Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Unexpected behavior of default environment (region/account)

See original GitHub issue

Hiya friends!

AWS IS SO SECURE 🔐

Tl;dr I have some creds in my env

> env | grep AWS
AWS_ACCESS_KEY_ID=nope
AWS_SECRET_ACCESS_KEY=nope
AWS_SESSION_TOKEN=nice try
┌[breland☮Brelands-MacBook-Pro-2.local]-(~/repos/aws-cdk/packages/swa-test)-[git://dev-brelandm ✗]-

And I’d love to use them:

┌[breland☮Brelands-MacBook-Pro-2.local]-(~/repos/aws-cdk/packages/swa-test)-[git://dev-brelandm ✗]-
└> ../aws-cdk-toolkit/bin/cdk -v bootstrap
Defaults: {  "app": "node index.js"}
Obtaining default region from AWS configuration
Setting "default-region" context to undefined
Looking up default account ID from STS
Setting "default-account" context to 532610000315
node index.js '{"type":"list","context":{"default-account":"532610000315"}}'
Stack name not specified, so defaulting to all available stacks: SWA
 ⏳  Bootstrapping environment 532610000315/us-west-1...
 ❌  Environment 532610000315/us-west-1 failed bootstrapping: Error: Need to perform AWS calls for account 532610000315, but no credentials found. Tried: default credentials.
Need to perform AWS calls for account 532610000315, but no credentials found. Tried: default credentials.
Error: Need to perform AWS calls for account 532610000315, but no credentials found. Tried: default credentials.
    at SDK.getCredentialProvider (/Users/breland/repos/aws-cdk/packages/aws-cdk-toolkit/lib/api/util/sdk.ts:124:15)
    at <anonymous>
    at process._tickCallback (internal/process/next_tick.js:160:7)
┌[breland☮Brelands-MacBook-Pro-2.local]-(~/repos/aws-cdk/packages/swa-test)-[git://dev-brelandm ✗]-

Is there some magic trick I need to use? The docs would indicate this should work… What am I missing?

Issue Analytics

State:
Created 5 years ago
Comments:12 (12 by maintainers)

Top GitHub Comments

1reaction

eladbcommented, Jun 11, 2018

@Doug-AWS using environment variables for credentials should be transparent. However there is an order of precedence which is definitely something we should document well

0reactions

eladbcommented, Jun 19, 2018

Let’s work backwards from the desired behavior (without toolkit credentials plugins installed):

If env is not specified when a stack is created, the account and region should be exactly like the aws cli would behave if --region was not specified, based on the default credentials chain as @Doug-AWS indicates.
If only env.region is specified (no account), then the account should derive from the default credentials chain but region should be based on the region.
If env.account is also specified, then region must also be defined (?) and then the toolkit should be defensive and fail if the default credentials chain didn’t include credentials for that account.
If there are no credentials configured in the default credentials chain, the toolkit should fail with an error “missing credentials”, and link to https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html for instructions on how to configure credentials.

Now for some implementation-related issues. I think one of the reasons we keep seeing inconsistencies is because there were previously conflicting instructions on specifying the default-region and default-account contextual parameters in cdk.json (or ~/.cdk.json). These parameters superseded the normal behavior and things got messy.

Since we still need to relay the region/account in case they are not explicitly specified when a Stack is created, My recommendation is to deprecate default-account and default-region (error if they are specified) and use a different context argument to pass the default account/region from the toolkit. Perhaps something like cdk:toolkit:defaultenv=<ACCOUNT>/<REGION>. This argument should never be explicitly specified in cdk.json (maybe we can even add some defense that doesn’t allow context that starts with “cdk:” to be specified by humans…).

Top Results From Across the Web

Solved: Default environment created in wrong region

Solved: My default environment is located in the US but the admin account is connected to a Canadian domain. I understand that I...

USER LIST Command | unityadmin | Teradata Unity - 16.51 - USER ...

See how this command lists the defined user mappings and optionally filters by matching criteria.

Example policies for working with the AWS CLI or an AWS SDK

By default, users don't have permissions to describe, start, stop, ... "arn:aws:ec2: region : account-id :instance/*", "arn:aws:ec2: region ...

Programmatic Environmental Impact Statement For Northern ...

8.3 Environmental Consequences to Biological Resources. ... infrastructure may behave in an unplanned and generally undesirable manner.

Using the SageMaker Python SDK

add_argument('--learning-rate', type=float, default=0.1) # an alternative way to load hyperparameters via SM_HPS environment variable. parser.add_argument('--sm ...