(api/aws-auth): Error on CDK commands when user does not exist

[adambro]

What is the problem?

In some cases (i.e. Docker container) a system user might not be in /etc/passwd file. It causes cdk diff (for example) to fail.

Reproduction Steps

For any CDK project run cli via docker container that has newly created user. for example:

docker run --rm -v `pwd`:/usr/src/app -w /usr/src/app -u 1001 -e NO_UPDATE_NOTIFIER=1 -e npm_config_cache=/tmp -e CDK_HOME=/tmp -v ~/.aws:/.aws node:14 npm run cdk diff

What did you expect to happen?

By looking at code of safeUsername() function it's just used as part of RoleSessionName name. It could have a nice fallback to i.e. $USER env var or just predefined default value. The function is very simple:

function safeUsername() {
    return os.userInfo().username.replace(/[^\w+=,.@-]/g, '@');
}

What actually happened?

It causes cdk diff (for example) to fail with following stack trace:

Stack EksCdkStack
Reading existing template for stack EksCdkStack.
Retrieved account ID xxx from disk cache
Assuming role 'arn:aws:iam::xxx:role/cdk-hnb659fds-lookup-role-xxx-eu-west-1'.
SystemError [ERR_SYSTEM_ERROR]: A system error occurred: uv_os_get_passwd returned ENOENT (no such file or directory)
    at new SystemError (internal/errors.js:217:5)
    at new NodeError (internal/errors.js:302:7)
    at Object.userInfo (os.js:347:11)
    at safeUsername (/usr/src/app/node_modules/aws-cdk/lib/api/aws-auth/sdk-provider.ts:462:13)
    at SdkProvider.withAssumedRole (/usr/src/app/node_modules/aws-cdk/lib/api/aws-auth/sdk-provider.ts:348:37)
    at SdkProvider.forEnvironment (/usr/src/app/node_modules/aws-cdk/lib/api/aws-auth/sdk-provider.ts:189:28)

CDK CLI Version

2.10.0 (build e5b301f)

Framework Version

No response

Node.js Version

v14.19.0

OS

Ubuntu 20.04

Language

Typescript

Language Version

No response

Other information

I can contribute PR if you wish. Any hints of fallback value are appreciated :)

[rittneje]

We are seeing the same from cdk synth. And we already have role credentials, so it shouldn't be trying to calculate a role session name.

With regards to the fallback, maybe just use the uid? Might also be helpful to include the hostname too.

[rix0rrr]

Duplicate of #7937.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

[adambro]

Hey @rix0rrr the #7937 bug is about problem with cdkHomeDir, which I took care of by setting CDK_HOME=/tmp env var. I bet if people do set CDK_HOME they will encounter the problem with safeUsername() as I described here. So those are related, but not duplicated.