:checkSecretUsage": true,
    "@aws-cdk/core:target-partitions": [
      "aws",
      "aws-cn"
    ],
    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
    "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
    "@aws-cdk/aws-iam:minimizePolicies": true,
    "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
    "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
    "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
    "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
    "@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
    "@aws-cdk/core:enablePartitionLiterals": true,
    "@aws-cdk/aws-events:eventsTargetQueueSameAccount": true,
    "@aws-cdk/aws-iam:standardizedServicePrincipals": true,
    "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true,
    "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true,
    "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
    "@aws-cdk/aws-route53-patters:useCertificate": true,
    "@aws-cdk/customresources:installLatestAwsSdkDefault": false,
    "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": true,
    "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": true,
    "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": true,
    "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": true,
    "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true,
    "@aws-cdk/aws-redshift:columnId": true,
    "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true,
    "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": true,
    "@aws-cdk/aws-apigateway:requestValidatorUniqueId": true,
    "@aws-cdk/aws-kms:aliasNameRef": true,
    "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": true,
    "@aws-cdk/core:includePrefixInUniqueNameGeneration": true,
    "@aws-cdk/aws-efs:denyAnonymousAccess": true,
    "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": true,
    "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": true,
    "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": true,
    "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": true,
    "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": true,
    "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": true,
    "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": true,
    "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": true,
    "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": true,
    "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": true,
    "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": true,
    "@aws-cdk/aws-eks:nodegroupNameAttribute": true,
    "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": true
  }
}
[12:46:51] merged settings: {
  versionReporting: true,
  assetMetadata: true,
  pathMetadata: true,
  output: 'cdk.out',
  app: 'npx ts-node --prefer-ts-exts bin/technology-radar.ts',
  watch: {
    include: [ '**' ],
    exclude: [
      'README.md',
      'cdk*.json',
      '**/*.d.ts',
      '**/*.js',
      'tsconfig.json',
      'package*.json',
      'yarn.lock',
      'node_modules',
      'test'
    ]
  },
  context: {
    '@aws-cdk/aws-lambda:recognizeLayerVersion': true,
    '@aws-cdk/core:checkSecretUsage': true,
    '@aws-cdk/core:target-partitions': [ 'aws', 'aws-cn' ],
    '@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver': true,
    '@aws-cdk/aws-ec2:uniqueImdsv2TemplateName': true,
    '@aws-cdk/aws-ecs:arnFormatIncludesClusterName': true,
    '@aws-cdk/aws-iam:minimizePolicies': true,
    '@aws-cdk/core:validateSnapshotRemovalPolicy': true,
    '@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName': true,
    '@aws-cdk/aws-s3:createDefaultLoggingPolicy': true,
    '@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption': true,
    '@aws-cdk/aws-apigateway:disableCloudWatchRole': true,
    '@aws-cdk/core:enablePartitionLiterals': true,
    '@aws-cdk/aws-events:eventsTargetQueueSameAccount': true,
    '@aws-cdk/aws-iam:standardizedServicePrincipals': true,
    '@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker': true,
    '@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName': true,
    '@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy': true,
    '@aws-cdk/aws-route53-patters:useCertificate': true,
    '@aws-cdk/customresources:installLatestAwsSdkDefault': false,
    '@aws-cdk/aws-rds:databaseProxyUniqueResourceName': true,
    '@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup': true,
    '@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId': true,
    '@aws-cdk/aws-ec2:launchTemplateDefaultUserData': true,
    '@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments': true,
    '@aws-cdk/aws-redshift:columnId': true,
    '@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2': true,
    '@aws-cdk/aws-ec2:restrictDefaultSecurityGroup': true,
    '@aws-cdk/aws-apigateway:requestValidatorUniqueId': true,
    '@aws-cdk/aws-kms:aliasNameRef': true,
    '@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig': true,
    '@aws-cdk/core:includePrefixInUniqueNameGeneration': true,
    '@aws-cdk/aws-efs:denyAnonymousAccess': true,
    '@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby': true,
    '@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion': true,
    '@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId': true,
    '@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters': true,
    '@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier': true,
    '@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials': true,
    '@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource': true,
    '@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction': true,
    '@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse': true,
    '@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2': true,
    '@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope': true,
    '@aws-cdk/aws-eks:nodegroupNameAttribute': true,
    '@aws-cdk/aws-ec2:ebsDefaultGp3Volume': true
  },
  debug: false,
  profile: 'my-profile',
  toolkitBucket: {},
  staging: true,
  bundlingStacks: [],
  lookups: true
}
[12:46:51] Reading cached notices from /home/user/.cdk/cache/notices.json
[12:46:51] Toolkit stack: CDKToolkit
[12:46:51] Setting "CDK_DEFAULT_REGION" environment variable to ap-southeast-2
[12:46:51] Resolving default credentials
[12:46:51] Unable to determine the default AWS account (ProcessCredentialsProviderFailure): Profile my-profile did not include credential process
[12:46:51] context: {
  '@aws-cdk/aws-lambda:recognizeLayerVersion': true,
  '@aws-cdk/core:checkSecretUsage': true,
  '@aws-cdk/core:target-partitions': [ 'aws', 'aws-cn' ],
  '@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver': true,
  '@aws-cdk/aws-ec2:uniqueImdsv2TemplateName': true,
  '@aws-cdk/aws-ecs:arnFormatIncludesClusterName': true,
  '@aws-cdk/aws-iam:minimizePolicies': true,
  '@aws-cdk/core:validateSnapshotRemovalPolicy': true,
  '@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName': true,
  '@aws-cdk/aws-s3:createDefaultLoggingPolicy': true,
  '@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption': true,
  '@aws-cdk/aws-apigateway:disableCloudWatchRole': true,
  '@aws-cdk/core:enablePartitionLiterals': true,
  '@aws-cdk/aws-events:eventsTargetQueueSameAccount': true,
  '@aws-cdk/aws-iam:standardizedServicePrincipals': true,
  '@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker': true,
  '@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName': true,
  '@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy': true,
  '@aws-cdk/aws-route53-patters:useCertificate': true,
  '@aws-cdk/customresources:installLatestAwsSdkDefault': false,
  '@aws-cdk/aws-rds:databaseProxyUniqueResourceName': true,
  '@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup': true,
  '@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId': true,
  '@aws-cdk/aws-ec2:launchTemplateDefaultUserData': true,
  '@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments': true,
  '@aws-cdk/aws-redshift:columnId': true,
  '@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2': true,
  '@aws-cdk/aws-ec2:restrictDefaultSecurityGroup': true,
  '@aws-cdk/aws-apigateway:requestValidatorUniqueId': true,
  '@aws-cdk/aws-kms:aliasNameRef': true,
  '@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig': true,
  '@aws-cdk/core:includePrefixInUniqueNameGeneration': true,
  '@aws-cdk/aws-efs:denyAnonymousAccess': true,
  '@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby': true,
  '@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion': true,
  '@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId': true,
  '@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters': true,
  '@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier': true,
  '@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials': true,
  '@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource': true,
  '@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction': true,
  '@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse': true,
  '@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2': true,
  '@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope': true,
  '@aws-cdk/aws-eks:nodegroupNameAttribute': true,
  '@aws-cdk/aws-ec2:ebsDefaultGp3Volume': true,
  'aws:cdk:enable-path-metadata': true,
  'aws:cdk:enable-asset-metadata': true,
  'aws:cdk:version-reporting': true,
  'aws:cdk:bundling-stacks': []
}
[12:46:51] outdir: cdk.out
[12:46:51] env: {
  CDK_DEFAULT_REGION: 'ap-southeast-2',
  CDK_OUTDIR: 'cdk.out',
  CDK_CLI_ASM_VERSION: '36.0.0',
  CDK_CLI_VERSION: '2.142.1'
}
 ⏳  Bootstrapping environment aws://<AWS_ACN_DEPLOY>/ap-southeast-2...
 ❌  Environment aws://<AWS_ACN_DEPLOY>/ap-southeast-2 failed bootstrapping: Error: Need to perform AWS calls for account <AWS_ACN_DEPLOY>, but no credentials have been configured
    at SdkProvider.forEnvironment (/home/user/.nvm/versions/node/v20.12.0/lib/node_modules/aws-cdk/lib/index.js:401:659686)
    at async _BootstrapStack.lookup (/home/user/.nvm/versions/node/v20.12.0/lib/node_modules/aws-cdk/lib/index.js:440:20871)
    at async Bootstrapper.modernBootstrap (/home/user/.nvm/versions/node/v20.12.0/lib/node_modules/aws-cdk/lib/index.js:441:1084)
    at async /home/user/.nvm/versions/node/v20.12.0/lib/node_modules/aws-cdk/lib/index.js:445:2329
    at async Promise.all (index 0)
    at async CdkToolkit.bootstrap (/home/user/.nvm/versions/node/v20.12.0/lib/node_modules/aws-cdk/lib/index.js:445:2174)
    at async exec4 (/home/user/.nvm/versions/node/v20.12.0/lib/node_modules/aws-cdk/lib/index.js:498:54331)
[12:46:54] Reading cached notices from /home/user/.cdk/cache/notices.json

Need to perform AWS calls for account <AWS_ACN_DEPLOY>, but no credentials have been configured
[12:46:54] Error: Need to perform AWS calls for account <AWS_ACN_DEPLOY>, but no credentials have been configured
    at SdkProvider.forEnvironment (/home/user/.nvm/versions/node/v20.12.0/lib/node_modules/aws-cdk/lib/index.js:401:659686)
    at async _BootstrapStack.lookup (/home/user/.nvm/versions/node/v20.12.0/lib/node_modules/aws-cdk/lib/index.js:440:20871)
    at async Bootstrapper.modernBootstrap (/home/user/.nvm/versions/node/v20.12.0/lib/node_modules/aws-cdk/lib/index.js:441:1084)
    at async /home/user/.nvm/versions/node/v20.12.0/lib/node_modules/aws-cdk/lib/index.js:445:2329
    at async Promise.all (index 0)
    at async CdkToolkit.bootstrap (/home/user/.nvm/versions/node/v20.12.0/lib/node_modules/aws-cdk/lib/index.js:445:2174)
    at async exec4 (/home/user/.nvm/versions/node/v20.12.0/lib/node_modules/aws-cdk/lib/index.js:498:54331)

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label May 24, 2024
@pahud pahud added the cli Issues related to the CDK CLI label May 29, 2024
@baylisscg

Possibly related, possibly not: if you have a [profile default] entry in .aws/config, even the workaround @bencaldwell lists won't work. Almost exactly the same stacktrace, just a line or two further down. Deleting the profile fixes it.

@holmesjr commented Aug 8, 2024

Try reconfiguring SSO. I was still set up for legacy access - switching to the new identity centre SSO config fixed this for me:

https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html
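The two configuration conditions raised in this thread (a legacy SSO profile that carries sso_start_url directly instead of referencing an [sso-session] block, and an explicit [profile default] section) can both be checked before running cdk. The script below is an added example written for this page, not code from the aws-cdk project; it assumes the standard AWS CLI config layout ([profile NAME] / [default] / [sso-session NAME] sections) and uses a constructed sample config that is not taken from the issue.

```python
"""Audit an AWS CLI config file for the SSO profile conditions discussed above.

Assumptions (not from the issue): profiles are "[profile NAME]" sections (the
default profile is written "[default]"), Identity Center profiles point at an
"[sso-session NAME]" section via sso_session, and legacy SSO profiles carry
sso_start_url/sso_region directly in the profile section.
"""
import configparser
import sys

# Constructed sample config for this example (not from the issue): one legacy
# SSO profile, one Identity Center profile, and an explicit "[profile default]".
SAMPLE_CONFIG = """
[profile default]
region = ap-southeast-2
output = json

[profile legacy-sso]
sso_start_url = https://example.awsapps.com/start
sso_region = ap-southeast-2
sso_account_id = 111111111111
sso_role_name = ReadOnly
region = ap-southeast-2

[sso-session corp]
sso_start_url = https://example.awsapps.com/start
sso_region = ap-southeast-2
sso_registration_scopes = sso:account:access

[profile my-profile]
sso_session = corp
sso_account_id = 111111111111
sso_role_name = ReadOnly
region = ap-southeast-2
"""


def load_config(text):
    """Parse AWS CLI INI text; interpolation is disabled so URLs with '%' are safe."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def profile_section(parser, name):
    """Map a profile name to its section name, or None if it is not defined."""
    if name == "default" and parser.has_section("default"):
        return "default"
    candidate = f"profile {name}"
    return candidate if parser.has_section(candidate) else None


def classify_sso_profile(parser, name):
    """Return one of: identity-center, dangling-sso-session, legacy-sso, not-sso, missing."""
    section = profile_section(parser, name)
    if section is None:
        return "missing"
    opts = parser[section]
    if "sso_session" in opts:
        session = f"sso-session {opts['sso_session']}"
        return "identity-center" if parser.has_section(session) else "dangling-sso-session"
    if "sso_start_url" in opts:
        return "legacy-sso"
    return "not-sso"


def audit(text, profile):
    """Classify the profile and collect findings a user would want to fix before running cdk."""
    parser = load_config(text)
    kind = classify_sso_profile(parser, profile)
    findings = []
    if kind == "legacy-sso":
        findings.append(
            f"profile {profile!r} uses legacy SSO keys (sso_start_url in the profile); "
            "migrate to an [sso-session] block as the Identity Center docs describe"
        )
    elif kind == "dangling-sso-session":
        findings.append(f"profile {profile!r} references an [sso-session] that is not defined")
    elif kind == "missing":
        findings.append(f"profile {profile!r} is not defined in this config")
    if parser.has_section("profile default"):
        findings.append(
            "explicit '[profile default]' section present; the default profile is written "
            "'[default]', and a commenter above reports this section breaks credential resolution"
        )
    return kind, findings


if __name__ == "__main__":
    # Usage: python audit_sso_config.py [~/.aws/config] [profile-name]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    profile = sys.argv[2] if len(sys.argv) > 2 else "my-profile"
    kind, findings = audit(text, profile)
    print(f"{profile}: {kind}")
    for finding in findings:
        print(f"  - {finding}")
```

Run it against your real file with `python audit_sso_config.py ~/.aws/config my-profile`; a clean Identity Center profile reports `identity-center` with no findings, which is the state holmesjr's comment describes.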
