Skip to content
This repository has been archived by the owner on Dec 7, 2021. It is now read-only.

Will this run with any language or just typescript? #31

Closed
mrpackethead opened this issue Apr 19, 2021 · 6 comments · Fixed by #48
Closed

Will this run with any language or just typescript? #31

mrpackethead opened this issue Apr 19, 2021 · 6 comments · Fixed by #48
Labels
released

Comments

@mrpackethead
Copy link

It seems it shoud'nt but so far i'm failing miserably to get it to work.
@higorcoliveira
Copy link

hi @mrpackethead Did you able to get this working?

I'm using typescript in my cdk app. I executed cdk synth and the output was successful.

Then I runned cdk deploy --all and got this error:

HelloCdkStack-analytics Need to perform AWS calls for account XXXXXXXXX, but the current credentials are for YYYYYYYYY, and none of these plugins found any: AssumeRoleCredentialPlugin

Account XXXXXXXXX already have the permissions cdk-readOnlyRole and cdk-writeRole, with the trusted account YYYYYYYYY.

My cdk.json is something like this:

  "app": "npx ts-node --prefer-ts-exts bin/hello-cdk.ts",
  "context": {
    "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": true,
    "@aws-cdk/core:enableStackNameDuplicates": "true",
    "aws-cdk:enableDiffNoFail": "true",
    "@aws-cdk/core:stackRelativeExports": "true",
    "@aws-cdk/aws-ecr-assets:dockerIgnoreSupport": true,
    "@aws-cdk/aws-secretsmanager:parseOwnedSecretName": true,
    "@aws-cdk/aws-kms:defaultKeyPolicies": true,
    "@aws-cdk/aws-s3:grantWriteWithoutAcl": true,
    "@aws-cdk/aws-ecs-patterns:removeDefaultDesiredCount": true,
    "@aws-cdk/aws-rds:lowercaseDbIdentifier": true,
    "@aws-cdk/aws-efs:defaultEncryptionAtRest": true
  },
  "plugin": ["cdk-assume-role-credential-plugin"]
}

I'm struggled for two days with this.

@mrpackethead
Copy link
Author

I gave up on it.. and solved the problem in a differnet way. However i had similar issues with my 'otherway' as well. The fix for that was that aws-sdk, ( which was installed with aws-cdk ) had issues with the dealing with credentials. Upgrading sdk fixed the problem. I can't help but thing, that perhaps the problem i had was not this module, but a problem with sdk.

@corymhall
Copy link
Contributor

@mrpackethead @higorcoliveira can you paste the verbose logs? (cdk deploy -v). Most of the issues like this that I've seen end up being something with how the default credentials on your machine are getting loaded, but I might be able to help troubleshoot.

@higorcoliveira
Copy link

higorcoliveira commented Jun 1, 2021
edited
Loading

Sorry for the late response @corymhall, I had to dig in another solution because this problem was blocking my work.

I managed to get the deploy working in my local machine, just adjusted the aws-cdk version and the cdk libs to the same one (in this case, I'm using 1.106.1).

However, in my CI pipeline the problem persists. I put -v for verbose and the error does not make sense, it's something relative to a missing region. I already set the region in my pipeline's environment variable (AWS_DEFAULT_REGION).

This is the error:

  • cdk bootstrap -v
    CDK toolkit version: 1.106.1 (build c832c1b)
    Command line arguments: {
    _: [ 'bootstrap' ],
    v: 1,
    verbose: 1,
    lookups: true,
    'ignore-errors': false,
    ignoreErrors: false,
    json: false,
    j: false,
    debug: false,
    ec2creds: undefined,
    i: undefined,
    'version-reporting': undefined,
    versionReporting: undefined,
    'path-metadata': true,
    pathMetadata: true,
    'asset-metadata': true,
    assetMetadata: true,
    'role-arn': undefined,
    r: undefined,
    roleArn: undefined,
    staging: true,
    'no-color': false,
    noColor: false,
    fail: false,
    'bootstrap-bucket-name': undefined,
    b: undefined,
    'toolkit-bucket-name': undefined,
    toolkitBucketName: undefined,
    bootstrapBucketName: undefined,
    'bootstrap-kms-key-id': undefined,
    bootstrapKmsKeyId: undefined,
    'bootstrap-customer-key': undefined,
    bootstrapCustomerKey: undefined,
    qualifier: undefined,
    'public-access-block-configuration': undefined,
    publicAccessBlockConfiguration: undefined,
    tags: [],
    t: [],
    execute: true,
    trust: [],
    'cloudformation-execution-policies': [],
    cloudformationExecutionPolicies: [],
    force: false,
    f: false,
    'termination-protection': undefined,
    terminationProtection: undefined,
    'show-template': false,
    showTemplate: false,
    '$0': '/usr/local/bin/cdk'
    }
    cdk.json: {
    "app": "npx ts-node --prefer-ts-exts bin/bizcap-iam-policy-roles-creation.ts",
    "context": {
    "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": true,
    "@aws-cdk/core:enableStackNameDuplicates": "true",
    "aws-cdk:enableDiffNoFail": "true",
    "@aws-cdk/core:stackRelativeExports": "true",
    "@aws-cdk/aws-ecr-assets:dockerIgnoreSupport": true,
    "@aws-cdk/aws-secretsmanager:parseOwnedSecretName": true,
    "@aws-cdk/aws-kms:defaultKeyPolicies": true,
    "@aws-cdk/aws-s3:grantWriteWithoutAcl": true,
    "@aws-cdk/aws-ecs-patterns:removeDefaultDesiredCount": true,
    "@aws-cdk/aws-rds:lowercaseDbIdentifier": true,
    "@aws-cdk/aws-efs:defaultEncryptionAtRest": true
    },
    "plugin": [
    "cdk-assume-role-credential-plugin"
    ]
    }
    merged settings: {
    versionReporting: true,
    pathMetadata: true,
    output: 'cdk.out',
    app: 'npx ts-node --prefer-ts-exts bin/bizcap-iam-policy-roles-creation.ts',
    context: {
    '@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId': true,
    '@aws-cdk/core:enableStackNameDuplicates': 'true',
    'aws-cdk:enableDiffNoFail': 'true',
    '@aws-cdk/core:stackRelativeExports': 'true',
    '@aws-cdk/aws-ecr-assets:dockerIgnoreSupport': true,
    '@aws-cdk/aws-secretsmanager:parseOwnedSecretName': true,
    '@aws-cdk/aws-kms:defaultKeyPolicies': true,
    '@aws-cdk/aws-s3:grantWriteWithoutAcl': true,
    '@aws-cdk/aws-ecs-patterns:removeDefaultDesiredCount': true,
    '@aws-cdk/aws-rds:lowercaseDbIdentifier': true,
    '@aws-cdk/aws-efs:defaultEncryptionAtRest': true
    },
    plugin: [ 'cdk-assume-role-credential-plugin' ],
    debug: false,
    assetMetadata: true,
    toolkitBucket: {},
    staging: true,
    bundlingStacks: [],
    lookups: true
    }
    Determining if we're on an EC2 instance.
    Looks like an EC2 instance.
    Loading plug-in: cdk-assume-role-credential-plugin from /usr/local/lib/node_modules/cdk-assume-role-credential-plugin/lib/index.js
    Toolkit stack: CDKToolkit
    Setting "CDK_DEFAULT_REGION" environment variable to us-east-1
    Resolving default credentials
    Looking up default account ID from STS
    Default account ID: XXXXXXXXXXXX
    Setting "CDK_DEFAULT_ACCOUNT" environment variable to XXXXXXXXXXXX
    context: {
    '@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId': true,
    '@aws-cdk/core:enableStackNameDuplicates': 'true',
    'aws-cdk:enableDiffNoFail': 'true',
    '@aws-cdk/core:stackRelativeExports': 'true',
    '@aws-cdk/aws-ecr-assets:dockerIgnoreSupport': true,
    '@aws-cdk/aws-secretsmanager:parseOwnedSecretName': true,
    '@aws-cdk/aws-kms:defaultKeyPolicies': true,
    '@aws-cdk/aws-s3:grantWriteWithoutAcl': true,
    '@aws-cdk/aws-ecs-patterns:removeDefaultDesiredCount': true,
    '@aws-cdk/aws-rds:lowercaseDbIdentifier': true,
    '@aws-cdk/aws-efs:defaultEncryptionAtRest': true,
    'aws:cdk:enable-path-metadata': true,
    'aws:cdk:enable-asset-metadata': true,
    'aws:cdk:version-reporting': true,
    'aws:cdk:bundling-stacks': []
    }
    outdir: cdk.out
    env: {
    CDK_DEFAULT_REGION: 'us-east-1',
    CDK_DEFAULT_ACCOUNT: 'XXXXXXXXXXXX',
    CDK_CONTEXT_JSON: '{"@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId":true,"@aws-cdk/core:enableStackNameDuplicates":"true","aws-cdk:enableDiffNoFail":"true","@aws-cdk/core:stackRelativeExports":"true","@aws-cdk/aws-ecr-assets:dockerIgnoreSupport":true,"@aws-cdk/aws-secretsmanager:parseOwnedSecretName":true,"@aws-cdk/aws-kms:defaultKeyPolicies":true,"@aws-cdk/aws-s3:grantWriteWithoutAcl":true,"@aws-cdk/aws-ecs-patterns:removeDefaultDesiredCount":true,"@aws-cdk/aws-rds:lowercaseDbIdentifier":true,"@aws-cdk/aws-efs:defaultEncryptionAtRest":true,"aws:cdk:enable-path-metadata":true,"aws:cdk:enable-asset-metadata":true,"aws:cdk:version-reporting":true,"aws:cdk:bundling-stacks":[]}',
    CDK_OUTDIR: 'cdk.out',
    CDK_CLI_ASM_VERSION: '11.0.0',
    CDK_CLI_VERSION: '1.106.1'
    }
    ⏳ Bootstrapping environment aws://YYYYYYYYYYYY/us-east-1...
    ⏳ Bootstrapping environment aws://ZZZZZZZZZZZZ/us-east-1...
    ⏳ Bootstrapping environment aws://XXXXXXXXXXXX/us-east-1...
    Waiting for stack CDKToolkit to finish creating or updating...
    AssumeRoleCredentialPlugin found value for readIamRole cdk-readOnlyRole. checking if we can obtain credentials
    AssumeRoleCredentialPlugin found value for readIamRole cdk-readOnlyRole. checking if we can obtain credentials
    error assuming role Error [ConfigError]: Missing region in config
    at Request.optInRegionalEndpoint (/usr/local/lib/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/services/sts.js:75:30)
    at Request.callListeners (/usr/local/lib/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/usr/local/lib/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/usr/local/lib/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/request.js:688:14)
    at Request.transition (/usr/local/lib/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/usr/local/lib/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at Request.runTo (/usr/local/lib/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/request.js:408:15)
    at /usr/local/lib/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/request.js:797:12
    at new Promise ()
    at Request.promise (/usr/local/lib/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/request.js:783:12) {
    code: 'ConfigError',
    time: 2021-06-01T21:23:16.378Z
    }
    error assuming role Error [ConfigError]: Missing region in config
    at Request.optInRegionalEndpoint (/usr/local/lib/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/services/sts.js:75:30)
    at Request.callListeners (/usr/local/lib/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/usr/local/lib/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/usr/local/lib/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/request.js:688:14)
    at Request.transition (/usr/local/lib/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/usr/local/lib/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at Request.runTo (/usr/local/lib/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/request.js:408:15)
    at /usr/local/lib/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/request.js:797:12
    at new Promise ()
    at Request.promise (/usr/local/lib/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/request.js:783:12) {
    code: 'ConfigError',
    time: 2021-06-01T21:23:16.383Z
    }
    AssumeRoleCredentialPlugin cannot obtain credentials for role cdk-readOnlyRole
    AssumeRoleCredentialPlugin found value for writeIamRole cdk-writeRole. checking if we can obtain credentials
    AssumeRoleCredentialPlugin cannot obtain credentials for role cdk-readOnlyRole
    AssumeRoleCredentialPlugin found value for writeIamRole cdk-writeRole. checking if we can obtain credentials
    error assuming role Error [ConfigError]: Missing region in config
    at Request.optInRegionalEndpoint (/usr/local/lib/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/services/sts.js:75:30)
    at Request.callListeners (/usr/local/lib/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/usr/local/lib/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/usr/local/lib/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/request.js:688:14)
    at Request.transition (/usr/local/lib/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/usr/local/lib/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at Request.runTo (/usr/local/lib/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/request.js:408:15)
    at /usr/local/lib/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/request.js:797:12
    at new Promise ()
    at Request.promise (/usr/local/lib/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/request.js:783:12) {
    code: 'ConfigError',
    time: 2021-06-01T21:23:16.387Z
    }
    error assuming role Error [ConfigError]: Missing region in config
    at Request.optInRegionalEndpoint (/usr/local/lib/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/services/sts.js:75:30)
    at Request.callListeners (/usr/local/lib/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/usr/local/lib/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/usr/local/lib/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/request.js:688:14)
    at Request.transition (/usr/local/lib/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/usr/local/lib/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at Request.runTo (/usr/local/lib/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/request.js:408:15)
    at /usr/local/lib/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/request.js:797:12
    at new Promise ()
    at Request.promise (/usr/local/lib/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/request.js:783:12) {
    code: 'ConfigError',
    time: 2021-06-01T21:23:16.389Z
    }
    AssumeRoleCredentialPlugin cannot obtain credentials for role cdk-writeRole
    canProvideCredentails for read role: false
    canProvideCredentails for write role: false
    AssumeRoleCredentialPlugin cannot obtain credentials for role cdk-writeRole
    canProvideCredentails for read role: false
    canProvideCredentails for write role: false
    ❌ Environment aws://YYYYYYYYYYYY/us-east-1 failed bootstrapping: Error: Need to perform AWS calls for account YYYYYYYYYYYY, but the current credentials are for XXXXXXXXXXXX, and none of these plugins found any: AssumeRoleCredentialPlugin
    at SdkProvider.forEnvironment (/usr/local/lib/node_modules/aws-cdk/lib/api/aws-auth/sdk-provider.ts:154:60)
    at processTicksAndRejections (internal/process/task_queues.js:95:5)
    at Function.lookup (/usr/local/lib/node_modules/aws-cdk/lib/api/bootstrap/deploy-bootstrap.ts:30:17)
    at Bootstrapper.legacyBootstrap (/usr/local/lib/node_modules/aws-cdk/lib/api/bootstrap/bootstrap-environment.ts:60:21)
    at /usr/local/lib/node_modules/aws-cdk/lib/cdk-toolkit.ts:362:24
    at async Promise.all (index 0)
    at CdkToolkit.bootstrap (/usr/local/lib/node_modules/aws-cdk/lib/cdk-toolkit.ts:359:5)
    at initCommandLine (/usr/local/lib/node_modules/aws-cdk/bin/cdk.ts:209:9)
    ❌ Environment aws://ZZZZZZZZZZZZ/us-east-1 failed bootstrapping: Error: Need to perform AWS calls for account ZZZZZZZZZZZZ, but the current credentials are for XXXXXXXXXXXX, and none of these plugins found any: AssumeRoleCredentialPlugin
    at SdkProvider.forEnvironment (/usr/local/lib/node_modules/aws-cdk/lib/api/aws-auth/sdk-provider.ts:154:60)
    at processTicksAndRejections (internal/process/task_queues.js:95:5)
    at Function.lookup (/usr/local/lib/node_modules/aws-cdk/lib/api/bootstrap/deploy-bootstrap.ts:30:17)
    at Bootstrapper.legacyBootstrap (/usr/local/lib/node_modules/aws-cdk/lib/api/bootstrap/bootstrap-environment.ts:60:21)
    at /usr/local/lib/node_modules/aws-cdk/lib/cdk-toolkit.ts:362:24
    at async Promise.all (index 1)
    at CdkToolkit.bootstrap (/usr/local/lib/node_modules/aws-cdk/lib/cdk-toolkit.ts:359:5)
    at initCommandLine (/usr/local/lib/node_modules/aws-cdk/bin/cdk.ts:209:9)
    Need to perform AWS calls for account YYYYYYYYYYYY, but the current credentials are for XXXXXXXXXXXX, and none of these plugins found any: AssumeRoleCredentialPlugin
    Error: Need to perform AWS calls for account YYYYYYYYYYYY, but the current credentials are for XXXXXXXXXXXX, and none of these plugins found any: AssumeRoleCredentialPlugin
    at SdkProvider.forEnvironment (/usr/local/lib/node_modules/aws-cdk/lib/api/aws-auth/sdk-provider.ts:154:60)
    at processTicksAndRejections (internal/process/task_queues.js:95:5)
    at Function.lookup (/usr/local/lib/node_modules/aws-cdk/lib/api/bootstrap/deploy-bootstrap.ts:30:17)
    at Bootstrapper.legacyBootstrap (/usr/local/lib/node_modules/aws-cdk/lib/api/bootstrap/bootstrap-environment.ts:60:21)
    at /usr/local/lib/node_modules/aws-cdk/lib/cdk-toolkit.ts:362:24
    at async Promise.all (index 0)
    at CdkToolkit.bootstrap (/usr/local/lib/node_modules/aws-cdk/lib/cdk-toolkit.ts:359:5)
    at initCommandLine (/usr/local/lib/node_modules/aws-cdk/bin/cdk.ts:209:9)
    CDKToolkit: checking if we can skip deploy
    CDKToolkit: skipping deployment (use --force to override)
    ✅ Environment aws://XXXXXXXXXXXX/us-east-1 bootstrapped (no changes).
    Searching for test report files in directories named [test-results, failsafe-reports, test-reports, surefire-reports] down to a depth of 4
    Finished scanning for test reports. Found 0 test report files.
    Merged test suites, total number tests is 0, with 0 failures and 0 errors.

@mspolitaev
Copy link

@higorcoliveira had same problem: Missing region in config. Problem was looks like that plugin can't see AWS_DEFAULT_REGION env variable, when trying switch from initial credentials. So, for example, you have specified credentials for dev account by set vars: AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY and deploys are fine, even without var for region. But when cdk need deploy to prod account it use plugin to obtain role's credentials, this time error: Missing region in config happened, and even specify this var export AWS_DEFAULT_REGION=us-east-1 don't help.

But help specify region in ~/.aws/config file:

[default]
region=us-east-1
# also credentials can be specified here, not in env vars

AND, what is important, file ~/.aws/credentials should exists. It can be empty, but without him problem won't gone, at least it was in my case. Can change location of ~/.aws/config by set AWS_CONFIG_FILE env and it will still work.

@mdhornet90 mdhornet90 mentioned this issue Jun 29, 2021
Closed
@corymhall corymhall mentioned this issue Aug 13, 2021
Merged
corymhall added a commit that referenced this issue Aug 13, 2021
@corymhall
feat: load aws_default_ environment variables (#48)
6622a13 
now use the aws_default_region and aws_default_profile environment variables if aws_region and aws_profile are not set

fix #42 #31
github-actions bot pushed a commit that referenced this issue Aug 13, 2021
@semantic-release-bot
chore(release): 1.4.0 [skip ci]
7706655 
# [1.4.0](v1.3.0...v1.4.0) (2021-08-13)

### Features

* load aws_default_ environment variables ([#48](#48)) ([6622a13](6622a13)), closes [#42](#42) [#31](#31)
@github-actions
Copy link

🎉 This issue has been resolved in version 1.4.0

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
released
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: load aws_default_ environment variables corymhall/cdk-assume-role-credential-plugin
4 participants
@mrpackethead @higorcoliveira @mspolitaev @corymhall