CDK CLI produces invalid tokens in eu-south-1 region


Every CLI command on the new eu-south-1 region (Italy - Milan) fails with errors regarding the security token, when you use the --profile option.

Reproduction Steps

Configure your ~/.aws/credentials like this

[default]
aws_access_key_id = myaccesskeyid
aws_secret_access_key = mysecretaccesskey

and your ~/.aws/config like this

[profile myprofile]
role_arn = arn:aws:iam::123456789012:role/MyAccessRole
region = eu-south-1
source_profile = default

Then run the following command

$ cdk --profile myprofile bootstrap aws://123456789012/eu-south-1 --no-execute

Error Log

 ⏳  Bootstrapping environment aws://123456789012/eu-south-1...
 ❌  Environment aws://123456789012/eu-south-1 failed bootstrapping: InvalidClientTokenId: The security token included in the request is invalid
The security token included in the request is invalid

Environment

  • CLI Version: 1.39.0 (build 5d727c1)
  • Framework Version: 1.19.0 (does not really matter here)
  • OS: Linux Mint 19.3 (Tricia)
  • Language: Typescript

Other

My aws CLI works fine with its own --profile option on the same configuration.

I’ve managed to make this work by authenticating “manually”, using STS and then exporting environment variables for authorization.

$ aws --profile myprofile sts assume-role --role-arn arn:aws:iam::123456789012:role/MyAccessRole --role-session-name test
$ export AWS_ACCESS_KEY_ID=<myAccessKeyId>
$ export AWS_SECRET_ACCESS_KEY=<mySecretAccessKey>
$ export AWS_SESSION_TOKEN=<generatedSessionToken>
$ cdk bootstrap aws://123456789012/eu-south-1 --no-execute

By looking at session token length I can guess that STS is releasing version 2 STS tokens.

In fact, as documented here

Version 1 tokens are valid only in AWS Regions that are available by default. These tokens do not work in manually enabled Regions, such as Asia Pacific (Hong Kong). Version 2 tokens are valid in all Regions. However, version 2 tokens include more characters and might affect systems where you temporarily store tokens.

it seems like new regions may only accept version 2 tokens.

I assume that CDK CLI is not using version 2 tokens here - at least when using the --profile option - resulting in security errors on API calls.


This is 🐛 Bug Report

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 1
  • Comments: 12 (10 by maintainers)

Top GitHub Comments

7 reactions
shivlaks commented, May 21, 2020

@flavioleggio thanks for the report! I think you’re right in that we are not using the version 2 tokens. I’ll dig a little and provide an update this week. Stay tuned!

2 reactions
flavioleggio commented, Jun 28, 2020

@slyfoxza, you are definitely my hero of the day! Setting the v2 tokens configuration in my production account, which holds my identities, I managed to use the CDK CLI with no issues. I actually had to specify the eu-south-1 region when setting security token preferences on my production account.

@shivlaks I think we can close this issue, this is related to the CDK CLI. Still, I believe this procedure is not well documented. Is there some place where we should move this?
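The check below is an added example, not part of the thread or of the CDK code base: it reads an AWS config file and lists the role-assuming profiles that target a manually enabled Region while the identity account still issues version 1 tokens. Assumptions: the tool requests tokens from the global STS endpoint, the Region list is partial, and `profiles_needing_v2`, `OPT_IN_REGIONS` and `SAMPLE_CONFIG` are names made up for this sketch.

```python
import configparser

# Assumption: partial list of manually enabled (opt-in) Regions; extend as needed.
OPT_IN_REGIONS = {"ap-east-1", "eu-south-1", "me-south-1", "af-south-1"}

# Constructed sample: the profile from the report plus one default-enabled Region.
SAMPLE_CONFIG = """
[profile myprofile]
role_arn = arn:aws:iam::123456789012:role/MyAccessRole
region = eu-south-1
source_profile = default

[profile ireland]
role_arn = arn:aws:iam::123456789012:role/MyAccessRole
region = eu-west-1
source_profile = default
"""


def profiles_needing_v2(config_text, global_token_version):
    """Return (profile, region) pairs that will reject version 1 tokens.

    global_token_version is the GlobalEndpointTokenVersion value (1 or 2)
    reported by `aws iam get-account-summary`, run in the account that
    holds the source identity.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    at_risk = []
    for section in parser.sections():
        opts = parser[section]
        if "role_arn" not in opts:
            continue  # only role-assuming profiles obtain STS session tokens
        region = opts.get("region", "")
        if region in OPT_IN_REGIONS and global_token_version < 2:
            prefix = "profile "
            name = section[len(prefix):] if section.startswith(prefix) else section
            at_risk.append((name, region))
    return at_risk


if __name__ == "__main__":
    for name, region in profiles_needing_v2(SAMPLE_CONFIG, 1):
        print(f"{name}: {region} needs version 2 tokens from the identity account")
```

The account preference is switched with `aws iam set-security-token-service-preferences --global-endpoint-token-version v2Token`, run in the account that holds the identities.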
