Unexpected behavior of default environment (region/account)
See original GitHub issueHiya friends!
AWS IS SO SECURE š
Tl;dr I have some creds in my env
> env | grep AWS
AWS_ACCESS_KEY_ID=nope
AWS_SECRET_ACCESS_KEY=nope
AWS_SESSION_TOKEN=nice try
ā[brelandā®Brelands-MacBook-Pro-2.local]-(~/repos/aws-cdk/packages/swa-test)-[git://dev-brelandm ā]-
And Iād love to use them:
ā[brelandā®Brelands-MacBook-Pro-2.local]-(~/repos/aws-cdk/packages/swa-test)-[git://dev-brelandm ā]-
ā> ../aws-cdk-toolkit/bin/cdk -v bootstrap
Defaults: { "app": "node index.js"}
Obtaining default region from AWS configuration
Setting "default-region" context to undefined
Looking up default account ID from STS
Setting "default-account" context to 532610000315
node index.js '{"type":"list","context":{"default-account":"532610000315"}}'
Stack name not specified, so defaulting to all available stacks: SWA
ā³ Bootstrapping environment 532610000315/us-west-1...
ā Environment 532610000315/us-west-1 failed bootstrapping: Error: Need to perform AWS calls for account 532610000315, but no credentials found. Tried: default credentials.
Need to perform AWS calls for account 532610000315, but no credentials found. Tried: default credentials.
Error: Need to perform AWS calls for account 532610000315, but no credentials found. Tried: default credentials.
at SDK.getCredentialProvider (/Users/breland/repos/aws-cdk/packages/aws-cdk-toolkit/lib/api/util/sdk.ts:124:15)
at <anonymous>
at process._tickCallback (internal/process/next_tick.js:160:7)
ā[brelandā®Brelands-MacBook-Pro-2.local]-(~/repos/aws-cdk/packages/swa-test)-[git://dev-brelandm ā]-
Is there some magic trick I need to use? The docs would indicate this should workā¦ What am I missing?
Issue Analytics
- State:
- Created 5 years ago
- Comments:12 (12 by maintainers)
Top Results From Across the Web
Solved: Default environment created in wrong region
Solved: My default environment is located in the US but the admin account is connected to a Canadian domain. I understand that I...
Read more >USER LIST Command | unityadmin | Teradata Unity - 16.51 - USER ...
See how this command lists the defined user mappings and optionally filters by matching criteria.
Read more >Example policies for working with the AWS CLI or an AWS SDK
By default, users don't have permissions to describe, start, stop, ... "arn:aws:ec2: region : account-id :instance/*", "arn:aws:ec2: region ...
Read more >Programmatic Environmental Impact Statement For Northern ...
8.3 Environmental Consequences to Biological Resources. ... infrastructure may behave in an unplanned and generally undesirable manner.
Read more >Using the SageMaker Python SDK
add_argument('--learning-rate', type=float, default=0.1) # an alternative way to load hyperparameters via SM_HPS environment variable. parser.add_argument('--smĀ ...
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
@Doug-AWS using environment variables for credentials should be transparent. However there is an order of precedence which is definitely something we should document well
Letās work backwards from the desired behavior (without toolkit credentials plugins installed):
env
is not specified when a stack is created, the account and region should be exactly like theaws cli
would behave if--region
was not specified, based on the default credentials chain as @Doug-AWS indicates.env.region
is specified (noaccount
), then the account should derive from the default credentials chain but region should be based on the region.env.account
is also specified, thenregion
must also be defined (?) and then the toolkit should be defensive and fail if the default credentials chain didnāt include credentials for that account.https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html
for instructions on how to configure credentials.Now for some implementation-related issues. I think one of the reasons we keep seeing inconsistencies is because there were previously conflicting instructions on specifying the
default-region
anddefault-account
contextual parameters incdk.json
(or~/.cdk.json
). These parameters superseded the normal behavior and things got messy.Since we still need to relay the region/account in case they are not explicitly specified when a
Stack
is created, My recommendation is to deprecatedefault-account
anddefault-region
(error if they are specified) and use a different context argument to pass the default account/region from the toolkit. Perhaps something likecdk:toolkit:defaultenv=<ACCOUNT>/<REGION>
. This argument should never be explicitly specified incdk.json
(maybe we can even add some defense that doesnāt allow context that starts with ācdk:ā to be specified by humansā¦).