aws-cdk: cli: CDK does not seem to be compatible with config generated from `aws configure sso`

Describe the bug

When setting up a project from scratch with SSO credentials, CDK fails to authorize.

The steps I’m following are as follows:

  1. Configure my credentials using aws configure sso
  2. aws sso login --profile my-org-dev
  3. I set the account and region in bin/{stack}.ts
  4. AWS_PROFILE=my-org-dev cdk deploy

I receive the following error message:

$ AWS_PROFILE=my-org-dev cdk deploy

# Output:
# ✨  Synthesis time: 3.42s
#
#
# ❌ Deployment failed: Error: Need to perform AWS calls for account 123456789012, but no credentials have been configured

Expected Behavior

I expect CDK to be compatible with credentials generated with aws configure sso and aws sso login.

Current Behavior

When deploying, I get the following output:

$ AWS_PROFILE=my-org-dev cdk deploy -vvv

# Output:
# [18:26:42] CDK toolkit version: 2.97.0 (build d7cf3be)
# [18:26:42] Command line arguments: {
#   _: [ 'deploy' ],
#   v: 3,
#   verbose: 3,
#   lookups: true,
#   'ignore-errors': false,
#   ignoreErrors: false,
#   json: false,
#   j: false,
#   debug: false,
#   ec2creds: undefined,
#   i: undefined,
#   'version-reporting': undefined,
#   versionReporting: undefined,
#   'path-metadata': undefined,
#   pathMetadata: undefined,
#   'asset-metadata': undefined,
#   assetMetadata: undefined,
#   'role-arn': undefined,
#   r: undefined,
#   roleArn: undefined,
#   staging: true,
#   'no-color': false,
#   noColor: false,
#   ci: false,
#   all: false,
#   'build-exclude': [],
#   E: [],
#   buildExclude: [],
#   force: false,
#   f: false,
#   parameters: [ {} ],
#   'previous-parameters': true,
#   previousParameters: true,
#   logs: true,
#   concurrency: 1,
#   'asset-prebuild': true,
#   assetPrebuild: true,
#   '$0': '/Users/buggs/node/n/bin/cdk'
# }
# [18:26:42] cdk.json: {
#   "app": "npx ts-node --prefer-ts-exts bin/tmp.3f08_ww_ph.ts",
#   "watch": {
#     "include": [
#       "**"
#     ],
#     "exclude": [
#       "README.md",
#       "cdk*.json",
#       "**/*.d.ts",
#       "**/*.js",
#       "tsconfig.json",
#       "package*.json",
#       "yarn.lock",
#       "node_modules",
#       "test"
#     ]
#   },
#   "context": {
#     "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
#     "@aws-cdk/core:checkSecretUsage": true,
#     "@aws-cdk/core:target-partitions": [
#       "aws",
#       "aws-cn"
#     ],
#     "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
#     "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
#     "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
#     "@aws-cdk/aws-iam:minimizePolicies": true,
#     "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
#     "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
#     "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
#     "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
#     "@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
#     "@aws-cdk/core:enablePartitionLiterals": true,
#     "@aws-cdk/aws-events:eventsTargetQueueSameAccount": true,
#     "@aws-cdk/aws-iam:standardizedServicePrincipals": true,
#     "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true,
#     "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true,
#     "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
#     "@aws-cdk/aws-route53-patters:useCertificate": true,
#     "@aws-cdk/customresources:installLatestAwsSdkDefault": false,
#     "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": true,
#     "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": true,
#     "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": true,
#     "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": true,
#     "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true,
#     "@aws-cdk/aws-redshift:columnId": true,
#     "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true,
#     "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": true,
#     "@aws-cdk/aws-apigateway:requestValidatorUniqueId": true,
#     "@aws-cdk/aws-kms:aliasNameRef": true,
#     "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": true,
#     "@aws-cdk/core:includePrefixInUniqueNameGeneration": true,
#     "@aws-cdk/aws-efs:denyAnonymousAccess": true,
#     "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": true,
#     "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": true,
#     "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": true,
#     "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": true,
#     "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": true
#   }
# }
# [18:26:42] merged settings: {
#   versionReporting: true,
#   assetMetadata: true,
#   pathMetadata: true,
#   output: 'cdk.out',
#   app: 'npx ts-node --prefer-ts-exts bin/tmp.3f08_ww_ph.ts',
#   watch: {
#     include: [ '**' ],
#     exclude: [
#       'README.md',
#       'cdk*.json',
#       '**/*.d.ts',
#       '**/*.js',
#       'tsconfig.json',
#       'package*.json',
#       'yarn.lock',
#       'node_modules',
#       'test'
#     ]
#   },
#   context: {
#     '@aws-cdk/aws-lambda:recognizeLayerVersion': true,
#     '@aws-cdk/core:checkSecretUsage': true,
#     '@aws-cdk/core:target-partitions': [ 'aws', 'aws-cn' ],
#     '@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver': true,
#     '@aws-cdk/aws-ec2:uniqueImdsv2TemplateName': true,
#     '@aws-cdk/aws-ecs:arnFormatIncludesClusterName': true,
#     '@aws-cdk/aws-iam:minimizePolicies': true,
#     '@aws-cdk/core:validateSnapshotRemovalPolicy': true,
#     '@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName': true,
#     '@aws-cdk/aws-s3:createDefaultLoggingPolicy': true,
#     '@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption': true,
#     '@aws-cdk/aws-apigateway:disableCloudWatchRole': true,
#     '@aws-cdk/core:enablePartitionLiterals': true,
#     '@aws-cdk/aws-events:eventsTargetQueueSameAccount': true,
#     '@aws-cdk/aws-iam:standardizedServicePrincipals': true,
#     '@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker': true,
#     '@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName': true,
#     '@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy': true,
#     '@aws-cdk/aws-route53-patters:useCertificate': true,
#     '@aws-cdk/customresources:installLatestAwsSdkDefault': false,
#     '@aws-cdk/aws-rds:databaseProxyUniqueResourceName': true,
#     '@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup': true,
#     '@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId': true,
#     '@aws-cdk/aws-ec2:launchTemplateDefaultUserData': true,
#     '@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments': true,
#     '@aws-cdk/aws-redshift:columnId': true,
#     '@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2': true,
#     '@aws-cdk/aws-ec2:restrictDefaultSecurityGroup': true,
#     '@aws-cdk/aws-apigateway:requestValidatorUniqueId': true,
#     '@aws-cdk/aws-kms:aliasNameRef': true,
#     '@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig': true,
#     '@aws-cdk/core:includePrefixInUniqueNameGeneration': true,
#     '@aws-cdk/aws-efs:denyAnonymousAccess': true,
#     '@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby': true,
#     '@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion': true,
#     '@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId': true,
#     '@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters': true,
#     '@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier': true
#   },
#   debug: false,
#   toolkitBucket: {},
#   staging: true,
#   bundlingStacks: [ '**' ],
#   lookups: true,
#   assetPrebuild: true
# }
# [18:26:42] [trace] SdkProvider#withAwsCliCompatibleDefaults()
# [18:26:42] Determining if we're on an EC2 instance.
# [18:26:42] Does not look like an EC2 instance.
# [18:26:42] Reading cached notices from /Users/buggs/.cdk/cache/notices.json
# [18:26:42] Toolkit stack: CDKToolkit
# [18:26:42] Setting "CDK_DEFAULT_REGION" environment variable to eu-north-1
# [18:26:42] [trace] SdkProvider#defaultAccount()
# [18:26:42] [trace]   SdkProvider#defaultCredentials()
# [18:26:42] Resolving default credentials
# [18:26:42] Unable to determine the default AWS account (ProcessCredentialsProviderFailure): Profile my-org-dev did not include credential process
# [18:26:42] context: {
#   '@aws-cdk/aws-lambda:recognizeLayerVersion': true,
#   '@aws-cdk/core:checkSecretUsage': true,
#   '@aws-cdk/core:target-partitions': [ 'aws', 'aws-cn' ],
#   '@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver': true,
#   '@aws-cdk/aws-ec2:uniqueImdsv2TemplateName': true,
#   '@aws-cdk/aws-ecs:arnFormatIncludesClusterName': true,
#   '@aws-cdk/aws-iam:minimizePolicies': true,
#   '@aws-cdk/core:validateSnapshotRemovalPolicy': true,
#   '@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName': true,
#   '@aws-cdk/aws-s3:createDefaultLoggingPolicy': true,
#   '@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption': true,
#   '@aws-cdk/aws-apigateway:disableCloudWatchRole': true,
#   '@aws-cdk/core:enablePartitionLiterals': true,
#   '@aws-cdk/aws-events:eventsTargetQueueSameAccount': true,
#   '@aws-cdk/aws-iam:standardizedServicePrincipals': true,
#   '@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker': true,
#   '@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName': true,
#   '@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy': true,
#   '@aws-cdk/aws-route53-patters:useCertificate': true,
#   '@aws-cdk/customresources:installLatestAwsSdkDefault': false,
#   '@aws-cdk/aws-rds:databaseProxyUniqueResourceName': true,
#   '@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup': true,
#   '@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId': true,
#   '@aws-cdk/aws-ec2:launchTemplateDefaultUserData': true,
#   '@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments': true,
#   '@aws-cdk/aws-redshift:columnId': true,
#   '@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2': true,
#   '@aws-cdk/aws-ec2:restrictDefaultSecurityGroup': true,
#   '@aws-cdk/aws-apigateway:requestValidatorUniqueId': true,
#   '@aws-cdk/aws-kms:aliasNameRef': true,
#   '@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig': true,
#   '@aws-cdk/core:includePrefixInUniqueNameGeneration': true,
#   '@aws-cdk/aws-efs:denyAnonymousAccess': true,
#   '@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby': true,
#   '@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion': true,
#   '@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId': true,
#   '@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters': true,
#   '@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier': true,
#   'aws:cdk:enable-path-metadata': true,
#   'aws:cdk:enable-asset-metadata': true,
#   'aws:cdk:version-reporting': true,
#   'aws:cdk:bundling-stacks': [ '**' ]
# }
# [18:26:42] outdir: cdk.out
# [18:26:42] env: {
#   CDK_DEFAULT_REGION: 'eu-north-1',
#   CDK_OUTDIR: 'cdk.out',
#   CDK_CLI_ASM_VERSION: '34.0.0',
#   CDK_CLI_VERSION: '2.97.0'
# }
# 
# ✨  Synthesis time: 2.13s
# 
# [18:26:44] Checking for previously published assets
# [18:26:44] [trace] SdkProvider#resolveEnvironment()
# [18:26:44] [trace] SdkProvider#baseCredentialsPartition()
# [18:26:44] [trace]   SdkProvider#resolveEnvironment()
# [18:26:44] [trace]   SdkProvider#obtainBaseCredentials()
# [18:26:44] [trace]     SdkProvider#defaultAccount()
# [18:26:44] [trace] SdkProvider#forEnvironment()
# [18:26:44] [trace]   SdkProvider#resolveEnvironment()
# [18:26:44] [trace]   SdkProvider#obtainBaseCredentials()
# [18:26:44] [trace]     SdkProvider#defaultAccount()
# 
#  ❌ Deployment failed: Error: Need to perform AWS calls for account 123456789012, but no credentials have been configured
#     at SdkProvider.forEnvironment (/Users/buggs/node/n/lib/node_modules/aws-cdk/lib/index.js:367:13075)
#     at async Deployments.cachedSdkForEnvironment (/Users/buggs/node/n/lib/node_modules/aws-cdk/lib/index.js:457:12383)
#     at async Deployments.prepareSdkFor (/Users/buggs/node/n/lib/node_modules/aws-cdk/lib/index.js:457:7949)
#     at async Deployments.isSingleAssetPublished (/Users/buggs/node/n/lib/node_modules/aws-cdk/lib/index.js:457:11602)
#     at async /Users/buggs/node/n/lib/node_modules/aws-cdk/lib/index.js:457:165302
# [18:26:44] Reading cached notices from /Users/buggs/.cdk/cache/notices.json
# 
# Need to perform AWS calls for account 123456789012, but no credentials have been configured
# [18:26:44] Error: Need to perform AWS calls for account 123456789012, but no credentials have been configured
#     at SdkProvider.forEnvironment (/Users/buggs/node/n/lib/node_modules/aws-cdk/lib/index.js:367:13075)
#     at async Deployments.cachedSdkForEnvironment (/Users/buggs/node/n/lib/node_modules/aws-cdk/lib/index.js:457:12383)
#     at async Deployments.prepareSdkFor (/Users/buggs/node/n/lib/node_modules/aws-cdk/lib/index.js:457:7949)
#     at async Deployments.isSingleAssetPublished (/Users/buggs/node/n/lib/node_modules/aws-cdk/lib/index.js:457:11602)
#     at async /Users/buggs/node/n/lib/node_modules/aws-cdk/lib/index.js:457:165302

Getting my current session details:

$ AWS_PROFILE=cdk-error-demo aws sts get-caller-identity --output yaml

# Output:
# Account: '123456789012'
# Arn: arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_MyRoleNameWith_alongrandomsuffix/buggs@iterate.no
# UserId: ANACCESSKEYIDORSECRETNEVERTHELESSREDACTED:buggs@iterate.no

This is what my AWS_CONFIG_FILE looks like:

[profile my-org-dev]
sso_session = Admin in My Org
sso_account_id = 123456789012
sso_role_name = AdministratorAccess
region = eu-north-1
[sso-session 'Admin in My Org']
sso_start_url = https://acme.awsapps.com/start#
sso_region = eu-central-1
sso_registration_scopes = sso:account:access

Reproduction Steps

  1. I install aws-cdk and check the version:

    $ cdk --version
    
    # Output:
    # 2.97.0 (build d7cf3be)
    
  2. I back up my AWS_CONFIG_FILE and delete the existing file:

    if test -n "$AWS_CONFIG_FILE" -a -f "$AWS_CONFIG_FILE"
      cp "$AWS_CONFIG_FILE" "$AWS_CONFIG_FILE.$(date +%s).bak"; and rm "$AWS_CONFIG_FILE"
    end
    if test -f "$HOME/.aws/config"
      cp "$HOME/.aws/config" "$HOME/.aws/config.$(date +%s).bak"; and rm "$HOME/.aws/config"
    end
    test ! -f "$HOME/.aws/config" -a ! -f "$AWS_CONFIG_FILE"; or echo "Files still present, abort!";
    
  3. I go to the SSO start URL for my organization, https://acme.awsapps.com/start. Under the account I want to use, I click Command line or programmatic access, where I read the following instructions:

    configure the AWS CLI to retrieve them automatically using the aws configure sso command

  4. In my shell, I configure the AWS CLI using aws configure sso:

    $ aws configure sso --profile my-org-dev
    
    # Output (interactive):
    # SSO session name (Recommended): Admin in My Org
    # SSO start URL [None]: https://acme.awsapps.com/start#
    # SSO region [None]: eu-central-1
    # SSO registration scopes [sso:account:access]:
    # Attempting to automatically open the SSO authorization page in your default browser.
    # If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
    #
    # https://device.sso.eu-central-1.amazonaws.com/
    #
    # Then enter the code:
    #
    # BRDX-HVMG
    # There are 5 AWS accounts available to you.
    # Using the account ID 123412341234
    # The only role available to you is: AdministratorAccess
    # Using the role name "AdministratorAccess"
    # CLI default client Region [None]: eu-north-1
    # CLI default output format [None]:
    #
    # To use this profile, specify the profile name using --profile, as shown:
    #
    # aws s3 ls --profile my-org-dev
    
  5. In my shell, I verify that I have a valid session:

    $ AWS_PROFILE=my-org-dev aws sts get-caller-identity --output yaml
    
    # Output:
    # Account: '048445190004'
    # Arn: arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_AdministratorAccess_alongrandomsuffix/buggs@iterate.no
    # UserId: ANACCESSKEYIDORSECRETNEVERTHELESSREDACTED:buggs@iterate.no
    
    $ AWS_PROFILE=my-org-dev aws cloudformation list-stacks --query StackSummaries
    
    # (This is successful, this role has administrative privileges).
    
  6. I initialize a CDK project in a new directory:

    $ AWS_PROFILE=my-org-dev cd (mktemp -d); and cdk init app --language=typescript
    
    # Output (partial):
    # # ...
    # ✅ All done!
    
  7. I attempt to deploy the stack, which fails because CDK cannot determine which account to use:

    $ AWS_PROFILE=my-org-dev cdk deploy
    
    # Output:
    # ✨  Synthesis time: 2.38s
    # 
    # 
    #  ❌ Deployment failed: Error: Unable to resolve AWS account to use. It must be either configured when you define your CDK Stack, or through the environment
    
  8. I follow the instructions in bin/{the application name}.ts, as indicated in the output from the failing cdk deploy, and add:

    env: { account: '123456789012', region: 'eu-north-1' },
    
  9. I attempt to deploy the stack, which fails because CDK cannot find the credentials:

    $ AWS_PROFILE=my-org-dev cdk deploy
    
    # Output:
    # ✨  Synthesis time: 2.2s
    # 
    # 
    #  ❌ Deployment failed: Error: Need to perform AWS calls for account 048445190004, but no credentials have been configured
    

If I remove the sso-session block and move some settings up to the my-org-dev profile, I am able to deploy:

  1. I make the following changes to my $AWS_CONFIG_FILE:
    --- /Users/buggs/.aws/config.old	2023-09-24 18:15:43
    +++ /Users/buggs/.aws/config	2023-09-24 18:15:57
    @@ -1,9 +1,6 @@
     [profile my-org-dev]
    -sso_session = Admin in My Org
     sso_account_id = 123412341234
     sso_role_name = AdministratorAccess
     region = eu-north-1
    -[sso-session 'Admin in My Org']
     sso_start_url = https://acme.awsapps.com/start#
     sso_region = eu-central-1
    -sso_registration_scopes = sso:account:access
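Review bot: the account id in this hunk (123412341234) does not match the one in the AWS_CONFIG_FILE shown earlier in the report (123456789012) or the one in the step 9 error (048445190004); if these are redaction substitutes, use a single placeholder so readers can tie the profile to the failing account. Worth stating in the step text as well that the result (sso_start_url and sso_region inline under the profile, no sso-session section, and sso_registration_scopes dropped with it because that key belongs to the sso-session section) is the legacy SSO profile format, so the workaround trades the session-based profile for the older form rather than keeping the session the CLI generated.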
    
  2. I attempt to deploy the stack, which now succeeds:

    $ AWS_PROFILE=my-org-dev cdk deploy
    
    # Output (partial):
    # (...)
    # ✅  Tmp3F08WwPhStack
    # (...)
    # ✨  Total time: 15.91s
    

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.97.0 (build d7cf3be)

Framework Version

No response

Node.js Version

18.14.0

OS

macOS 13.4 (22F66)

Language

Typescript

Language Version

~5.2.2

Other information

Similar issues

This seems to be somewhat related to a couple of other issues.

  • #25870 has the same “credential process” issue, but is not related to SSO
  • #23520 has the exact same issue. Following the instructions from https://github.com/aws/aws-cdk/issues/23520#issuecomment-1369308510 does not give the same results (aws --profile my-org-dev sts get-caller-identity succeeds, but npx cdk diff --profile my-org-dev fails like above). As far as I can tell, my $AWS_CONFIG_FILE has the same properties.
  • #20935 has recent comments from people experiencing similar issues
  • #24744 has similar issues with resolving the account ID for SSO credentials

About this issue

  • State: open
  • Created 9 months ago
  • Reactions: 6
  • Comments: 15 (3 by maintainers)

Most upvoted comments

To add another data point: I’m also using aws sso login, and I will randomly get that error with CDK commands every now and then, but I can immediately run the same command again (cdk deploy) and it will work, so my SSO session was still valid.

Sounds like a bug in the CLI that sometimes randomly fails to return SSO credentials to CDK.

Just want to say thank you. After a long struggle with why --profile XXXX did not work, I found your issue just in time. Removing the sso-session block and sso_session params from my configs did resolve it, and now I can deploy my multi-account pipeline.

Further notes on the topic which may be helpful: I do not have any [default] block in my .aws/config file and no blocks at all in my .aws/credentials file.

Additionally, I found out that if I use the flag --profile with npm run cdk synth --profile xxx it does not work at all (it may get eaten by npm?). If you need to use npm run, you need to set the above-mentioned AWS_PROFILE; otherwise, if you use a globally installed cdk, you can use the --profile flag.

After much messing about, I found out that I could get it to work by removing any spaces in my sso-session name and removing the single quotes around the sso-session name (not certain if this was necessary or not).

So

[profile my-org-dev]
sso_session = Admin in My Org
...
[sso-session 'Admin in My Org']
...

Could be changed to:

[profile my-org-dev]
sso_session = Admin-in-My-Org
...
[sso-session Admin-in-My-Org]
...

Seems like other config readers have run into this too (ruby, go). If I’m following the code right here the correct fix would need to be in https://github.com/smithy-lang/smithy-typescript. Though it seems like the aws cli is actually generating configuration that violates the spec. It should probably prevent using sso session names with spaces in them.

You can use letters, numbers, hyphens ( - ), and underscores ( _ ), but no spaces.
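Added example, not code from the aws-cdk project, the AWS SDKs or any commenter on this issue: a small TypeScript preflight linter for the shared AWS config file that checks the two things this thread turns on, the session name with spaces in `[sso-session 'Admin in My Org']` (the rename fix in this comment) and the difference between a session-based profile and the legacy inline form the original report falls back to in its workaround. The function names (`parseConfig`, `lintConfig`, `ssoMode`, `suggestSessionName`, `renameSsoSession`), the rule identifiers and the embedded sample config are assumptions made here; the account id in the sample is a placeholder. It implements the naming rule quoted above, not any SDK's real config parser, so it says nothing about what smithy-typescript itself accepts.

```typescript
// Added example, not code from the aws-cdk project, the AWS SDKs or the issue author:
// a preflight linter for the AWS shared config file that reports the sso-session
// naming problem in this issue. Naming rule as quoted from the AWS CLI docs above:
// letters, numbers, hyphens and underscores only, no spaces.
export interface Section {
  kind: string;                    // "profile", "sso-session", "default", ...
  name: string;                    // section name with surrounding quotes stripped
  quoted: boolean;                 // header had quotes around the name
  values: Record<string, string>;
}
export interface Finding { section: string; rule: string; message: string }
export const VALID_NAME = /^[A-Za-z0-9_-]+$/;

// Minimal INI reader: "[kind name]" headers, "key = value" lines, # and ; comments.
export function parseConfig(text: string): Section[] {
  const sections: Section[] = [];
  let current: Section | undefined;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#") || line.startsWith(";")) continue;
    const header = /^\[\s*(\S+?)(?:\s+(.+?))?\s*\]$/.exec(line);
    if (header) {
      let name = header[2] ?? header[1];
      let quoted = false;
      const q = /^(['"])(.*)\1$/.exec(name); // `aws configure sso` wrote ['Admin in My Org']
      if (q) { name = q[2]; quoted = true; }
      current = { kind: header[1], name, quoted, values: {} };
      sections.push(current);
      continue;
    }
    const kv = /^([^=]+?)\s*=\s*(.*)$/.exec(line);
    if (kv && current) current.values[kv[1].trim()] = kv[2].trim();
  }
  return sections;
}

// How a profile reaches IAM Identity Center: through an sso-session section, through
// the legacy inline sso_start_url/sso_region form (the issue's workaround), or not at all.
export function ssoMode(s: Section): "session" | "legacy" | "none" {
  if ("sso_session" in s.values) return "session";
  if ("sso_start_url" in s.values && "sso_region" in s.values) return "legacy";
  return "none";
}

export function lintConfig(text: string): Finding[] {
  const sections = parseConfig(text);
  const findings: Finding[] = [];
  const sessions = new Set(sections.filter((s) => s.kind === "sso-session").map((s) => s.name));
  for (const s of sections) {
    const label = s.name === s.kind ? `[${s.kind}]` : `[${s.kind} ${s.name}]`;
    if (s.quoted) findings.push({ section: label, rule: "quoted-section-name",
      message: "quoted section names are not read the same way by every SDK config reader" });
    if (s.kind === "sso-session" && !VALID_NAME.test(s.name)) findings.push({ section: label,
      rule: "sso-session-name", message: `"${s.name}" is not a valid session name` });
    const ref = s.values["sso_session"];
    if (ref === undefined) continue;
    if (!VALID_NAME.test(ref)) findings.push({ section: label, rule: "sso-session-ref-name",
      message: `sso_session = "${ref}" is not a valid session name` });
    if (!sessions.has(ref)) findings.push({ section: label, rule: "dangling-sso-session",
      message: `no [sso-session ${ref}] section found` });
  }
  return findings;
}

// Spec-conforming replacement name, e.g. "Admin in My Org" -> "Admin-in-My-Org".
export function suggestSessionName(name: string): string {
  return name.trim().replace(/[^A-Za-z0-9_-]+/g, "-");
}

// Rename a session in its header and in every profile that references it.
export function renameSsoSession(text: string, from: string, to: string): string {
  const esc = from.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const header = new RegExp(`^\\[\\s*sso-session\\s+(['"]?)${esc}\\1\\s*\\]\\s*$`, "gm");
  const ref = new RegExp(`^(\\s*sso_session\\s*=\\s*)(['"]?)${esc}\\2\\s*$`, "gm");
  return text.replace(header, () => `[sso-session ${to}]`)
             .replace(ref, (_m, prefix: string) => prefix + to);
}

// Constructed sample: the issue's session-based profile (name with spaces, quoted
// header) plus a legacy-style profile. The account id is a placeholder.
export const SAMPLE_CONFIG = `
[profile my-org-dev]
sso_session = Admin in My Org
sso_account_id = 111111111111
sso_role_name = AdministratorAccess
[sso-session 'Admin in My Org']
sso_start_url = https://acme.awsapps.com/start#
sso_region = eu-central-1
[profile legacy-dev]
sso_start_url = https://acme.awsapps.com/start#
sso_region = eu-central-1
sso_account_id = 111111111111
sso_role_name = AdministratorAccess
`;

for (const f of lintConfig(SAMPLE_CONFIG)) console.log(`${f.section}: ${f.rule}: ${f.message}`);
export const FIXED_CONFIG = renameSsoSession(SAMPLE_CONFIG, "Admin in My Org", suggestSessionName("Admin in My Org"));
```

Run it with ts-node or tsx: it prints one finding per problem in the constructed config (the quoted header, the invalid session name, and the profile's `sso_session` value that carries the same spaces) and then builds `FIXED_CONFIG`, which lints clean. Renaming the session in both places, instead of deleting the sso-session section as the workaround in the report does, keeps the session-based profile the CLI generated; the `legacy-dev` profile in the sample shows the inline form that `ssoMode` reports as "legacy".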

Sounds like a bug in the CLI

The CLI does not provide credentials to the CDK, not directly. Running aws sso login gets an Identity Center token and caches it on the file system. The AWS SDKs load that token and exchange it for IAM credentials. If the CLI works after using aws sso login, e.g. aws sts get-caller-identity, the CLI has correctly cached the token. Any further issues would be in the CDK or its dependencies.

The issue is probably somewhere in the JavaScript SDK. As I understand it, different parts of the CDK use v2 and v3 of the JS SDK, and Identity Center support in v2 was very late in coming, so I wouldn’t be surprised if it also has issues with the change to session-based profiles and refresh tokens. Potentially this: https://github.com/aws/aws-sdk-js/issues/4441

There’s a chance this old issue is related: https://github.com/aws/aws-cdk/issues/24744

Same issues for me, please fix. Workaround indeed to change profile name to other than default.

Clarifying that this is not the issue I’ve raised here, nor the fix for it - this issue seems to be that CDK does not understand the SSO session field.

The “workaround” seems to be to not enter anything when prompted for

SSO session name (Recommended): 

while running aws configure sso, which sets up SSO in “legacy” mode, which works fine.