-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
(cli): (cdk fails with "Profile <profile name> did not include credential process) #25870
Comments
Thanks for reporting.
|
Thanks for the quick reply.
This is, what we expected, as setting env variable AWS_PROFILE or using --profile should return the identical response.
bin-File: #!/usr/bin/env node
import 'source-map-support/register';
import * as cdk from 'aws-cdk-lib';
import { CdkStack } from '../lib/cdk-stack';
const app = new cdk.App();
new CdkStack(app, 'CdkStack', {
env: { account: "<AccountB>",region: "eu-central-1" }
}); lib-File: import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
export class CdkStack extends cdk.Stack {
constructor(scope: Construct, id: string, props?: cdk.StackProps) {
super(scope, id, props);
const vpc = cdk.aws_ec2.Vpc.fromLookup(this, "MyVPC", {
vpcName: "MyVpcName"
});
new cdk.aws_ec2.SecurityGroup(this, "MyNewSecurityGroup", {
vpc,
description: "This will secure my resources"
});
}
} Kind Regards, |
Any news on this issue? |
This issue has received a significant amount of attention so we are automatically upgrading its priority. A member of the community will see the re-prioritization and provide an update on the issue. |
I am facing a similar issue. An update would be greatly appreciated. |
Whats going on with this issue? We are facing the same issue but sounds like a common workflow! |
Is this a recent thing? I just now saw this. CDK worked totally fine then suddenly it's now failing with this error and in the verbose log I see UPDATE: I managed to fix this by updating the awscliv2 to the latest version, doing |
Updating: this seems to have something to do with timing. This happens if the session expires. Once it does, CDK will break and no amount of logging out and back in will help. Only waiting seems to do the trick. I have also tried clearing context, but still nothing. After waiting for hours, and then logging out and back in the problem goes away until the next day, but that is hardly a "solution". Is anyone looking into this? |
I think the problem is in
command
So I ended up assuming role and setting AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN environment variables with command export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s"
$(aws sts assume-role-with-web-identity
--role-arn ${ROLE_ARN}
--role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}"
--web-identity-token ${GITLAB_OIDC_TOKEN}
--duration-seconds 3600
--query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'
--output text)) |
I'm pretty sure the issue here is that our current credential chain does not support We are currently in the process of upgrading from sdkv2 to sdkv3, at which point |
Comments on closed issues and PRs are hard for our team to see. |
1 similar comment
Comments on closed issues and PRs are hard for our team to see. |
This PR updates the CDK CLI to use the AWS SDK V3 instead of V2. ### Manual Test Cases for Authorization All tests were run verbosely so that I could manually check the credentials being used from the CLI output. - [x] No credentials setup and no default profile fails as expected (established to ensure nothing was unintentionally setup) - [x] Explicitly provided profile sourced from config file, tested with both `--profile` and `AWS_PROFILE` - [x] `aws_access_key_id` and `aws_secret_access_key` - [x] `aws_access_key_id` and `aws_secret_access_key` and `region` - [x] `source_profile` and `role_arn` that points to another profile with `aws_access_key_id` and `aws_secret_access_key` in both config and credentials - [x] `source_profile` and `role_arn` that points to Environment - [x] `source_profile` that and `role_arn` that points to SSO profile in both config and credentials - [x] SSO both using all fields in `[profile]` and split between `[sso-session]` and `[profile]` - [x] `credential_source` is Environment - [x] `credential_process` - [x] Explicitly provided profile sourced from credentials file - [x] `aws_access_key_id` and `aws_secret_access_key` - [x] `aws_access_key_id` and `aws_secret_access_key` and `region` - [x] `source_profile` and `role_arn` that points to another profile with `aws_access_key_id` and `aws_secret_access_key` in both config and credentials - [x] `source_profile` and `role_arn` that points to Environment - [x] `source_profile` that and `role_arn` that points to SSO profile in both config and credentials - [x] `credential_source` is Environment - [x] `credential_source` is EcsContainer (integ tests in CodeBuild) - [x] `credential_process` - [x] Default profile (in both config file and credentials file) - [x] `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables set (cleared after test) - [x] `AMAZON_ACCESS_KEY_ID` and `AMAZON_SECRET_ACCESS_KEY` environment variables set (cleared after test) - [x] `aws_access_key_id` and `aws_secret_access_key` - [x] `aws_access_key_id` and `aws_secret_access_key` and `region` - [x] `source_profile` and `role_arn` that points to a profile with `aws_access_key_id` and `aws_secret_access_key` - [x] `source_profile` and `role_arn` that points to Environment (this will use `fromEnv` prior to getting to looking for `source_profile` in the Ini file) - [x] SSO profile is setup as default - [x] `credential_process` Closes #25870, #26292, #20956, #24744, #27265, 20896. ### Reason for this change The AWS SDK V2 is now in maintenance mode. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --------- Co-authored-by: Otavio Macedo <288203+otaviomacedo@users.noreply.github.com> Co-authored-by: Rico Huijbers <rix0rrr@gmail.com> (cherry picked from commit 5bc0662)
Describe the bug
We want to use the CDK CLI with Gitlab Runner, which is running on EKS in Account A. cdk deploy is executed for Account B (Cross-Account Deployment).
CLI Command fails with:
We are using IRSA (IAM Role for Service Accounts), further called Role A, for the Gitlab Runner in Account A.
In Account B there is an IAM Role (Role B), which can be assumed by Role A. RoleB can assume all cdk-provisioned IAM Roles in that Account (created by cdk bootstrap).
Profile file (stored in /configmaps/awsconfig):
We have set environment variables AWS_PROFILE and AWS_CONFIG_FILE:
AWS CLI is working fine with above profile file and the environment variables:
Assuming the cdk-lookup Role from RoleB with AWS CLI works fine.
By the way: cdk also seems not to respect AWS_PROFILE environment variable as it is using the default role (it could be, that the session token by IRSA is used), when NOT using --profile.
Expected Behavior
We expect that AWS CDK CLI is acting identically to AWS CLI when using AWS profiles for Cross-Account Deployments. Environment Variable AWS_PROFILE should be respected.
Current Behavior
The CDK CLI fails that the cdk-Lookup-Role cannot be assumed, because "Profile did not include credential process". When you don't specify --profile, then default-Profile (or session token created by OIDC Provider of IAM) is used.
Reproduction Steps
You need to run a pod in EKS:
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.78.0
Framework Version
2.78.0
Node.js Version
v18.16.0
OS
node:18-alpine
Language
Typescript
Language Version
3.9.7
Other information
No response
The text was updated successfully, but these errors were encountered: