cli: does not support SSO authentication

[FenryrMKIII]

I am following the blog post here.

When issuing the command :

cdk bootstrap aws://<account>/<region> --profile my-profile

I get a KeyError: 'CDK_DEFAULT_ACCOUNT' in my app.py

In order to try to understand the error I also ran :

cdk synth --trace --verbose --profile my-profile

and I see :

Setting "CDK_DEFAULT_REGION" environment variable to eu-west-1
Resolving default credentials
Unable to determine the default AWS account: ProcessCredentialsProviderFailure: Profile my-profile did not include credential process
    at ProcessCredentials.load (C:\Users\XXX\AppData\Roaming\npm\node_modules\aws-cdk\node_modules\aws-sdk\lib\credentials\process_credentials.js:102:11)
    at ProcessCredentials.coalesceRefresh (C:\Users\XXX\AppData\Roaming\npm\node_modules\aws-cdk\node_modules\aws-sdk\lib\credentials.js:205:12)
    at ProcessCredentials.refresh (C:\Users\DAA426\XXX\Roaming\npm\node_modules\aws-cdk\node_modules\aws-sdk\lib\credentials\process_credentials.js:163:10)
    at ProcessCredentials.get (C:\Users\DAA426\XXX\Roaming\npm\node_modules\aws-cdk\node_modules\aws-sdk\lib\credentials.js:122:12)
    at resolveNext (C:\Users\DAA426\XXX\Roaming\npm\node_modules\aws-cdk\node_modules\aws-sdk\lib\credentials\credential_provider_chain.js:125:17)
    at C:\Users\XXX\AppData\Roaming\npm\node_modules\aws-cdk\node_modules\aws-sdk\lib\credentials\credential_provider_chain.js:126:13
    at C:\Users\XXX\AppData\Roaming\npm\node_modules\aws-cdk\node_modules\aws-sdk\lib\credentials.js:124:23
    at C:\Users\XXX\AppData\Roaming\npm\node_modules\aws-cdk\node_modules\aws-sdk\lib\credentials.js:212:15
    at processTicksAndRejections (internal/process/task_queues.js:77:11) {
  code: 'ProcessCredentialsProviderFailure',
  time: 2021-06-25T08:07:47.744Z

The region is correct so somehow the profile is taken into account but not the credentials. Note that the credentials work perfectly fine if I do for example :

aws s3 ls --profile my-profile

Reproduction Steps

Copy the project :

git clone https://github.com/aws-samples/enginframe-aurora-serverless

Create a virtual environment with Python and install the dependencies e.g. using virtualenv and virtualenvwrapper :

mkvirtualenv cdk-test -p path/to/python/3.8/executable
work on cdk-test
pip install -r requirements.txt

finally, run the bootstrap command using your profile (and having performed whatever logging process this requires beforehand)

cdk bootstrap aws://<account>/<region> --profile my-profile

Note:
If you have an error with "can't find python executable" change "app": "python3 app.py", in cdk.json to "app": "python app.py",

What did you expect to happen?

The command should work without any issue

What actually happened?

The command throws an error when reading the Python file because it can't find the account because it can't find the credentials process.

Environment

• CDK CLI Version : 1.109.0
• Framework Version: ??
• Node.js Version: v14.17.1
• OS : Windows 10
• Language (Version): Python 3.8.3

Other

I am behind a company proxy (Zscaler)

---

This is 🐛 Bug Report

[FenryrMKIII]

Exploring, I see that the variables are actually not set by AWS CDK :

CDK_CLI_ASM_VERSION
CDK_CLI_VERSION
CDK_CONTEXT_JSON
CDK_DEFAULT_REGION
CDK_OUTDIR

Those are the only CDK variables I see printed out

[c7bh1]

I am experiencing a similar error when trying to bootstrap our pipeline. Some guidance would be appreciated.

[peterwoodworth]

Hey all, I'm unable to reproduce this error. I'll try to research this and get back to you.

@FenryrMKIII how did you configure your aws credentials?

@c7bh1 exactly what error are you experiencing?

[c7bh1]

I'm getting the error of "Unable to determine the default AWS account: ProcessCredentialsProviderFailure: Profile myProfileName did not include credential process" when running the bootstrap command (npx cdk bootstrap --profile myProfileName aws:///).

In bin/mypipelinestack.ts I am instantiating the stack with an account id and region. My ~/.aws/credentials file looks like this:
[myProfileName]
role_arn = arn:aws:iam::XXXXXXXXXXXX:role/Admin
aws_access_key_id = ASIA
aws_secret_access_key = A5r+H/
source_profile = myProfileName
region = us-west-2

My ~/.aws/config file looks like this:
[profile myProfileName]
region = us-west-2

We are also operating behind a company proxy.

CDK CLI Version : 1.110.0
Node.js Version: v14.16.1
OS : MacOS
Language (Version): Typescript

Our aws cli seems to be working fine as we can run commands like aws s3 ls --profile myProfileName

[FenryrMKIII]

Hey all, I'm unable to reproduce this error. I'll try to research this and get back to you.

@FenryrMKIII how did you configure your aws credentials?

@c7bh1 exactly what error are you experiencing?

On my side, credentials were setup through AWS sso configure. My company uses OKTA as sso provider.

[alexandervandekleutab]

I am also having issues using aws sso configure to run any CDK commands. Does CDK not support authentication via sso?

[peterwoodworth]

Thanks for the additional info, I wonder if this has to do with the company proxy. @rix0rrr your help would be appreciated here

[rix0rrr]

@c7bh1

[myProfileName]
...
role_arn = THE_ROLE_ARN
source_profile = myProfileName

This is saying: in order to assume the role THE_ROLE_ARN in the profile myProfileName, use the credentials from myProfileName. Is that what it says in your credentials file or did you oversimplify some details here?

source_profile is supposed to point to a profile that has direct credentials, or a description of how to get credentials for the AssumeRole operation.

Also:

[profile myProfileName]
region = us-west-2

That does not seem like enough information for the credential provider to go on.

I have to confess I don't know how SSO is supposed to work. If you start your day with aws sso login or something, it might be that this is an AWS CLI-specific feature that the CDK doesn't support.

[groner]

I'm running into this today.

It looks like aws/aws-sdk-js#3736 adds SSO support to aws-sdk, but it hasn't landed yet.

Maybe things will just start working once it does?

[FenryrMKIII]

The only way I could get this to work was to manually create a credentials file in ~/.aws directory with the AWS_SECRET_KEY, ...

So it looks like this :

[myprofile]
aws_access_key_id=********
aws_secret_access_key=***************
aws_session_token=************

I was able to get those information from my company SSO login portal... I don't know how to get those information from AWS CLI because they are hidden when issuing the command aws configure list

[alexandervandekleutab]

I just ended up using the tool yawsso to generate the credentials file from sso credentials. You can configure how long those credentials are valid for.

[dan-lind]

Some more info, if it helps.
I'm using my default profile

$ aws sso login
$ aws s3 ls    <-- works fine
$ cdk diff mystack -v -v -v
...
Using proxy server: http://<redacted>.com:8080
Determining if we're on an EC2 instance.
Does not look like an EC2 instance.
Toolkit stack: CDKToolkit
Setting "CDK_DEFAULT_REGION" environment variable to eu-west-1
Resolving default credentials
Retrieved account ID <redacted> from disk cache
Setting "CDK_DEFAULT_ACCOUNT" environment variable to <redacted>
context: { .... }
...
env: {
  CDK_DEFAULT_REGION: 'eu-west-1',
  CDK_DEFAULT_ACCOUNT: '<redacted>',
  CDK_CONTEXT_JSON: '{ ... }
  CDK_OUTDIR: 'cdk.out',
  CDK_CLI_ASM_VERSION: '14.0.0',
  CDK_CLI_VERSION: '2.0.0-rc.23'
}
...
Stack mystack
Reading existing template for stack mystack.
[AWS cloudformation 403 593.955s 10 retries] describeStacks({ StackName: 'dev-pmd-app' })
Call failed: describeStacks({"StackName":"mystack"}) => The security token included in the request is expired (code=ExpiredToken)
The security token included in the request is expired

As you can see, besides the fact that it fails, it retries once every minute for 10 minutes to do so

I'm happy to provide more details if it helps.

[cacack]

Any news on this? I'm just beginning with CDK and attempting to bootstrap my lab development and production accounts. I use AWS SSO without an IdP; creating users and groups directly in SSO.

On the CLI, I've configured SSO using profiles in my ~/.aws/config:

[profile lab-development]
sso_start_url = https://<redacted>.awsapps.com/start
sso_account_id = <redacted>
sso_role_name = admin
sso_region = us-east-2
region = us-east-2

[profile lab-production]
sso_start_url = https://<redacted>.awsapps.com/start
sso_account_id = <redacted>
sso_role_name = admin
sso_region = us-east-2
region = us-east-2

Failing bootstrap looks like:

❯ export AWS_PROFILE=lab-development
❯ aws sso login
✖ env CDK_NEW_BOOTSTRAP=1 npx cdk bootstrap --trust <redacted> --cloudformation-execution-policies arn:aws:iam::aws:policy/PowerUserAccess aws://<redacted>/us-east-2
CDK_NEW_BOOTSTRAP set, using new-style bootstrapping
 ⏳  Bootstrapping environment aws://<redacted>/us-east-2...
 ❌  Environment aws://<redacted>/us-east-2 failed bootstrapping: Error: Need to perform AWS calls for account <redacted>, but no credentials have been configured
    at SdkProvider.forEnvironment (/home/chris/devel/home/aws-workshop/sample-application-backend/node_modules/aws-cdk/lib/api/aws-auth/sdk-provider.ts:149:46)
    at Function.lookup (/home/chris/devel/home/aws-workshop/sample-application-backend/node_modules/aws-cdk/lib/api/bootstrap/deploy-bootstrap.ts:30:17)
    at Bootstrapper.modernBootstrap (/home/chris/devel/home/aws-workshop/sample-application-backend/node_modules/aws-cdk/lib/api/bootstrap/bootstrap-environment.ts:80:21)
    at /home/chris/devel/home/aws-workshop/sample-application-backend/node_modules/aws-cdk/lib/cdk-toolkit.ts:464:24
    at async Promise.all (index 0)
    at CdkToolkit.bootstrap (/home/chris/devel/home/aws-workshop/sample-application-backend/node_modules/aws-cdk/lib/cdk-toolkit.ts:461:5)
    at initCommandLine (/home/chris/devel/home/aws-workshop/sample-application-backend/node_modules/aws-cdk/bin/cdk.ts:267:9)
Need to perform AWS calls for account <redacted>, but no credentials have been configured

[cacack]

Hmm, looks like this might be a duplicate of #5455

[jessecollier]

This was just released in 2.18.0 and 1.150.0. Confirmed it's working for me now!

[peterwoodworth]

Thanks @jessecollier, you're right! Here's the PR #19454

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.