[CDK Pipelines] Changes are deployed and published using global STS endpoints #9223

Closed
justin8 opened this issue Jul 23, 2020 · 3 comments · Fixed by #9835
Labels
@aws-cdk/pipelines CDK Pipelines library effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p1

Comments

@justin8
Contributor

justin8 commented Jul 23, 2020

CDK Pipelines currently uses global STS endpoints to publish artifacts and also to deploy the self-mutating pipeline changes instead of the correct regional endpoints.

Reproduction Steps

Create a CDK pipeline; using the demo example in the docs is fine. Check your CloudTrail logs and you will see v1 API calls to the us-east-1 endpoint for STS (auth tokens that start with an F).

Error Log

Environment

  • CLI Version: 1.51.0
  • Framework Version: 1.51.0
  • Node.js Version: v12.13.1
  • OS: Mac
  • Language (Version): TypeScript 3.8.3

Other


This is 🐛 Bug Report
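
The CloudTrail check from the reproduction steps, as an added example that is not part of the original issue or the CDK code base: it classifies STS records by the hostname the client sent and counts global-endpoint calls per role. It assumes the records carry `tlsDetails.clientProvidedHostHeader`; the function names and the sample records are constructed for illustration.

```javascript
// Constructed CloudTrail records for illustration; not taken from the issue.
const ROLE = "arn:aws:sts::111122223333:assumed-role/ExampleBuildRole";
const SAMPLE_EVENTS = [
  { eventSource: "sts.amazonaws.com", eventName: "AssumeRole", awsRegion: "us-east-1",
    userIdentity: { arn: `${ROLE}/build-1` },
    tlsDetails: { clientProvidedHostHeader: "sts.amazonaws.com" } },
  { eventSource: "sts.amazonaws.com", eventName: "AssumeRole", awsRegion: "us-east-1",
    userIdentity: { arn: `${ROLE}/build-2` },
    tlsDetails: { clientProvidedHostHeader: "sts.amazonaws.com" } },
  { eventSource: "sts.amazonaws.com", eventName: "AssumeRole", awsRegion: "eu-west-1",
    userIdentity: { arn: `${ROLE}/build-3` },
    tlsDetails: { clientProvidedHostHeader: "sts.eu-west-1.amazonaws.com" } },
  // Record without tlsDetails: cannot be classified from the host header.
  { eventSource: "sts.amazonaws.com", eventName: "GetCallerIdentity", awsRegion: "us-east-1",
    userIdentity: { arn: `${ROLE}/build-4` } },
  { eventSource: "s3.amazonaws.com", eventName: "PutObject", awsRegion: "eu-west-1",
    userIdentity: { arn: `${ROLE}/build-5` },
    tlsDetails: { clientProvidedHostHeader: "s3.eu-west-1.amazonaws.com" } },
];

// Returns null for non-STS records, otherwise "global", "regional" or "unknown".
function stsEndpointKind(event) {
  if (event.eventSource !== "sts.amazonaws.com") return null;
  const host = (event.tlsDetails?.clientProvidedHostHeader || "").toLowerCase();
  if (host === "sts.amazonaws.com") return "global";
  if (/^sts(-fips)?\.[a-z0-9-]+\.amazonaws\.com(\.cn)?$/.test(host)) return "regional";
  return "unknown"; // no host header recorded, or a hostname this check does not know
}

// Drop the session name so every session of one role is counted together.
function principalOf(event) {
  const arn = event.userIdentity?.arn || "unknown";
  return arn.replace(/^(arn:[^:]+:sts::\d+:assumed-role\/[^/]+)\/.*$/, "$1");
}

// Count global-endpoint STS calls per (principal, API call), most frequent first.
function summarizeGlobalStsCalls(events) {
  const counts = new Map();
  for (const e of events) {
    if (stsEndpointKind(e) !== "global") continue;
    const key = `${principalOf(e)}|${e.eventName}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return [...counts].map(([key, count]) => {
    const [principal, eventName] = key.split("|");
    return { principal, eventName, count };
  }).sort((a, b) => b.count - a.count);
}

console.log(summarizeGlobalStsCalls(SAMPLE_EVENTS));
```

Records classified as "unknown" need a separate look, since a missing host header says nothing about which endpoint was used.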

@justin8 justin8 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jul 23, 2020
@github-actions github-actions bot added the @aws-cdk/pipelines CDK Pipelines library label Jul 23, 2020
@justin8 justin8 changed the title [CDK Pipelines] [CDK Pipelines] Changes are deployed and published using global STS endpoints Jul 23, 2020
@ericzbeard
Contributor

I don't think this is a bug, since switching to regional endpoints is more of an optimization than a necessity.

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html

@ericzbeard ericzbeard added feature-request A feature should be added or improved. and removed bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jul 23, 2020
@justin8
Contributor Author

justin8 commented Jul 23, 2020

It means we have created a single point of failure that is outside of the region a pipeline is configured to use as the “global” endpoint is dependent on us-east-1.

If CDK is supposed to have best practices as a default then this is a bug.

@ericzbeard ericzbeard added the p1 label Jul 23, 2020
@ericzbeard ericzbeard removed their assignment Aug 3, 2020
@rix0rrr
Contributor

rix0rrr commented Aug 4, 2020

I agree. Thanks for the report.

@rix0rrr rix0rrr added the effort/small Small work item – less than a day of effort label Aug 4, 2020
@rix0rrr rix0rrr added this to the [CDK Pipelines] Soon milestone Aug 12, 2020
rix0rrr added a commit that referenced this issue Aug 19, 2020
Make CLI and `cdk-assets` use regional endpoints by setting
`AWS_STS_REGIONAL_ENDPOINTS=regional`.

While we are configuring the SDK by setting global environment
variables anyway (*shudder*), might as well improve performance
a bit by enabling keepalive on the connections (by setting
`AWS_NODEJS_CONNECTION_REUSE_ENABLED=1`).

Fixes #9223.
@mergify mergify bot closed this as completed in #9835 Aug 19, 2020
mergify bot pushed a commit that referenced this issue Aug 19, 2020
Make CLI and `cdk-assets` use regional endpoints by setting
`AWS_STS_REGIONAL_ENDPOINTS=regional`.

While we are configuring the SDK by setting global environment
variables anyway (*shudder*), might as well improve performance
a bit by enabling keepalive on the connections (by setting
`AWS_NODEJS_CONNECTION_REUSE_ENABLED=1`).

Fixes #9223.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*