Description
Describe the bug
When setting up a project from scratch with SSO credentials, CDK fails to authorize.
The steps I'm following are as follows:
- I configure my credentials using aws configure sso and aws sso login --profile my-org-dev
- I set the account and region in bin/{stack}.ts
- I run AWS_PROFILE=my-org-dev cdk deploy
I receive the following error message:
$ AWS_PROFILE=my-org-dev cdk deploy
# Output:
# ✨ Synthesis time: 3.42s
#
#
# ❌ Deployment failed: Error: Need to perform AWS calls for account 123456789012, but no credentials have been configured
Expected Behavior
I expect CDK to be compatible with credentials generated with aws configure sso and aws sso login.
Current Behavior
When deploying, I get the following output:
$ AWS_PROFILE=my-org-dev cdk deploy -vvv
# Output:
# [18:26:42] CDK toolkit version: 2.97.0 (build d7cf3be)
# [18:26:42] Command line arguments: {
# _: [ 'deploy' ],
# v: 3,
# verbose: 3,
# lookups: true,
# 'ignore-errors': false,
# ignoreErrors: false,
# json: false,
# j: false,
# debug: false,
# ec2creds: undefined,
# i: undefined,
# 'version-reporting': undefined,
# versionReporting: undefined,
# 'path-metadata': undefined,
# pathMetadata: undefined,
# 'asset-metadata': undefined,
# assetMetadata: undefined,
# 'role-arn': undefined,
# r: undefined,
# roleArn: undefined,
# staging: true,
# 'no-color': false,
# noColor: false,
# ci: false,
# all: false,
# 'build-exclude': [],
# E: [],
# buildExclude: [],
# force: false,
# f: false,
# parameters: [ {} ],
# 'previous-parameters': true,
# previousParameters: true,
# logs: true,
# concurrency: 1,
# 'asset-prebuild': true,
# assetPrebuild: true,
# '$0': '/Users/buggs/node/n/bin/cdk'
# }
# [18:26:42] cdk.json: {
# "app": "npx ts-node --prefer-ts-exts bin/tmp.3f08_ww_ph.ts",
# "watch": {
# "include": [
# "**"
# ],
# "exclude": [
# "README.md",
# "cdk*.json",
# "**/*.d.ts",
# "**/*.js",
# "tsconfig.json",
# "package*.json",
# "yarn.lock",
# "node_modules",
# "test"
# ]
# },
# "context": {
# "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
# "@aws-cdk/core:checkSecretUsage": true,
# "@aws-cdk/core:target-partitions": [
# "aws",
# "aws-cn"
# ],
# "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
# "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
# "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
# "@aws-cdk/aws-iam:minimizePolicies": true,
# "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
# "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
# "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
# "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
# "@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
# "@aws-cdk/core:enablePartitionLiterals": true,
# "@aws-cdk/aws-events:eventsTargetQueueSameAccount": true,
# "@aws-cdk/aws-iam:standardizedServicePrincipals": true,
# "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true,
# "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true,
# "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
# "@aws-cdk/aws-route53-patters:useCertificate": true,
# "@aws-cdk/customresources:installLatestAwsSdkDefault": false,
# "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": true,
# "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": true,
# "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": true,
# "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": true,
# "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true,
# "@aws-cdk/aws-redshift:columnId": true,
# "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true,
# "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": true,
# "@aws-cdk/aws-apigateway:requestValidatorUniqueId": true,
# "@aws-cdk/aws-kms:aliasNameRef": true,
# "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": true,
# "@aws-cdk/core:includePrefixInUniqueNameGeneration": true,
# "@aws-cdk/aws-efs:denyAnonymousAccess": true,
# "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": true,
# "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": true,
# "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": true,
# "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": true,
# "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": true
# }
# }
# [18:26:42] merged settings: {
# versionReporting: true,
# assetMetadata: true,
# pathMetadata: true,
# output: 'cdk.out',
# app: 'npx ts-node --prefer-ts-exts bin/tmp.3f08_ww_ph.ts',
# watch: {
# include: [ '**' ],
# exclude: [
# 'README.md',
# 'cdk*.json',
# '**/*.d.ts',
# '**/*.js',
# 'tsconfig.json',
# 'package*.json',
# 'yarn.lock',
# 'node_modules',
# 'test'
# ]
# },
# context: {
# '@aws-cdk/aws-lambda:recognizeLayerVersion': true,
# '@aws-cdk/core:checkSecretUsage': true,
# '@aws-cdk/core:target-partitions': [ 'aws', 'aws-cn' ],
# '@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver': true,
# '@aws-cdk/aws-ec2:uniqueImdsv2TemplateName': true,
# '@aws-cdk/aws-ecs:arnFormatIncludesClusterName': true,
# '@aws-cdk/aws-iam:minimizePolicies': true,
# '@aws-cdk/core:validateSnapshotRemovalPolicy': true,
# '@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName': true,
# '@aws-cdk/aws-s3:createDefaultLoggingPolicy': true,
# '@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption': true,
# '@aws-cdk/aws-apigateway:disableCloudWatchRole': true,
# '@aws-cdk/core:enablePartitionLiterals': true,
# '@aws-cdk/aws-events:eventsTargetQueueSameAccount': true,
# '@aws-cdk/aws-iam:standardizedServicePrincipals': true,
# '@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker': true,
# '@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName': true,
# '@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy': true,
# '@aws-cdk/aws-route53-patters:useCertificate': true,
# '@aws-cdk/customresources:installLatestAwsSdkDefault': false,
# '@aws-cdk/aws-rds:databaseProxyUniqueResourceName': true,
# '@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup': true,
# '@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId': true,
# '@aws-cdk/aws-ec2:launchTemplateDefaultUserData': true,
# '@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments': true,
# '@aws-cdk/aws-redshift:columnId': true,
# '@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2': true,
# '@aws-cdk/aws-ec2:restrictDefaultSecurityGroup': true,
# '@aws-cdk/aws-apigateway:requestValidatorUniqueId': true,
# '@aws-cdk/aws-kms:aliasNameRef': true,
# '@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig': true,
# '@aws-cdk/core:includePrefixInUniqueNameGeneration': true,
# '@aws-cdk/aws-efs:denyAnonymousAccess': true,
# '@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby': true,
# '@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion': true,
# '@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId': true,
# '@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters': true,
# '@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier': true
# },
# debug: false,
# toolkitBucket: {},
# staging: true,
# bundlingStacks: [ '**' ],
# lookups: true,
# assetPrebuild: true
# }
# [18:26:42] [trace] SdkProvider#withAwsCliCompatibleDefaults()
# [18:26:42] Determining if we're on an EC2 instance.
# [18:26:42] Does not look like an EC2 instance.
# [18:26:42] Reading cached notices from /Users/buggs/.cdk/cache/notices.json
# [18:26:42] Toolkit stack: CDKToolkit
# [18:26:42] Setting "CDK_DEFAULT_REGION" environment variable to eu-north-1
# [18:26:42] [trace] SdkProvider#defaultAccount()
# [18:26:42] [trace] SdkProvider#defaultCredentials()
# [18:26:42] Resolving default credentials
# [18:26:42] Unable to determine the default AWS account (ProcessCredentialsProviderFailure): Profile my-org-dev did not include credential process
# [18:26:42] context: {
# '@aws-cdk/aws-lambda:recognizeLayerVersion': true,
# '@aws-cdk/core:checkSecretUsage': true,
# '@aws-cdk/core:target-partitions': [ 'aws', 'aws-cn' ],
# '@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver': true,
# '@aws-cdk/aws-ec2:uniqueImdsv2TemplateName': true,
# '@aws-cdk/aws-ecs:arnFormatIncludesClusterName': true,
# '@aws-cdk/aws-iam:minimizePolicies': true,
# '@aws-cdk/core:validateSnapshotRemovalPolicy': true,
# '@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName': true,
# '@aws-cdk/aws-s3:createDefaultLoggingPolicy': true,
# '@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption': true,
# '@aws-cdk/aws-apigateway:disableCloudWatchRole': true,
# '@aws-cdk/core:enablePartitionLiterals': true,
# '@aws-cdk/aws-events:eventsTargetQueueSameAccount': true,
# '@aws-cdk/aws-iam:standardizedServicePrincipals': true,
# '@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker': true,
# '@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName': true,
# '@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy': true,
# '@aws-cdk/aws-route53-patters:useCertificate': true,
# '@aws-cdk/customresources:installLatestAwsSdkDefault': false,
# '@aws-cdk/aws-rds:databaseProxyUniqueResourceName': true,
# '@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup': true,
# '@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId': true,
# '@aws-cdk/aws-ec2:launchTemplateDefaultUserData': true,
# '@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments': true,
# '@aws-cdk/aws-redshift:columnId': true,
# '@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2': true,
# '@aws-cdk/aws-ec2:restrictDefaultSecurityGroup': true,
# '@aws-cdk/aws-apigateway:requestValidatorUniqueId': true,
# '@aws-cdk/aws-kms:aliasNameRef': true,
# '@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig': true,
# '@aws-cdk/core:includePrefixInUniqueNameGeneration': true,
# '@aws-cdk/aws-efs:denyAnonymousAccess': true,
# '@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby': true,
# '@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion': true,
# '@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId': true,
# '@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters': true,
# '@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier': true,
# 'aws:cdk:enable-path-metadata': true,
# 'aws:cdk:enable-asset-metadata': true,
# 'aws:cdk:version-reporting': true,
# 'aws:cdk:bundling-stacks': [ '**' ]
# }
# [18:26:42] outdir: cdk.out
# [18:26:42] env: {
# CDK_DEFAULT_REGION: 'eu-north-1',
# CDK_OUTDIR: 'cdk.out',
# CDK_CLI_ASM_VERSION: '34.0.0',
# CDK_CLI_VERSION: '2.97.0'
# }
#
# ✨ Synthesis time: 2.13s
#
# [18:26:44] Checking for previously published assets
# [18:26:44] [trace] SdkProvider#resolveEnvironment()
# [18:26:44] [trace] SdkProvider#baseCredentialsPartition()
# [18:26:44] [trace] SdkProvider#resolveEnvironment()
# [18:26:44] [trace] SdkProvider#obtainBaseCredentials()
# [18:26:44] [trace] SdkProvider#defaultAccount()
# [18:26:44] [trace] SdkProvider#forEnvironment()
# [18:26:44] [trace] SdkProvider#resolveEnvironment()
# [18:26:44] [trace] SdkProvider#obtainBaseCredentials()
# [18:26:44] [trace] SdkProvider#defaultAccount()
#
# ❌ Deployment failed: Error: Need to perform AWS calls for account 123456789012, but no credentials have been configured
# at SdkProvider.forEnvironment (/Users/buggs/node/n/lib/node_modules/aws-cdk/lib/index.js:367:13075)
# at async Deployments.cachedSdkForEnvironment (/Users/buggs/node/n/lib/node_modules/aws-cdk/lib/index.js:457:12383)
# at async Deployments.prepareSdkFor (/Users/buggs/node/n/lib/node_modules/aws-cdk/lib/index.js:457:7949)
# at async Deployments.isSingleAssetPublished (/Users/buggs/node/n/lib/node_modules/aws-cdk/lib/index.js:457:11602)
# at async /Users/buggs/node/n/lib/node_modules/aws-cdk/lib/index.js:457:165302
# [18:26:44] Reading cached notices from /Users/buggs/.cdk/cache/notices.json
#
# Need to perform AWS calls for account 123456789012, but no credentials have been configured
# [18:26:44] Error: Need to perform AWS calls for account 123456789012, but no credentials have been configured
# at SdkProvider.forEnvironment (/Users/buggs/node/n/lib/node_modules/aws-cdk/lib/index.js:367:13075)
# at async Deployments.cachedSdkForEnvironment (/Users/buggs/node/n/lib/node_modules/aws-cdk/lib/index.js:457:12383)
# at async Deployments.prepareSdkFor (/Users/buggs/node/n/lib/node_modules/aws-cdk/lib/index.js:457:7949)
# at async Deployments.isSingleAssetPublished (/Users/buggs/node/n/lib/node_modules/aws-cdk/lib/index.js:457:11602)
# at async /Users/buggs/node/n/lib/node_modules/aws-cdk/lib/index.js:457:165302
Getting my current session details:
$ AWS_PROFILE=cdk-error-demo aws sts get-caller-identity --output yaml
# Output:
# Account: '123456789012'
# Arn: arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_MyRoleNameWith_alongrandomsuffix/[email protected]
# UserId: ANACCESSKEYIDORSECRETNEVERTHELESSREDACTED:[email protected]
This is what my AWS_CONFIG_FILE looks like:
[profile my-org-dev]
sso_session = Admin in My Org
sso_account_id = 123456789012
sso_role_name = AdministratorAccess
region = eu-north-1
[sso-session 'Admin in My Org']
sso_start_url = https://acme.awsapps.com/start#
sso_region = eu-central-1
sso_registration_scopes = sso:account:access
Reproduction Steps
- I install aws-cdk and check the version:
$ cdk --version
# Output:
# 2.97.0 (build d7cf3be)
- I back up my AWS_CONFIG_FILE and delete the existing file (fish shell):
if test -n "$AWS_CONFIG_FILE" -a -f "$AWS_CONFIG_FILE"
    cp "$AWS_CONFIG_FILE" "$AWS_CONFIG_FILE.$(date +%s).bak"; and rm "$AWS_CONFIG_FILE"
end
if test -f "$HOME/.aws/config"
    cp "$HOME/.aws/config" "$HOME/.aws/config.$(date +%s).bak"; and rm "$HOME/.aws/config"
end
test ! -f "$HOME/.aws/config" -a ! -f "$AWS_CONFIG_FILE"; or echo "Files still present, abort!";
- I go to the SSO start URL for my organization, https://acme.awsapps.com/start. Under the account I want to use, I click Command line or programmatic access, where I read the following instructions: "configure the AWS CLI to retrieve them automatically using the aws configure sso command"
- In my shell, I configure the AWS CLI using aws configure sso:
$ aws configure sso --profile my-org-dev
# Output (interactive):
# SSO session name (Recommended): Admin in My Org
# SSO start URL [None]: https://acme.awsapps.com/start#
# SSO region [None]: eu-central-1
# SSO registration scopes [sso:account:access]:
# Attempting to automatically open the SSO authorization page in your default browser.
# If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
#
# https://device.sso.eu-central-1.amazonaws.com/
#
# Then enter the code:
#
# BRDX-HVMG
# There are 5 AWS accounts available to you.
# Using the account ID 123412341234
# The only role available to you is: AdministratorAccess
# Using the role name "AdministratorAccess"
# CLI default client Region [None]: eu-north-1
# CLI default output format [None]:
#
# To use this profile, specify the profile name using --profile, as shown:
#
# aws s3 ls --profile my-org-dev
- In my shell, I verify that I have a valid session:
$ AWS_PROFILE=my-org-dev aws sts get-caller-identity --output yaml
# Output:
# Account: '048445190004'
# Arn: arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_AdministratorAccess_alongrandomsuffix/[email protected]
# UserId: ANACCESSKEYIDORSECRETNEVERTHELESSREDACTED:[email protected]
$ AWS_PROFILE=my-org-dev aws cloudformation list-stacks --query StackSummaries
# (This is successful; this role has administrative privileges.)
- I initialize a CDK project in a new directory:
$ AWS_PROFILE=my-org-dev cd (mktemp -d); and cdk init app --language=typescript
# Output (partial):
#
# ...
# ✅ All done!
- I attempt to deploy the stack, which fails because CDK cannot determine which account to use:
$ AWS_PROFILE=my-org-dev cdk deploy
# Output:
# ✨ Synthesis time: 2.38s
#
#
# ❌ Deployment failed: Error: Unable to resolve AWS account to use. It must be either configured when you define your CDK Stack, or through the environment
- I follow the instructions in bin/{the application name}.ts, as indicated in the output from the failing cdk deploy, and add:
env: { account: '123456789012', region: 'eu-north-1' },
- I attempt to deploy the stack, which fails because CDK cannot find the credentials:
$ AWS_PROFILE=my-org-dev cdk deploy
# Output:
# ✨ Synthesis time: 2.2s
#
#
# ❌ Deployment failed: Error: Need to perform AWS calls for account 048445190004, but no credentials have been configured
If I remove the sso-session block and move some settings up to the my-org-dev profile, I am able to deploy:
- I make the following changes to my $AWS_CONFIG_FILE:
--- /Users/buggs/.aws/config.old 2023-09-24 18:15:43 +++ /Users/buggs/.aws/config 2023-09-24 18:15:57 @@ -1,9 +1,6 @@ [profile my-org-dev] -sso_session = Admin in My Org sso_account_id = 123412341234 sso_role_name = AdministratorAccess region = eu-north-1 -[sso-session 'Admin in My Org'] sso_start_url = https://acme.awsapps.com/start# sso_region = eu-central-1 -sso_registration_scopes = sso:account:access
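Review bot: the hunk correctly drops sso_registration_scopes together with the sso_session reference and the [sso-session ...] header, since that key is only meaningful on an sso-session section and the remaining sso_start_url/sso_region lines now sit directly on the profile; however, the sso_account_id it keeps (123412341234) does not match the 123456789012 shown in the config quoted earlier in the issue or the account in the CDK error, so the redacted account IDs in this report are inconsistent and worth aligning before anyone reproduces from them.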
- I attempt to deploy the stack, which now succeeds:
$ AWS_PROFILE=my-org-dev cdk deploy
# Output (partial):
# (...)
# ✅ Tmp3F08WwPhStack
# (...)
# ✨ Total time: 15.91s
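As an added example (not the issue author's code nor part of the CDK project), the script below parses a config in the layout quoted above, reports which profiles depend on an [sso-session] section, and builds the inline legacy-style profile that the diff above produces by hand, so a team can spot profiles an older toolkit will fail on before a deploy. It assumes only the Python standard library and the constructed sample config embedded in it.

```python
import configparser

# Constructed sample that mirrors the AWS_CONFIG_FILE quoted in the issue.
SAMPLE_CONFIG = """
[profile my-org-dev]
sso_session = Admin in My Org
sso_account_id = 123456789012
sso_role_name = AdministratorAccess
region = eu-north-1

[sso-session 'Admin in My Org']
sso_start_url = https://acme.awsapps.com/start#
sso_region = eu-central-1
sso_registration_scopes = sso:account:access
"""

# Session keys that the workaround in the issue moves onto the profile itself.
SESSION_KEYS = ("sso_start_url", "sso_region")

def _parse(text):
    # interpolation=None keeps '%' literal; optionxform=str keeps key case as written
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def _session_name(section):
    # "sso-session 'Admin in My Org'" -> "Admin in My Org" (quotes are optional)
    return section[len("sso-session "):].strip().strip("'\"")

def sso_session_profiles(text):
    """Map profile name -> sso-session name for each profile that sets sso_session."""
    cp = _parse(text)
    return {s[len("profile "):]: cp.get(s, "sso_session")
            for s in cp.sections()
            if s.startswith("profile ") and cp.has_option(s, "sso_session")}

def flatten_profile(text, profile):
    """Inline SSO layout of `profile`, matching the issue's workaround: drop
    sso_session, copy the session's sso_start_url/sso_region in, and leave
    sso_registration_scopes out since it belongs to the session section only."""
    cp = _parse(text)
    values = dict(cp.items("profile " + profile))
    session = values.pop("sso_session", None)
    if session is None:
        return values  # already in the inline layout, nothing to move
    sessions = {_session_name(s): s for s in cp.sections() if s.startswith("sso-session ")}
    if session not in sessions:
        raise KeyError("profile %s references unknown sso-session %r" % (profile, session))
    for key in SESSION_KEYS:
        values[key] = cp.get(sessions[session], key)
    return values

if __name__ == "__main__":
    for name, session in sso_session_profiles(SAMPLE_CONFIG).items():
        print(name, "->", session, flatten_profile(SAMPLE_CONFIG, name))
```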
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.97.0 (build d7cf3be)
Framework Version
No response
Node.js Version
18.14.0
OS
macOS 13.4 (22F66)
Language
Typescript
Language Version
~5.2.2
Other information
Similar issues
This seems to be somewhat related to a couple of other issues.
- (cli): (cdk fails with "Profile <profile name> did not include credential process) #25870 has the same "credential process" issue, but is not related to SSO
- (cli): CDK CLI is not discovering SSO Credentials #23520 has the exact same issue. Following the instructions from (cli): CDK CLI is not discovering SSO Credentials #23520 (comment) does not give the same results (aws --profile my-org-dev sts get-caller-identity succeeds, but npx cdk diff --profile my-org-dev fails like above). As far as I can tell, my $AWS_CONFIG_FILE has the same properties.
- Need to perform AWS calls for account XXX, but no credentials have been configured but they are #20935 has recent comments from people experiencing similar issues
- cli: unable to resolve AWS account to use with CLI with SSO #24744 has similar issues with resolving the account ID for SSO credentials