CDK Synth gives error if credentials are incomplete (1.21.1)

[RenkeMeuwese]

This is a reposting of #5791, which was linked to PR #5803 but persists from 1.20.0 to 1.21.1.

Reproduction Steps

Using an account not linked to credentials from the default configuration gives errors in the execution of cdk synth.

Error Log

context: {
  'availability-zones:account=2:region=us-east-2': {
    '$providerError': 'Need to perform AWS calls for account 2, but no credentials found. Tried: default credentials.',
    '$dontSaveContext': true
  },
  'aws:cdk:enable-path-metadata': true,
  'aws:cdk:enable-asset-metadata': true
}
outdir: cdk.out
env: {
  CDK_DEFAULT_REGION: 'eu-central-1',
  CDK_DEFAULT_ACCOUNT: '[redacted-main account]',
  CDK_CONTEXT_JSON: '{"availability-zones:account=2:region=us-east-2":{"$providerError":"Need to perform AWS calls for account 2, but no credentials found. Tried: default credentials.","$dontSaveContext":true},"aws:cdk:enable-path-metadata":true,"aws:cdk:enable-asset-metadata":true}',
  CDK_OUTDIR: 'cdk.out',
  CDK_CLI_ASM_VERSION: '1.16.0',
  CDK_CLI_VERSION: '1.21.1'
}
Not making progress trying to resolve environmental context. Giving up.
[Error at /upg/skeleton] Need to perform AWS calls for account 2, but no credentials found. Tried: default credentials.

Environment

• **CLI Version :1.21.1
• **Framework Version:1.21.1
• **OS :Mac OS Catalina
• **Language :Python

Other

Attached: output file with -v, and output with authentication, which is what we do not want to do at the stage that cdk synth is called. And the code that causes the error, zipped.

Archive.zip

output-v.pdf
outputdummyvsauthenticated.pdf

---

This is 🐛 Bug Report

[rix0rrr]

This is suspicious to me:

Reading AZs for 2:us-east-2
Setting "availability-zones:account=2:region=us-east-2" context to
{"$providerError":"Need to perform AWS calls for account 2, but no credentials
found. Tried: default credentials.","$dontSaveContext":true}

Where is that account number 2 coming from?

[rix0rrr]

(That should have said [redacted-main-account])

[rix0rrr]

Can you cat cdk.out/manifest.json for me?

[rix0rrr]

Seems to be coming from here:

        self.env = core.Environment(
            account=os.getenv('AWS_ACCOUNT'),
            region=os.getenv('AWS_REGION')
        )

[rix0rrr]

I'm going to guess while running the app your environment looked like this:

AWS_ACCESS_KEY_ID=...
AWS_SECRET_ACCESS_KEY=...
AWS_SESSION_TOKEN=...
AWS_ACCOUNT=2
AWS_REGION=us-east-2

You're probably intending to use os.getenv('CDK_DEFAULT_ACCOUNT') which translates to "the account you currently have credentials for"

[shivlaks]

@RenkeMeuwese - could you please follow up with the suggestions that @rix0rrr has outlined? I also suspect that this is because of your environment set-up. starting with cdk.out and taking a look at the manifest is a great starting point.

[RenkeMeuwese]

@rix0rrr : you're right, the cli tries to match the os environment with the account '2', which is a dummy account used in the creation of this test project. There is a local file, env.aws.development which is loaded which has this account in it. And indeed this fails.

However, in 1.19.0 this doesn't cause any failure, as cdk synth just doesn't look for full credentials. Using the cdk to create infrastructure as code in a predictable way, we want to continue to be able to produce cloudformation templates without having to provide full credentials every step of the way.

[RenkeMeuwese]

manifestcat.pdf

[RenkeMeuwese]

So after some team discussion we discovered that this behavior change comes from #5594. We were creating a NestedStack which looks for availability zones and needs the names of those zones. In 1.19.0 this value was not needed for cdk synth. Documentation on the functionality of cdk.context.json is desireable.