This repository has been archived by the owner on Dec 7, 2021. It is now read-only.

error assuming role Error [ConfigError]: Missing region in config #42

Closed
mdhornet90 opened this issue Jun 29, 2021 · 2 comments · Fixed by #48

mdhornet90 commented Jun 29, 2021

I'm having an issue using this plugin in GitLab CI that corresponds to this stack trace:

```
AssumeRoleCredentialPlugin found value for readIamRole CDKAdminAccess. checking if we can obtain credentials
error assuming role Error [ConfigError]: Missing region in config
    at Request.optInRegionalEndpoint (/builds/foo/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/services/sts.js:75:30)
    at Request.callListeners (/builds/foo/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/builds/foo/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/builds/foo/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/request.js:688:14)
    at Request.transition (/builds/foo/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/builds/foo/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at Request.runTo (/builds/foo/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/request.js:408:15)
    at /builds/foo/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/request.js:797:12
    at new Promise (<anonymous>)
    at Request.promise (/builds/foo/node_modules/cdk-assume-role-credential-plugin/node_modules/aws-sdk/lib/request.js:783:12) {
  code: 'ConfigError',
  time: 2021-06-29T00:38:56.510Z
}
```

The error appears to correspond with the following function in https://github.com/aws-samples/cdk-assume-role-credential-plugin/blob/main/lib/assume-role-source.ts:

```ts
/**
 * Try to assume the specified role and return the credentials or undefined
 */
private async tryAssumeRole(roleArn: string, accountId: string): Promise<AWS.STS.Credentials | undefined> {

  const region = this.config && this.config.settings && this.config.settings.get(["context"]).region;

  region && AWS.config.update({ region });

  const sts = new AWS.STS({
    credentials: await this.defaultCredentials(),
    ...(region && { region }),
  });

  let response: AWS.STS.Credentials | undefined;
  try {
    const resp = await sts.assumeRole({
      RoleArn: roleArn,
      RoleSessionName: `${accountId}-session`
    }).promise();
    response = resp.Credentials;
  } catch (e) {
    logging.debug('error assuming role %s', e)
    return undefined
  }
  return response
}
```

This always works locally for me using yarn cdk diff and the appropriate AWS_ACCESS_KEY_ID + secret combo. I was hoping that this response would solve the issue but no luck. Any idea what's going on? Why does this plugin, when running in a CI environment rather than on my local machine, always fail to find a region?

@cailyncodes

I found this helpful to solving the core issue: aws/aws-sdk-js#2929

I think the error was coming from the aws-sdk-js package here:

```js
optInRegionalEndpoint: function optInRegionalEndpoint(req) {
  var service = req.service;
  var config = service.config;
  config.stsRegionalEndpoints = resolveRegionalEndpointsFlag(service._originalConfig, {
    env: ENV_REGIONAL_ENDPOINT_ENABLED,
    sharedConfig: CONFIG_REGIONAL_ENDPOINT_ENABLED,
    clientConfig: 'stsRegionalEndpoints'
  });
  if (
    config.stsRegionalEndpoints === 'regional' &&
    service.isGlobalEndpoint
  ) {
    //client will throw if region is not supplied; request will be signed with specified region
    if (!config.region) {
      throw AWS.util.error(new Error(),
        {code: 'ConfigError', message: 'Missing region in config'});
    }
    var insertPoint = config.endpoint.indexOf('.amazonaws.com');
    var regionalEndpoint = config.endpoint.substring(0, insertPoint) +
      '.' + config.region + config.endpoint.substring(insertPoint);
    req.httpRequest.updateEndpoint(regionalEndpoint);
    req.httpRequest.region = config.region;
  }
}
```

Investigating that repo's issues list, I came across the above. It also linked out to https://github.com/aws/aws-sdk-go/search?q=AWS_DEFAULT_REGION&unscoped_q=AWS_DEFAULT_REGION which adds a comment about AWS_DEFAULT_REGION behavior.

The fix for me was to set AWS_REGION in the CI pipeline. (I would likewise guess that setting AWS_SDK_LOAD_CONFIG=true would work)

corymhall added a commit to corymhall/cdk-assume-role-credential-plugin that referenced this issue Aug 13, 2021
now use the aws_default_region and aws_default_profile environment variables if aws_region and
aws_profile are not set

fix aws-samples#42
corymhall added a commit that referenced this issue Aug 13, 2021
now use the aws_default_region and aws_default_profile environment variables if aws_region and aws_profile are not set

fix #42 #31
github-actions bot pushed a commit that referenced this issue Aug 13, 2021
# [1.4.0](v1.3.0...v1.4.0) (2021-08-13)

### Features

* load aws_default_ environment variables ([#48](#48)) ([6622a13](6622a13)), closes [#42](#42) [#31](#31)
@github-actions

🎉 This issue has been resolved in version 1.4.0
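An added example, not code from this thread, the plugin or aws-sdk-js: a dependency-free preflight a CI job could run before `cdk diff`, so a missing region fails the job loudly instead of surfacing only in the plugin's debug log. It models just the `regional` branch of the SDK excerpt above; the precedence order, the `contextRegion` parameter and the assumption that the client starts on the global endpoint are mine, and the env objects are constructed samples.

```javascript
// Added example. AWS_REGION, AWS_DEFAULT_REGION and AWS_STS_REGIONAL_ENDPOINTS
// are real SDK environment variables; everything else here is hypothetical.
const GLOBAL_STS_ENDPOINT = 'https://sts.amazonaws.com';

// AWS_REGION first, then the AWS_DEFAULT_REGION fallback described in the
// 1.4.0 commit message, then a CDK context region (assumed last resort).
function resolveRegion(env, contextRegion) {
  const candidates = [env.AWS_REGION, env.AWS_DEFAULT_REGION, contextRegion];
  const region = candidates.find((r) => typeof r === 'string' && r.trim() !== '');
  return region ? region.trim() : undefined;
}

// Same string handling as optInRegionalEndpoint: insert ".<region>"
// in front of ".amazonaws.com".
function regionalStsEndpoint(endpoint, region) {
  const insertPoint = endpoint.indexOf('.amazonaws.com');
  if (insertPoint === -1) {
    throw new Error(`not an amazonaws.com endpoint: ${endpoint}`);
  }
  return endpoint.substring(0, insertPoint) + '.' + region +
    endpoint.substring(insertPoint);
}

// Returns the region and endpoint an STS call would be signed for, or throws
// the same ConfigError the SDK raises, before any role assumption is attempted.
function stsPreflight(env, contextRegion) {
  const region = resolveRegion(env, contextRegion);
  const mode = (env.AWS_STS_REGIONAL_ENDPOINTS || 'legacy').toLowerCase();
  if (mode !== 'regional') {
    // The excerpt leaves the endpoint untouched outside 'regional' mode.
    return { mode, region, endpoint: GLOBAL_STS_ENDPOINT };
  }
  if (!region) {
    const err = new Error('Missing region in config');
    err.code = 'ConfigError';
    throw err;
  }
  return { mode, region, endpoint: regionalStsEndpoint(GLOBAL_STS_ENDPOINT, region) };
}

// Constructed CI environments: a bare runner, and one with the fallback set.
const bareRunner = { AWS_STS_REGIONAL_ENDPOINTS: 'regional' };
const fixedRunner = { ...bareRunner, AWS_DEFAULT_REGION: 'eu-west-1' };
try {
  console.log(stsPreflight(fixedRunner));
  stsPreflight(bareRunner);
} catch (e) {
  console.error(`preflight failed: [${e.code}] ${e.message}`);
}
```

In a pipeline, let the thrown error exit the job non-zero rather than catching it as the demo lines do.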
