Can't use CDK to deploy to govcloud #1109
Comments
Can you post a trace captured with |
@rix0rrr Sorry for the delay... I have run the trace here:
CDK toolkit version: 0.19.0 (build 2625a05)
Command line arguments: { _: [ 'deploy' ],
trace: false,
strict: false,
'ignore-errors': false,
ignoreErrors: false,
json: false,
j: false,
verbose: true,
v: true,
ec2creds: undefined,
i: undefined,
'version-reporting': undefined,
versionReporting: undefined,
'path-metadata': true,
pathMetadata: true,
version: false,
help: false,
h: false,
'role-arn': undefined,
r: undefined,
roleArn: undefined,
'$0': 'cdk',
app: undefined,
context: undefined,
plugin: undefined,
rename: undefined,
profile: undefined,
proxy: undefined,
'toolkit-stack-name': undefined,
STACKS: [] }
Determining whether we're on an EC2 instance.
Does not look like EC2 instance.
cdk.json: {
"app": "node -r dotenv/config cloudformation.js"
}
Setting "aws:cdk:toolkit:default-region" context to us-gov-west-1
Resolving default credentials
Looking up default account ID from STS
Unable to determine the default AWS account (did you configure "aws configure"?): { InvalidClientTokenId: The security token included in the request is invalid.
at Request.extractError (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/protocol/query.js:50:29)
at Request.callListeners (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
at Request.emit (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
at Request.emit (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:683:14)
at Request.transition (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:685:12)
at Request.callListeners (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/sequential_executor.js:116:18)
message: 'The security token included in the request is invalid.',
code: 'InvalidClientTokenId',
time: 2018-12-31T16:59:18.579Z,
requestId: '696ec36c-0d1d-11e9-8b5d-799bf40a45a1',
statusCode: 403,
retryable: false,
retryDelay: 88.73410655454008 }
Setting "aws:cdk:toolkit:default-account" context to undefined
context: { 'aws:cdk:toolkit:default-region': 'us-gov-west-1',
'aws:cdk:toolkit:default-account': undefined,
'aws:cdk:enable-path-metadata': true }
outdir: /var/folders/by/fdfp2zzj3rz9kqp819l6kpvm0000gn/T/cdkNvZgxs
outfile: /var/folders/by/fdfp2zzj3rz9kqp819l6kpvm0000gn/T/cdkNvZgxs/cdk.out
{ version: '0.19.0',
stacks:
[ { name: 'MyStack',
environment: [Object],
template: [Object],
metadata: [Object] } ],
runtime:
{ libraries:
{ dotenv: '6.1.0',
myLibrary: '1.0.0',
'@aws-cdk/cdk': '0.19.0',
'@aws-cdk/cx-api': '0.19.0',
'@aws-cdk/assets-docker': '0.19.0',
'@aws-cdk/aws-cloudformation': '0.19.0',
'@aws-cdk/aws-codepipeline-api': '0.19.0',
'@aws-cdk/aws-events': '0.19.0',
'@aws-cdk/aws-iam': '0.19.0',
'@aws-cdk/aws-ecr': '0.19.0',
'@aws-cdk/aws-lambda': '0.19.0',
'@aws-cdk/aws-cloudwatch': '0.19.0',
'@aws-cdk/aws-ec2': '0.19.0',
'@aws-cdk/aws-s3-notifications': '0.19.0',
'@aws-cdk/aws-sqs': '0.19.0',
'@aws-cdk/aws-kms': '0.19.0',
'@aws-cdk/assets': '0.19.0',
'@aws-cdk/aws-s3': '0.19.0' } } }
Removing outdir /var/folders/by/fdfp2zzj3rz9kqp819l6kpvm0000gn/T/cdkNvZgxs
Stack name not specified, so defaulting to all available stacks: MyStack
Need to perform AWS calls for account unknown-account, but no credentials found. Tried: default credentials.
Error: Need to perform AWS calls for account unknown-account, but no credentials found. Tried: default credentials.
at CredentialsCache.getCredentials (/usr/local/lib/node_modules/aws-cdk/lib/api/util/sdk.ts:191:11)
at <anonymous> |
Hi @sentient-kshaffer, thanks for getting back to us. Can you try again with version 0.20.0 or higher? It has this fix which I hope should fix this issue. |
I'm having a similar issue here (0.22.0 (build 644ebf5)). As a note, I can run stuff like Amplify without any issues. This fails with "Need to perform AWS calls for account unknown-account, but no credentials found. Tried: default credentials." error. |
Can you please run the command again with |
Having the same issue here, I've tried
|
I had a similar issue and it seems that the problem was corrupted |
Creating a new service user in the sub account I'm targeting with CDK and then using their credentials in the I'd expect to not have to generate service user credentials for each sub account in my config in order to use CDK. |
This is an interesting error: From the stack trace I can tell this is happening somewhere in the AWS SDK for JavaScript during the loading of your For future reference to other people in this thread, I've made a topic that clearly spells out where the CDK's authentication mechanisms are incompatible with the AWS CLI: |
@mikeder https://github.com/aws/aws-sdk-js/blob/master/lib/shared-ini/ini-loader.js#L11 To me this seems like it would happen if you have |
Ah, @rix0rrr you're right. I just took a look at my original Thanks for reference on the auth mechanisms too 👍 |
I am having this problem WITHOUT a
error:
|
@tunagami have you looked at this issue: #1656 ? I would imagine it has something to do with the |
When running cdk deploy from my command line when my AWS_PROFILE is set to my govcloud credentials. I get an error: "Need to perform AWS calls for account unknown-account, but no credentials found. Tried: default credentials." When I switch to a profile that is for a non-gov region, then it works just fine.
I have Administrator permissions in both accounts right now.