aws-cdk: [core] v1.60.0 no longer accepts --profile flag

I manage multiple AWS accounts and for each, I have a profile configured. In versions <1.60.0 of cdk, I could specify a profile using --profile <profile-name>. For example, if I wanted to use the diff command with the work profile, I would type:

yarn cdk --profile work diff

I am no longer able to do this on version 1.60.0.

Reproduction Steps

  • Create a stack using v1.59.0 and deploy it
  • Update your version to v1.60.0 and attempt to run diff or deploy command on the same stack

What did you expect to happen?

Upgrading to v1.60.0 would not affect passing credentials.

What actually happened?

I now receive the error:

Need to perform AWS calls for account <number>, but no credentials have been configured.

Environment

  • CLI Version: 1.60.0
  • Framework Version: 1.60.0
  • Node.js Version: v10.22.0
  • OS : mac-os
  • Language (Version): TypeScript

Other

As a result of this, my team is stuck on v1.59.0


This is 🐛 Bug Report

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 3
  • Comments: 24 (10 by maintainers)

Most upvoted comments

Hi…

It appears that there is a requirement for CDK to need to have a default profile even though I am not using it.

I added this

[profile default]
region = ap-southeast-2
output = json

And it seems to work. Something has changed in 1.60 that has changed this.

Some further research in diffing the -vvv output between patched (working) and unpatched (broken) versions yields the following:

$ diff output.working output.broken
105,108c105,118
< Looking up default account ID from STS
< [AWS sts 200 0.259s 0 retries] getCallerIdentity({})
< Default account ID: 887534651732
< Setting "CDK_DEFAULT_ACCOUNT" environment variable to [REDACTED]
---
> Unable to determine the default AWS account: { ConfigError: Missing region in config
>     at Request.optInRegionalEndpoint (/usr/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/services/sts.js:75:30)
>     at Request.callListeners (/usr/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
>     at Request.emit (/usr/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
>     at Request.emit (/usr/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:688:14)
>     at Request.transition (/usr/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:22:10)
>     at AcceptorStateMachine.runTo (/usr/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/state_machine.js:14:12)
>     at Request.runTo (/usr/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:408:15)
>     at Request.send (/usr/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:372:10)
>     at features.constructor.makeRequest (/usr/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/service.js:205:27)
>     at features.constructor.svc.(anonymous function) [as assumeRole] (/usr/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/service.js:677:23)
>   message: 'Missing region in config',
>   code: 'ConfigError',
>   time: 2020-08-26T02:27:18.616Z }
133d142
<   CDK_DEFAULT_ACCOUNT: '[REDACTED]',
---snip---
186,203c195,198
< [AWS cloudformation 200 1.042s 0 retries] describeStacks({ StackName: 'REDACTED' })
< [AWS cloudformation 200 2.847s 0 retries] getTemplate({ StackName: 'REDACTED',
<   TemplateStage: 'Original' })
< This deployment will make potentially sensitive changes according to your current security approval level (--require-approval broadening).
< Please confirm you intend to make the following modifications:
<
---snip---
> Need to perform AWS calls for account [REDACTED], but no credentials have been configured.
> Error: Need to perform AWS calls for account [REDACTED], but no credentials have been configured.
>     at SdkProvider.obtainCredentials (/usr/lib/node_modules/aws-cdk/lib/api/aws-auth/sdk-provider.ts:237:11)
>     at process._tickCallback (internal/process/next_tick.js:68:7)

As a temporary workaround - if you define a region in your profile, it seems to work (and doesn’t seem to matter what region it is), e.g. ~/.aws/config:

[profile development]
role_arn = arn:aws:iam::XXXX:role/OrganizationAccountAccessRole
source_profile = default
region = us-east-1 ; Required workaround for https://github.com/aws/aws-cdk/issues/9937
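
To find which profiles the region workaround in this thread applies to, the following added example (not part of the original issue or the CDK code base) lists the profiles in a shared config file that define no region of their own. The parsing rules, the function names and the contents of the sample `work` profile are assumptions made for illustration.

```javascript
// Added example: flag profiles in an AWS shared config file that set no region.
// The parsing rules are a simplified assumption, not the AWS SDK's own loader.

// Constructed sample input modelled on the ~/.aws/config snippets in this thread.
const SAMPLE_CONFIG = `
[default]
output = json

[profile development]
role_arn = arn:aws:iam::XXXX:role/OrganizationAccountAccessRole
source_profile = default
region = us-east-1 ; Required workaround

# constructed profile with no region
[profile work]
role_arn = arn:aws:iam::XXXX:role/OrganizationAccountAccessRole
source_profile = default
`;

// Parse INI-style text into { profileName: { key: value } }.
function parseProfiles(text) {
  const profiles = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    // Drop full-line and trailing comments introduced by ';' or '#'.
    const line = raw.split(/(?:^|\s)[;#]/)[0].trim();
    if (!line) continue;
    // Accept both "[default]" and "[profile name]" section headers.
    const header = line.match(/^\[(?:profile\s+)?([^\]]+)\]$/);
    if (header) {
      current = profiles[header[1].trim()] = {};
      continue;
    }
    const eq = line.indexOf('=');
    if (current && eq > 0) {
      current[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
    }
  }
  return profiles;
}

// Return the sorted names of profiles that have no non-empty region setting.
function profilesMissingRegion(text) {
  return Object.entries(parseProfiles(text))
    .filter(([, settings]) => !settings.region)
    .map(([name]) => name)
    .sort();
}

console.log('Profiles without a region:', profilesMissingRegion(SAMPLE_CONFIG));
```

A profile reported here is a candidate for the `region = ...` line shown above; the check only reads the file text and makes no AWS calls.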

I am also having this issue.

I can confirm that the commit/precise change that causes this is: https://github.com/aws/aws-cdk/pull/9835/files#diff-69984e5eb59d539989dd8dd4e0f3f0cfR18

If you patch CDK to disable AWS_STS_REGIONAL_ENDPOINTS = 'regional', then things work as per before.

@rix0rrr should we flag this as p0?

Thanks for figuring this out y’all!