Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cr.AwsCustomResource: Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1 #23736

Closed
svyotov opened this issue Jan 18, 2023 · 3 comments
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. p2

Comments

@svyotov
Copy link

svyotov commented Jan 18, 2023

Describe the bug

CDK is failing with Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1
when we use cr.AwsCustomResource with cross account assumedRoleArn role.
It works fine when it is called only once, but if there are two separate calls with different accounts assumedRoleArn the resource fails with the error above.

Expected Behavior

Not to fail

Current Behavior

Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1

Reproduction Steps

const id = "..."
const assumedRoleArn1 = "arn:..."
const assumedRoleArn2 = "arn:..."
const scope = "..."

[[assumedRoleArn1, "first"], [assumedRoleArn2, "second"]].forEach(values => {
  const assumedRoleArn = values[0];
  const parameterName = values[1];
  const resourceId = id + parameterName
  cr.AwsCustomResource(scope, resourceId, {
    resourceType: `Custom::getParameter-${parameterName}`,
    onUpdate:  {
      assumedRoleArn: assumedRoleArn,
      service: 'SSM',
      action: 'getParameter',
      parameters: {
        Name: parameterName
      },
      physicalResourceId: { id: resourceId }
    },
    logRetention: 30,
    functionName: `getParameter-${parameterName}`,
    policy: cr.AwsCustomResourcePolicy.fromSdkCalls({
      resources: cr.AwsCustomResourcePolicy.ANY_RESOURCE
    })
  }).getResponseField('Parameter.Value');
}

Possible Solution

assumedRoleArn1 and assumedRoleArn2 are from 2 different AWS accounts, separate from the account running the cloudformation

Additional Information/Context

No response

CDK CLI Version

2.60.0 (build 2d40d77)

Framework Version

om

Node.js Version

v16.14.0

OS

Linux

Language

Typescript

Language Version

TypeScript (3.8.3)

Other information

No response

@svyotov svyotov added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 18, 2023
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Jan 18, 2023
@pahud pahud added investigating This issue is being investigated and/or work is in progress to resolve the issue. needs-reproduction This issue needs reproduction. and removed needs-triage This issue or PR still needs to be triaged. labels Mar 1, 2023
@pahud pahud self-assigned this Mar 1, 2023
@pahud pahud added the p2 label Mar 15, 2023
@Lewenhaupt
Copy link

I think this is related to #15425

@pahud
Copy link
Contributor

pahud commented Aug 7, 2024

resolving from #15425

Feel free to create a new issue if you believe it's still relevant. Thanks.

@pahud pahud closed this as completed Aug 7, 2024
@pahud pahud removed their assignment Aug 7, 2024
@pahud pahud removed investigating This issue is being investigated and/or work is in progress to resolve the issue. needs-reproduction This issue needs reproduction. labels Aug 7, 2024
Copy link

github-actions bot commented Aug 7, 2024

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 7, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. p2
Projects
None yet
Development

No branches or pull requests

3 participants