Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TimeoutError: read ECONNRESET since CDK CLI >= 2.167.0 #32208

Closed
1 task done
pertunia011 opened this issue Nov 20, 2024 · 7 comments · Fixed by #32213
Closed
1 task done

TimeoutError: read ECONNRESET since CDK CLI >= 2.167.0 #32208

pertunia011 opened this issue Nov 20, 2024 · 7 comments · Fixed by #32213
Assignees
@otaviomacedo
Labels
bug This issue is a bug. effort/medium Medium work item – several days of effort p0 package/tools Related to AWS CDK Tools or CLI potential-regression Marking this issue as a potential regression to be checked by team member

Comments

@pertunia011
Copy link

Describe the bug

CDK commands that access an actual AWS account (e.g. diff, deploy) fails after updating CDK CLI to a version between 2.167.0 and 2.167.2 (the current latest). The commands fails even when running against a pre-synthed cdk.out directory, and so CDK library version should not matter.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

2.166.0

Expected Behavior

CDK command succeeds and returns the expected output.

Current Behavior

CDK command fails with the following error:

Need to perform AWS calls for account 12345678910, but no credentials have been configured

Reproduction Steps

Given an arbitrary CDK app,

cdk synth # succeeds, and so programming language / CDK library version should not matter
cdk --profile [PROFILE_NAME] --debug -v diff --no-change-set -a cdk.out [STAGE NAME]/*

Note that this reproduction was done inside a corporate environment, where a HTTP proxy server is used with TLS MITM.

AWS_CA_BUNDLE=[PATH_TO_INTERNAL_CA_CERTIFICATE_FILE]
AWS_DEFAULT_REGION=ap-northeast-1
AWS_DEFAULT_SSO_REGION=ap-northeast-1
AWS_DEFAULT_SSO_START_URL=https://[...].awsapps.com/start
HTTPS_PROXY=http://[PROXY SERVER DOMAIN]
HTTP_PROXY=http://[PROXY SERVER DOMAIN]
NO_PROXY=127.0.0.1,localhost,.local,.internal,[...]

Here is an example of the AWS profile I personally use:

[default]
sso_session = sec
sso_role_name = [ROLE_NAME]
region = ap-northeast-1
output = json

[sso-session sec]
sso_start_url = https://[...].awsapps.com/start
sso_region = ap-northeast-1
sso_registration_scopes = sso:account:access

[profile PROFILE_NAME]
sso_session = sec
sso_account_id = 12345678910
sso_role_name = [ROLE_NAME]

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.167.2

Framework Version

No response

Node.js Version

v22.6.0

OS

Ubuntu 22.04.4 LTS

Language

Python

Language Version

No response

Other information

No response
@pertunia011 pertunia011 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 20, 2024
@github-actions github-actions bot added package/tools Related to AWS CDK Tools or CLI potential-regression Marking this issue as a potential regression to be checked by team member labels Nov 20, 2024
@otaviomacedo
Copy link
Contributor

@pertunia011 Can you please post the output of cdk -vvv diff ...?

@rix0rrr
Copy link
Contributor

rix0rrr commented Nov 20, 2024
edited
Loading

I cannot reproduce this.

With the following config:

[default]
sso_session = sec  # This should be unnecessary
sso_role_name = AdministratorAccess  # This should be unnecessary
region = eu-west-1

[sso-session sec]
sso_start_url = https://d-XXXXXXX.awsapps.com/start
sso_region = eu-west-1
sso_registration_scopes = sso:account:access

[profile customer-sso]
sso_session = sec
sso_account_id = XXXXXXXXXX
sso_role_name = AdministratorAccess

And the following commands:

$ aws --profile customer-sso sso login
$ cdk deploy --profile customer-sso -vv

It works for me. I did get the error you posted before I ran aws sso login, but then running:

$ aws sts --profile customer-sso get-caller-identity

Told me what was wrong.

More details about your config files, the commands you and, and verbose logging output would help.

(FWIW I also tried cdk diff --profile customer-sso -vv and that also worked)

@rix0rrr rix0rrr changed the title CDK CLI >= 2.167.0 starts failing on cdk diff CDK CLI >= 2.167.0 fails SSO login on cdk diff Nov 20, 2024
@rix0rrr
Copy link
Contributor

rix0rrr commented Nov 20, 2024
edited
Loading

I see a bit of duplication of configuration. I wonder if that's confusing anything anywhere. Can you try again with some of these removed and let us know if that makes a difference?

AWS_DEFAULT_REGION=ap-northeast-1       # ⬅️ Unnecessary, value is in the config file
AWS_DEFAULT_SSO_REGION=ap-northeast-1   # ⬅️ Unnecessary, value is in the sso-session
AWS_DEFAULT_SSO_START_URL=https://[...].awsapps.com/start   # ⬅️ Unnecessary, value is in the sso-session

[default]
sso_session = sec      # ⬅️ Unnecessary, value is in the sso-session
sso_role_name = [ROLE_NAME]   # ⬅️ Unnecessary, value is in the sso-session
region = ap-northeast-1 
output = json

[sso-session sec]
sso_start_url = https://[...].http://awsapps.com/start
sso_region = ap-northeast-1
sso_registration_scopes = sso:account:access

[profile PROFILE_NAME]
sso_session = sec
sso_account_id = 12345678910
sso_role_name = [ROLE_NAME]

@rix0rrr
Copy link
Contributor

rix0rrr commented Nov 20, 2024

I have obtained the log file from another source. The error tells me:

[16:48:38] Unable to determine the default AWS account (CredentialsProviderError): TimeoutError: read ECONNRESET

@rix0rrr rix0rrr changed the title CDK CLI >= 2.167.0 fails SSO login on cdk diff TimeoutError: read ECONNRESET since CDK CLI >= 2.167.0 Nov 20, 2024
@rix0rrr
Copy link
Contributor

rix0rrr commented Nov 20, 2024

It looks like proxy support is broken

@otaviomacedo otaviomacedo self-assigned this Nov 20, 2024
@pahud pahud added p1 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Nov 20, 2024
@iliapolo iliapolo mentioned this issue Nov 20, 2024
Merged
1 task
@iliapolo iliapolo added p0 and removed p1 labels Nov 20, 2024
@github-actions GitHub Actions
Copy link

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

1 similar comment
@github-actions GitHub Actions
Copy link

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 20, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@otaviomacedo otaviomacedo

Labels
bug This issue is a bug. effort/medium Medium work item – several days of effort p0 package/tools Related to AWS CDK Tools or CLI potential-regression Marking this issue as a potential regression to be checked by team member
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(cli): proxy is not configured correctly aws/aws-cdk
5 participants
@pahud @otaviomacedo @rix0rrr @iliapolo @pertunia011