Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

(assets): Publish command always looks for credentials in `.aws/credentials`

See original GitHub issue

Running the following command cdk-assets publish --path cdk.out/Frontend.assets.json fails on my computer because I don’t have credentials hardcoded in my .aws/credentials file.

Error: ENOENT: no such file or directory, open '/Users/<myuser>/.aws/credentials'
    at Object.openSync (fs.js:476:3)
    at Object.readFileSync (fs.js:377:35)
    at Object.readFileSync (/usr/local/lib/node_modules/cdk-assets/node_modules/aws-sdk/lib/util.js:95:26)
    at IniLoader.parseFile (/usr/local/lib/node_modules/cdk-assets/node_modules/aws-sdk/lib/shared-ini/ini-loader.js:6:47)
    at IniLoader.loadFrom (/usr/local/lib/node_modules/cdk-assets/node_modules/aws-sdk/lib/shared-ini/ini-loader.js:56:30)
    at Config.region (/usr/local/lib/node_modules/cdk-assets/node_modules/aws-sdk/lib/node_loader.js:101:36)
    at Config.set (/usr/local/lib/node_modules/cdk-assets/node_modules/aws-sdk/lib/config.js:514:39)
    at Config.<anonymous> (/usr/local/lib/node_modules/cdk-assets/node_modules/aws-sdk/lib/config.js:349:12)
    at Config.each (/usr/local/lib/node_modules/cdk-assets/node_modules/aws-sdk/lib/util.js:512:32)
    at new Config (/usr/local/lib/node_modules/cdk-assets/node_modules/aws-sdk/lib/config.js:348:19) {
  errno: -2,
  syscall: 'open',
  code: 'ENOENT',
  path: '/Users/<myuser>/.aws/credentials'
}

Reproduction Steps

Run cdk-assets publish without having credentials in .aws/credentials.

What did you expect to happen?

I expect cdk-assets to let the aws-sdk use the DefaultCredentialsProvider so that my credentials can be picked up from the environment variables. I don’t want to have harcoded credentials in my .aws/credentials file.

What actually happened?

cdk-assets fails to find credentials.

Environment

CDK CLI Version : cdk-assets 1.86.0
Framework Version:
Node.js Version: v14.14.0
OS : macOS Catalina
Language (Version): Typescript 3.8

This is 🐛 Bug Report

Issue Analytics

State:
Created 3 years ago
Reactions:3
Comments:10 (2 by maintainers)

Top GitHub Comments

2reactions

zMeadzcommented, Sep 8, 2022

For others that run into Pipeline (or remote) cdk-asset publishing / auth issues:

As referenced in packages/aws-cdk/lib/api/aws-auth/sdk.ts, makeDetailedException, the error Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1 is generic.

I ran into the same error, but my pipeline did not have permissions to assume the roles responsible for publishing. The fix was the following:

import { PipelineProject } from '@aws-cdk/aws-codebuild';
import { EnvironmentPlaceholders } from '@aws-cdk/cx-api';
import { DefaultStackSynthesizer } from '@aws-cdk/core';
import { Effect, PolicyStatement } from '@aws-cdk/aws-iam';

const assetsPipelineProject: PipelineProject;
...

let fileAssetRole = DefaultStackSynthesizer.DEFAULT_FILE_ASSET_PUBLISHING_ROLE_ARN
    .replace('${Qualifier}', DefaultStackSynthesizer.DEFAULT_QUALIFIER);

fileAssetRole = EnvironmentPlaceholders.replace(fileAssetRole, {
    accountId: <awsAccount>,
    region: <awsRegion>,
    partition: Aws.PARTITION,
});

assetsPipelineProject.addToRolePolicy(
  new PolicyStatement({
    effect: Effect.ALLOW,
    actions: ['sts:AssumeRole'],
    resources: [fileAssetRole],
  })

If you are publishing docker images, then create a role using DefaultStackSynthesizer.DEFAULT_IMAGE_ASSET_PUBLISHING_ROLE_ARN and add it to the policy’s resources.

2reactions

eladbcommented, Feb 15, 2021

I don’t see a problem with enabling this in cdk-asset, assigning to @rix0rrr for more feedback. I think we will happily accept a contribution.