Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CDK Synth doesn't create CloudFormation without full credentials (1.20.0) #5791

Closed
RenkeMeuwese opened this issue Jan 14, 2020 · 7 comments · Fixed by #5803
Closed

CDK Synth doesn't create CloudFormation without full credentials (1.20.0) #5791

RenkeMeuwese opened this issue Jan 14, 2020 · 7 comments · Fixed by #5803
Assignees
@shivlaks
Labels
bug This issue is a bug. package/tools Related to AWS CDK Tools or CLI response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@RenkeMeuwese
Copy link

RenkeMeuwese commented Jan 14, 2020
edited
Loading

In CDK version 1.20.0 the command CDK synth now needs full credentials to run. This is an undocumented (?) breaking change. Creating a CloudFormation template for an account and region without the linked secret key and key ID is no longer possible. This means that my company currently cannot use 1.20.0, as the access key id and secret access key would not be available in the development of the templates. For automatic testing this would also be breaking, as we would obviously not want to have the full credentials in the repository that would do an integration test. Surely CDK should (continue to) be able to create templates without needing deployment credentials at that stage.

Reproduction Steps

Create an environment with an AWS_REGION and an AWS_ACCOUNT, but without a matching AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY.

Error Log

[Error at /test/skeleton] Need to perform AWS calls for account [redacted], but no credentials found. Tried: default credentials.

Environment

  • **CLI Version :1.20.0
  • **Framework Version:1.20.0
  • **OS :OS Mac Catalina
  • **Language :Python 3.6.5

This is 🐛 Bug Report
@RenkeMeuwese RenkeMeuwese added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 14, 2020
@richardhboyd
Copy link
Contributor

Are you preforming any fromAttributes(....) calls or uploading any assets in your code? My understanding is that these are the ones that require credentials for synth

@skinny85
Copy link
Contributor

Can you show the code that's causing this @RenkeMeuwese ?

@skinny85 skinny85 added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jan 14, 2020
@SomayaB SomayaB added the package/tools Related to AWS CDK Tools or CLI label Jan 14, 2020
@SomayaB SomayaB removed the needs-triage This issue or PR still needs to be triaged. label Jan 14, 2020
@shivlaks
Copy link
Contributor

in addition to the code as requested by @skinny85 can you also run the command with --v flag and share the output? Please redact the cli output as necessary.

rix0rrr added a commit that referenced this issue Jan 15, 2020
@rix0rrr
fix(cli): proxy support
b56f159 
Proxy support was broken in the PR that introduced support for custom CA
bundles. Fix the support.

Fixes #5743, fixes #5791.
@rix0rrr rix0rrr mentioned this issue Jan 15, 2020
Merged
rix0rrr added a commit that referenced this issue Jan 15, 2020
@rix0rrr
fix(cli): proxy support
5dfec17 
Proxy support was broken in the PR that introduced support for custom CA
bundles. Fix the support.

Fixes #5743, fixes #5791.
rix0rrr added a commit that referenced this issue Jan 15, 2020
@rix0rrr
fix(cli): proxy support is broken (#5803)
3a63f57 
Proxy support was broken in the PR that introduced support for custom CA
bundles. Fix the support.

Fixes #5743, fixes #5791.
@RenkeMeuwese
Copy link
Author

Replicated the error in 1.21.1. I can see that despite the error message, the cdk.out is populated when performing cdk synth. However, the cdk.context.json is empty and the CLI seems to suggest that the synth step failed.. See the difference in output below when using a dummy value for account or an authenticated account.
outputdummyvsauthenticated.pdf

@RenkeMeuwese
Copy link
Author

Attached the output with -v
output-v.pdf

@RenkeMeuwese
Copy link
Author

Attached: code that causes the error.

Archive.zip

@RenkeMeuwese RenkeMeuwese changed the title CDK Synth doesn't create CloudFormation without full credentials (1.20.0) CDK Synth doesn't create CloudFormation without full credentials (1.21.1) Jan 17, 2020
@RenkeMeuwese RenkeMeuwese changed the title CDK Synth doesn't create CloudFormation without full credentials (1.21.1) CDK Synth doesn't create CloudFormation without full credentials (1.20.0) Jan 17, 2020
@RenkeMeuwese RenkeMeuwese mentioned this issue Jan 17, 2020
Closed
eladb pushed a commit that referenced this issue Feb 4, 2020
feat(ecs): ContainerImage.fromDockerImageAsset
b94577a 
Allow using an existing `DockerImageAsset` object as a container image in order to enable direct access to `DockerImageAsset`s API such as accessing the ECR repository, the source hash or granting permissions.

The reason this could not have been exposed through the normal `fromImageAsset` is that `ContainerImage` can be used multiple times (i.e. be bound to multiple container definitions), so there is no reliable way to allow users to access the asset.

Related to #5791 and #5983
@eladb eladb mentioned this issue Feb 4, 2020
Merged
eladb pushed a commit that referenced this issue Feb 5, 2020
feat(ecs): ContainerImage.fromDockerImageAsset (#6093)
38e9865 
Allow using an existing `DockerImageAsset` object as a container image in order to enable direct access to `DockerImageAsset`s API such as accessing the ECR repository, the source hash or granting permissions.

The reason this could not have been exposed through the normal `fromImageAsset` is that `ContainerImage` can be used multiple times (i.e. be bound to multiple container definitions), so there is no reliable way to allow users to access the asset.

Related to #5791 and #5983
@amedveshchek
Copy link

Is there any update? I have the same issue: as soon as I've added VPC to my CDK code, cdk synth started to ask for credentials.

[Error at /Lambdas-Alpha] Need to perform AWS calls for account XXXXXXXXXXX, but no credentials have been configured

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@shivlaks shivlaks

Labels
bug This issue is a bug. package/tools Related to AWS CDK Tools or CLI response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(cli): proxy support is broken aws/aws-cdk
6 participants
@skinny85 @SomayaB @amedveshchek @shivlaks @RenkeMeuwese @richardhboyd