Unexpected behavior of default environment (region/account)

[mindstorms6]

Hiya friends!

AWS IS SO SECURE 🔐

Tl;dr I have some creds in my env

> env | grep AWS
AWS_ACCESS_KEY_ID=nope
AWS_SECRET_ACCESS_KEY=nope
AWS_SESSION_TOKEN=nice try
┌[breland☮Brelands-MacBook-Pro-2.local]-(~/repos/aws-cdk/packages/swa-test)-[git://dev-brelandm ✗]-

And I'd love to use them:

┌[breland☮Brelands-MacBook-Pro-2.local]-(~/repos/aws-cdk/packages/swa-test)-[git://dev-brelandm ✗]-
└> ../aws-cdk-toolkit/bin/cdk -v bootstrap
Defaults: {  "app": "node index.js"}
Obtaining default region from AWS configuration
Setting "default-region" context to undefined
Looking up default account ID from STS
Setting "default-account" context to 532610000315
node index.js '{"type":"list","context":{"default-account":"532610000315"}}'
Stack name not specified, so defaulting to all available stacks: SWA
 ⏳  Bootstrapping environment 532610000315/us-west-1...
 ❌  Environment 532610000315/us-west-1 failed bootstrapping: Error: Need to perform AWS calls for account 532610000315, but no credentials found. Tried: default credentials.
Need to perform AWS calls for account 532610000315, but no credentials found. Tried: default credentials.
Error: Need to perform AWS calls for account 532610000315, but no credentials found. Tried: default credentials.
    at SDK.getCredentialProvider (/Users/breland/repos/aws-cdk/packages/aws-cdk-toolkit/lib/api/util/sdk.ts:124:15)
    at <anonymous>
    at process._tickCallback (internal/process/next_tick.js:160:7)
┌[breland☮Brelands-MacBook-Pro-2.local]-(~/repos/aws-cdk/packages/swa-test)-[git://dev-brelandm ✗]-

Is there some magic trick I need to use? The docs would indicate this should work... What am I missing?

[mindstorms6]

I fixed it by doing a horrifying thing

class Test implements CredentialProviderSource {
    public readonly name: string = "CustomCreds";

    public isAvailable() {
        return new Promise<boolean>((_resolve, _reject) => {
            _resolve(true);
        });
    }

    public canProvideCredentials(_accountId: string): Promise<boolean> {
        return new Promise((resolve, _reject) => {
                resolve(true);
            });
    }

    getProvider(_accountId: string, _mode: Mode): Promise<CredentialProviderChain> {
        return new Promise<CredentialProviderChain>((resolve, _reject) => {
            resolve(new CredentialProviderChain());
        });
    }
}

PluginHost.instance.registerCredentialProviderSource(new Test());
const app = new App(process.argv);

[mindstorms6]

Actually no, that didn't fix it :(

[mindstorms6]

I was able to aws configure with an IAM user and be ok. I cannot quite understand why env creds didn't work though :/

[rix0rrr]

That's funky. I use it with environment variables all the time.

[mindstorms6]

Hmmm. I'll clean some things up and try again but I tried valiantly and it was not happy

[rix0rrr]

This error could also be consistent with credentials for one particular account but default-account setting for a different one?

[mindstorms6]

Oh interesting - I thought i had those aligned - lemme check

[Doug-AWS]

When you guys get this working could you add a blurb in the readme on how to access an env var?

[rix0rrr]

Nobody needs to access env vars. People might need to set them, but I think there should be a limit to what we need to explain.

Do we also tell people how to start a Terminal window?

[eladb]

@Doug-AWS using environment variables for credentials should be transparent. However there is an order of precedence which is definitely something we should document well

[fulghum]

+1 for documenting credential loading precedence. Doug is right that it should be consistent with the other AWS development tools.

[eladb]

Let's work backwards from the desired behavior (without toolkit credentials plugins installed):

• If env is not specified when a stack is created, the account and region should be exactly like the aws cli would behave if --region was not specified, based on the default credentials chain as @Doug-AWS indicates.
• If only env.region is specified (no account), then the account should derive from the default credentials chain but region should be based on the region.
• If env.account is also specified, then region must also be defined (?) and then the toolkit should be defensive and fail if the default credentials chain didn't include credentials for that account.
• If there are no credentials configured in the default credentials chain, the toolkit should fail with an error "missing credentials", and link to https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html for instructions on how to configure credentials.

---

Now for some implementation-related issues. I think one of the reasons we keep seeing inconsistencies is because there were previously conflicting instructions on specifying the default-region and default-account contextual parameters in cdk.json (or ~/.cdk.json). These parameters superseded the normal behavior and things got messy.

Since we still need to relay the region/account in case they are not explicitly specified when a Stack is created, My recommendation is to deprecate default-account and default-region (error if they are specified) and use a different context argument to pass the default account/region from the toolkit. Perhaps something like cdk:toolkit:defaultenv=<ACCOUNT>/<REGION>. This argument should never be explicitly specified in cdk.json (maybe we can even add some defense that doesn't allow context that starts with "cdk:" to be specified by humans...).