
aws-cdk: assumed roles using source_profile from SSO sources cannot get credentials

Describe the bug

When trying to acquire credentials using an assumed role whose source_profile is an SSO profile, I receive the following error

[Error at /CdkStack] Need to perform AWS calls for account 123456789012, but no credentials have been configured

Expected Behavior

Credentials to be loaded correctly, and ProcessCredentialsProviderFailure not to be called. ProcessCredentialsProvider should not be used in this case.

Current Behavior

Trace logs:

[2022-04-13 17:52:58] user@PC MSYS /c/Dev/ws/CDKTestProject/cdk
$ npx cdk synth -v --profile my-assumed-sso-role
CDK toolkit version: 2.20.0 (build 738ef49)
Command line arguments: {
  _: [ 'synth' ],
  v: 1,
  verbose: 1,
  profile: 'my-assumed-sso-role',
  lookups: true,
  'ignore-errors': false,
  ignoreErrors: false,
  json: false,
  j: false,
  debug: false,
  ec2creds: undefined,
  i: undefined,
  'version-reporting': undefined,
  versionReporting: undefined,
  'path-metadata': true,
  pathMetadata: true,
  'asset-metadata': true,
  assetMetadata: true,
  'role-arn': undefined,
  r: undefined,
  roleArn: undefined,
  staging: true,
  'no-color': false,
  noColor: false,
  validation: true,
  quiet: false,
  q: false,
  '$0': 'node_modules\\aws-cdk\\bin\\cdk'
}
cdk.json: {
  "app": "npx ts-node --prefer-ts-exts bin/app.ts",
  "watch": {
    "include": [
      "**"
    ],
    "exclude": [
      "README.md",
      "cdk*.json",
      "**/*.d.ts",
      "**/*.js",
      "tsconfig.json",
      "package*.json",
      "yarn.lock",
      "node_modules",
      "test"
    ]
  },
  "context": {
    "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": true,
    "@aws-cdk/core:stackRelativeExports": true,
    "@aws-cdk/aws-rds:lowercaseDbIdentifier": true,
    "@aws-cdk/aws-lambda:recognizeVersionProps": true,
    "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": true,
    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
    "@aws-cdk/core:target-partitions": [
      "aws",
      "aws-cn"
    ]
  }
}
merged settings: {
  versionReporting: true,
  pathMetadata: true,
  output: 'cdk.out',
  app: 'npx ts-node --prefer-ts-exts bin/app.ts',
  watch: {
    include: [ '**' ],
    exclude: [
      'README.md',
      'cdk*.json',
      '**/*.d.ts',
      '**/*.js',
      'tsconfig.json',
      'package*.json',
      'yarn.lock',
      'node_modules',
      'test'
    ]
  },
  context: {
    '@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId': true,
    '@aws-cdk/core:stackRelativeExports': true,
    '@aws-cdk/aws-rds:lowercaseDbIdentifier': true,
    '@aws-cdk/aws-lambda:recognizeVersionProps': true,
    '@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021': true,
    '@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver': true,
    '@aws-cdk/aws-ec2:uniqueImdsv2TemplateName': true,
    '@aws-cdk/core:target-partitions': [ 'aws', 'aws-cn' ]
  },
  debug: false,
  assetMetadata: true,
  profile: 'my-assumed-sso-role',
  toolkitBucket: {},
  staging: true,
  bundlingStacks: [ '*' ],
  lookups: true
}
Toolkit stack: CDKToolkit
Setting "CDK_DEFAULT_REGION" environment variable to ap-southeast-2
Resolving default credentials
Unable to determine the default AWS account: ProcessCredentialsProviderFailure: Profile my-assumed-sso-role did not include credential process
    at ProcessCredentials2.load (C:\Dev\ws\CDKTestProject\cdk\node_modules\aws-sdk\lib\credentials\process_credentials.js:102:11)
    at ProcessCredentials2.coalesceRefresh (C:\Dev\ws\CDKTestProject\cdk\node_modules\aws-sdk\lib\credentials.js:205:12)
    at ProcessCredentials2.refresh (C:\Dev\ws\CDKTestProject\cdk\node_modules\aws-sdk\lib\credentials\process_credentials.js:163:10)
    at ProcessCredentials2.get2 [as get] (C:\Dev\ws\CDKTestProject\cdk\node_modules\aws-sdk\lib\credentials.js:122:12)
    at resolveNext2 (C:\Dev\ws\CDKTestProject\cdk\node_modules\aws-sdk\lib\credentials\credential_provider_chain.js:125:17)
    at C:\Dev\ws\CDKTestProject\cdk\node_modules\aws-sdk\lib\credentials\credential_provider_chain.js:126:13
    at C:\Dev\ws\CDKTestProject\cdk\node_modules\aws-sdk\lib\credentials.js:124:23
    at C:\Dev\ws\CDKTestProject\cdk\node_modules\aws-sdk\lib\credentials.js:212:15
    at processTicksAndRejections (node:internal/process/task_queues:78:11) {
  code: 'ProcessCredentialsProviderFailure',
  time: 2022-04-13T09:53:07.307Z
}
context: {
  '@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId': true,
  '@aws-cdk/core:stackRelativeExports': true,
  '@aws-cdk/aws-rds:lowercaseDbIdentifier': true,
  '@aws-cdk/aws-lambda:recognizeVersionProps': true,
  '@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021': true,
  '@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver': true,
  '@aws-cdk/aws-ec2:uniqueImdsv2TemplateName': true,
  '@aws-cdk/core:target-partitions': [ 'aws', 'aws-cn' ],
  'aws:cdk:enable-path-metadata': true,
  'aws:cdk:enable-asset-metadata': true,
  'aws:cdk:version-reporting': true,
  'aws:cdk:bundling-stacks': [ '*' ]
}
outdir: cdk.out
env: {
  CDK_DEFAULT_REGION: 'ap-southeast-2',
  CDK_CONTEXT_JSON: '{"@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId":true,"@aws-cdk/core:stackRelativeExports":true,"@aws-cdk/aws-rds:lowercaseDbIdentifier":true,"@aws-cdk/aws-lambda:recognizeVersionProps":true,"@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021":true,"@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver":true,"@aws-cdk/aws-ec2:uniqueImdsv2TemplateName":true,"@aws-cdk/core:target-partitions":["aws","aws-cn"],"aws:cdk:enable-path-metadata":true,"aws:cdk:enable-asset-metadata":true,"aws:cdk:version-reporting":true,"aws:cdk:bundling-stacks":["*"]}',
  CDK_OUTDIR: 'cdk.out',
  CDK_CLI_ASM_VERSION: '17.0.0',
  CDK_CLI_VERSION: '2.20.0'
}
Notices refreshed
Some context information is missing. Fetching...
Setting "vpc-provider:account=123456789012:filter.vpc-id=vpc-00000000000000000:region=ap-southeast-2:returnAsymmetricSubnets=true" context to {"$providerError":"Need to perform AWS calls for account 123456789012, but no credentials have been configured","$dontSaveContext":true}
Setting "CDK_DEFAULT_REGION" environment variable to ap-southeast-2
context: {
  'vpc-provider:account=123456789012:filter.vpc-id=vpc-00000000000000000:region=ap-southeast-2:returnAsymmetricSubnets=true': {
    '$providerError': 'Need to perform AWS calls for account 123456789012, but no credentials have been configured',
    '$dontSaveContext': true
  },
  '@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId': true,
  '@aws-cdk/core:stackRelativeExports': true,
  '@aws-cdk/aws-rds:lowercaseDbIdentifier': true,
  '@aws-cdk/aws-lambda:recognizeVersionProps': true,
  '@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021': true,
  '@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver': true,
  '@aws-cdk/aws-ec2:uniqueImdsv2TemplateName': true,
  '@aws-cdk/core:target-partitions': [ 'aws', 'aws-cn' ],
  'aws:cdk:enable-path-metadata': true,
  'aws:cdk:enable-asset-metadata': true,
  'aws:cdk:version-reporting': true,
  'aws:cdk:bundling-stacks': [ '*' ]
}
outdir: cdk.out
env: {
  CDK_DEFAULT_REGION: 'ap-southeast-2',
  CDK_CONTEXT_JSON: '{"vpc-provider:account=123456789012:filter.vpc-id=vpc-00000000000000000:region=ap-southeast-2:returnAsymmetricSubnets=true":{"$providerError":"Need to perform AWS calls for account 123456789012, but no credentials have been configured","$dontSaveContext":true},"@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId":true,"@aws-cdk/core:stackRelativeExports":true,"@aws-cdk/aws-rds:lowercaseDbIdentifier":true,"@aws-cdk/aws-lambda:recognizeVersionProps":true,"@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021":true,"@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver":true,"@aws-cdk/aws-ec2:uniqueImdsv2TemplateName":true,"@aws-cdk/core:target-partitions":["aws","aws-cn"],"aws:cdk:enable-path-metadata":true,"aws:cdk:enable-asset-metadata":true,"aws:cdk:version-reporting":true,"aws:cdk:bundling-stacks":["*"]}',
  CDK_OUTDIR: 'cdk.out',
  CDK_CLI_ASM_VERSION: '17.0.0',
  CDK_CLI_VERSION: '2.20.0'
}
Not making progress trying to resolve environmental context. Giving up.
[Error at /CdkStack] Need to perform AWS calls for account 123456789012, but no credentials have been configured
  Annotations.addMessage (C:\Dev\ws\CDKTestProject\cdk\node_modules\aws-cdk-lib\core\lib\annotations.ts:99:25)
  Annotations.addError (C:\Dev\ws\CDKTestProject\cdk\node_modules\aws-cdk-lib\core\lib\annotations.ts:58:10)
  Function.getValue (C:\Dev\ws\CDKTestProject\cdk\node_modules\aws-cdk-lib\core\lib\context-provider.ts:111:31)
  Function.fromLookup (C:\Dev\ws\CDKTestProject\cdk\node_modules\aws-cdk-lib\aws-ec2\lib\vpc.ts:1161:66)
  new CdkStack (C:\Dev\ws\CDKTestProject\cdk\lib\cdk-stack.ts:20:33)
  Object.<anonymous> (C:\Dev\ws\CDKTestProject\cdk\bin\app.ts:8:1)
  Module._compile (node:internal/modules/cjs/loader:1103:14)
  Module.m._compile (C:\Dev\ws\CDKTestProject\cdk\node_modules\ts-node\src\index.ts:1056:23)
  Module._extensions..js (node:internal/modules/cjs/loader:1157:10)
  Object.require.extensions.<computed> [as .ts] (C:\Dev\ws\CDKTestProject\cdk\node_modules\ts-node\src\index.ts:1059:12)
  Module.load (node:internal/modules/cjs/loader:981:32)
  Function.Module._load (node:internal/modules/cjs/loader:822:12)
  Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:77:12)
  main (C:\Dev\ws\CDKTestProject\cdk\node_modules\ts-node\src\bin.ts:198:14)
  Object.<anonymous> (C:\Dev\ws\CDKTestProject\cdk\node_modules\ts-node\src\bin.ts:288:3)
  Module._compile (node:internal/modules/cjs/loader:1103:14)
  Object.Module._extensions..js (node:internal/modules/cjs/loader:1157:10)
  Module.load (node:internal/modules/cjs/loader:981:32)
  Function.Module._load (node:internal/modules/cjs/loader:822:12)
  Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:77:12)
  node:internal/main/run_main_module:17:47

Found errors
Error: Found errors
    at StackCollection.processMetadataMessages (C:\Dev\ws\CDKTestProject\cdk\node_modules\aws-cdk\lib\api\cxapp\cloud-assembly.ts:274:13)
    at CdkToolkit.validateStacks (C:\Dev\ws\CDKTestProject\cdk\node_modules\aws-cdk\lib\cdk-toolkit.ts:644:12)
    at CdkToolkit.selectStacksForDiff (C:\Dev\ws\CDKTestProject\cdk\node_modules\aws-cdk\lib\cdk-toolkit.ts:623:10)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at CdkToolkit.synth (C:\Dev\ws\CDKTestProject\cdk\node_modules\aws-cdk\lib\cdk-toolkit.ts:507:20)
    at initCommandLine (C:\Dev\ws\CDKTestProject\cdk\node_modules\aws-cdk\lib\cli.ts:342:12)

Reproduction Steps

~/.aws/config contains an SSO profile and an assumed role profile

$ cat ~/.aws/config
[profile default]
region = ap-southeast-2

[profile my-sso-role]
sso_start_url = https://XXXXXXXX.awsapps.com/start
sso_region = ap-southeast-2
sso_account_id = 123456789012
sso_role_name = 123456789012-DevOps
region = ap-southeast-2

[profile my-assumed-sso-role]
source_profile = my-sso-role
role_arn = arn:aws:iam::123456789012:role/Role-DevOps-IP-Restricted
region = ap-southeast-2

~/.aws/credentials is currently empty, but I’ve tried with a default profile and it doesn’t make a difference.

Running npx cdk synth --profile my-assumed-sso-role causes the error.

Running aws sts get-caller-identity --profile my-assumed-sso-role shows a valid session.

Possible Solution

Possibly bump the bundled aws-sdk version

Additional Information/Context

No response

CDK CLI Version

2.20.0 (build 738ef49)

Framework Version

No response

Node.js Version

v16.14.2

OS

Windows

Language

Typescript

Language Version

No response

Other information

I suspect that it’s actually an upstream issue with aws-sdk related to source_profile which was recently fixed, such as https://github.com/aws/aws-sdk-js-v3/pull/2221

Issue Analytics

  • State: closed
  • Created a year ago
  • Reactions: 4
  • Comments: 11 (5 by maintainers)

Top GitHub Comments

comcalvi commented, May 13, 2022 (3 reactions)

Turns out when using source profiles, the CDK will always try to create a SharedIniFileCredentials, which SSO credentials are not. Adding SSO credentials to the source profile loading logic resolves this.
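An added example (not from the issue, the CDK, or the AWS SDK) illustrating the Reproduction Steps config together with comcalvi's explanation: a source_profile may point at an SSO profile, so a resolver has to classify each hop of the chain instead of assuming SharedIniFileCredentials. The profile names and values are copied from the issue's config; the parsing and resolution functions are hypothetical, constructed for this example.

```javascript
// Constructed sample config, taken from the issue's ~/.aws/config (region lines omitted).
const SAMPLE_CONFIG = `
[profile my-sso-role]
sso_start_url = https://XXXXXXXX.awsapps.com/start
sso_region = ap-southeast-2
sso_account_id = 123456789012
sso_role_name = 123456789012-DevOps

[profile my-assumed-sso-role]
source_profile = my-sso-role
role_arn = arn:aws:iam::123456789012:role/Role-DevOps-IP-Restricted
`;

// Parse the INI-style config into { profileName: { key: value } }.
// "[profile x]" (config file) and "[x]" (credentials file) are both accepted.
function parseAwsConfig(text) {
  const profiles = {};
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const section = line.match(/^\[(?:profile\s+)?([^\]]+)\]$/);
    if (section) { current = profiles[section[1].trim()] = {}; continue; }
    const kv = line.match(/^([^=]+?)\s*=\s*(.*)$/);
    if (kv && current) current[kv[1]] = kv[2];
  }
  return profiles;
}

// Which credential provider a single profile implies. An SSO profile is
// recognised by sso_start_url and is NOT a shared-ini (static key) profile.
function providerFor(p) {
  if (p.sso_start_url) return 'sso';
  if (p.credential_process) return 'process';
  if (p.aws_access_key_id && p.aws_secret_access_key) return 'shared-ini';
  return 'none';
}

// Follow source_profile links and return the ordered chain of
// { profile, provider } hops, ending at the profile that holds the
// real credentials. Throws on unknown profiles and on cycles.
function resolveChain(profiles, name, seen = new Set()) {
  const p = profiles[name];
  if (!p) throw new Error(`profile ${name} not found`);
  if (seen.has(name)) throw new Error(`source_profile cycle at ${name}`);
  seen.add(name);
  const hop = { profile: name, provider: p.role_arn && p.source_profile ? 'assume-role' : providerFor(p) };
  return p.source_profile ? [hop, ...resolveChain(profiles, p.source_profile, seen)] : [hop];
}
```

For the issue's config the chain resolves to an assume-role hop whose source is an 'sso' hop, which is exactly the case the CDK's loader did not handle.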

elliotsegler commented, Apr 22, 2022 (1 reaction)

but with an empty credentials file, I can use a role that trusts the sso role, as you described, and successfully synth a stack.

@comcalvi: Are you seeing issues resolving credentials while synthing? Being able to synth a stack is not what I’d consider success criteria. It’s possible for the credentials process to fail and for the stack to still synth. This is the same for any cdk command like cdk ls or cdk synth.

In the case I’ve got, I’m using a VPC lookup. So on a synth with an empty context it would fail. If I manually set the context, or I use a non-sso profile/creds to fetch and set the context, every subsequent synth works even if it can’t fetch credentials.

Are you able to cdk deploy using the assumed role?
