CDK CLI produces invalid tokens in eu-south-1 region
Every CLI command on the new eu-south-1 region (Italy - Milan) fails with errors regarding the security token when you use the --profile option.
Reproduction Steps
Configure your ~/.aws/credentials like this:
[default]
aws_access_key_id = myaccesskeyid
aws_secret_access_key = mysecretaccesskey
and your ~/.aws/config like this:
[profile myprofile]
role_arn = arn:aws:iam::123456789012:role/MyAccessRole
region = eu-south-1
source_profile = default
Then run the following command:
$ cdk --profile myprofile bootstrap aws://123456789012/eu-south-1 --no-execute
Error Log
⏳ Bootstrapping environment aws://123456789012/eu-south-1...
❌ Environment aws://123456789012/eu-south-1 failed bootstrapping: InvalidClientTokenId: The security token included in the request is invalid
The security token included in the request is invalid
Environment
- CLI Version: 1.39.0 (build 5d727c1)
- Framework Version: 1.19.0 (does not really matter here)
- OS: Linux Mint 19.3 (Tricia)
- Language: Typescript
Other
My aws CLI works fine with its own --profile option on the same configuration.
I’ve managed to make this work by authenticating “manually”, using STS and then exporting environment variables for authorization.
$ aws --profile myprofile sts assume-role --role-arn arn:aws:iam::123456789012:role/MyAccessRole --role-session-name test
$ export AWS_ACCESS_KEY_ID=<myAccessKeyId>
$ export AWS_SECRET_ACCESS_KEY=<mySecretAccessKey>
$ export AWS_SESSION_TOKEN=<generatedSessionToken>
$ cdk bootstrap aws://123456789012/eu-south-1 --no-execute
By looking at the session token length I can guess that STS is releasing version 2 STS tokens.
In fact, as documented here
Version 1 tokens are valid only in AWS Regions that are available by default. These tokens do not work in manually enabled Regions, such as Asia Pacific (Hong Kong). Version 2 tokens are valid in all Regions. However, version 2 tokens include more characters and might affect systems where you temporarily store tokens.
it seems like new regions may only accept version 2 tokens.
I assume that CDK CLI is not using version 2 tokens here - at least when using the --profile option - resulting in security errors on API calls.
This is 🐛 Bug Report
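The manual workaround above (assume the role with STS, export the three variables, run cdk without --profile) can be scripted so that it reliably yields a token valid in an opt-in region. The script below is an added example, not code from the issue author or from the CDK project. It assumes the AWS CLI is installed, reuses the placeholder account, role and profile names from the reproduction steps, and uses a hypothetical RUN_STS_EXAMPLE switch so the functions can be sourced without side effects. The key difference from the original commands: the role is assumed through the regional STS endpoint of the target region (which always issues version 2 tokens) and from the source profile holding the long-lived keys, rather than through the global endpoint via the role profile.

```shell
#!/bin/sh
# Added example (not from the issue or the CDK project): assume a role through
# the regional STS endpoint so the session token is a version 2 token usable in
# eu-south-1, then emit export lines for the CDK CLI.
# Assumptions: AWS CLI installed; profile/role/account placeholders from the issue.
set -eu

# Regional STS endpoint for a region. Regional endpoints issue version 2 tokens;
# the global endpoint (sts.amazonaws.com) issues version 1 tokens unless the
# account's GlobalEndpointTokenVersion preference has been set to v2Token.
sts_regional_endpoint() {
    printf 'https://sts.%s.amazonaws.com\n' "$1"
}

# Read one tab-separated line "AccessKeyId<TAB>SecretAccessKey<TAB>SessionToken"
# (the shape produced by the --query/--output text call below) from stdin and
# print shell export statements. Fails if any of the three fields is missing.
creds_to_exports() {
    IFS="$(printf '\t')" read -r key secret token || return 1
    [ -n "$key" ] && [ -n "$secret" ] && [ -n "$token" ] || return 1
    printf "export AWS_ACCESS_KEY_ID='%s'\n" "$key"
    printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$secret"
    printf "export AWS_SESSION_TOKEN='%s'\n" "$token"
}

# Account-level STS token version preference (1 or 2), read from the
# GetAccountSummary SummaryMap. Needs iam:GetAccountSummary on the account that
# owns the identity (the "production account" in the comments below).
global_token_version() {
    aws --profile "$1" iam get-account-summary \
        --query 'SummaryMap.GlobalEndpointTokenVersion' --output text
}

# Assume the role through the target region's STS endpoint and emit export lines.
# Use the *source* profile (the one with the long-lived keys), not the role
# profile, so the CLI does not perform a second assume-role on top of the first.
assume_role_regional() {
    source_profile=$1 role_arn=$2 region=$3 session_name=${4:-cdk-session}
    aws --profile "$source_profile" --region "$region" \
        --endpoint-url "$(sts_regional_endpoint "$region")" \
        sts assume-role --role-arn "$role_arn" --role-session-name "$session_name" \
        --query '[Credentials.AccessKeyId,Credentials.SecretAccessKey,Credentials.SessionToken]' \
        --output text | creds_to_exports
}

main() {
    region=eu-south-1
    role_arn=arn:aws:iam::123456789012:role/MyAccessRole
    # Warn when the global endpoint would still hand out version 1 tokens, which
    # are rejected in opt-in regions such as eu-south-1.
    ver=$(global_token_version default || echo unknown)
    [ "$ver" = "2" ] || echo "note: GlobalEndpointTokenVersion is $ver; global-endpoint tokens will not work in $region" >&2
    # Assignment form so a failed assume-role aborts under set -e instead of eval'ing nothing.
    exports=$(assume_role_regional default "$role_arn" "$region")
    eval "$exports"
    cdk bootstrap "aws://123456789012/$region" --no-execute
}

# Hypothetical switch: run only when explicitly asked, so the file can be sourced.
if [ "${RUN_STS_EXAMPLE:-0}" = "1" ]; then
    main
fi
```

To make the fix permanent rather than per-session, the account preference can be switched in the account that owns the identity with `aws iam set-security-token-service-preferences --global-endpoint-token-version v2Token`, after which the global endpoint also issues version 2 tokens and the original `cdk --profile` invocation no longer needs the manual export step. The AWS CLI additionally honours `sts_regional_endpoints = regional` in a profile; whether the CDK CLI version on this page honours the same setting is not established by the issue.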
Issue Analytics
- State:
- Created 3 years ago
- Reactions: 1
- Comments: 12 (10 by maintainers)
Top GitHub Comments
@flavioleggio thanks for the report! I think you’re right in that we are not using the version 2 tokens. I’ll dig a little and provide an update this week. Stay tuned!
@slyfoxza, you are definitely my hero of the day! Setting the v2 tokens configuration in my production account, which holds my identities, I managed to use the CDK CLI with no issues. I actually had to specify the eu-south-1 region when setting security token preferences on my production account. @shivlaks I think we can close this issue, this is related to the CDK CLI. Still, I believe this procedure is not well documented. Is there some place where we should move this?