aws-cdk
(core): Synth always fails if configured AWS creds are expired
Describe the bug
If I have AWS credentials in my .aws/credentials file that are expired, cdk synth will not work, regardless of whether it needs to perform API calls.
Expected Behavior
cdk synth works regardless of AWS credentials if no AWS API calls are required.
Current Behavior
Error on synth with expired AWS credentials:
The security token included in the request is expired
The same works fine if I have no configured AWS credentials at all.
Reproduction Steps
cdk init sample-app
Have expired credentials configured in ~/.aws/credentials
cdk synth - Error
rm ~/.aws/credentials
cdk synth - Succeeds
Possible Solution
No response
Additional Information/Context
The fact that synth works fine without any credentials at all confirms that this is a bug.
CDK CLI Version
2.41.0
Framework Version
No response
Node.js Version
18.9.0
OS
Linux
Language
Typescript, Python, .NET, Java, Go
Language Version
No response
Other information
No response
Hello,
I'd like to start by asking: why do you have ephemeral credentials in ~/.aws/credentials?
Reference: https://docs.aws.amazon.com/cdk/v2/guide/getting_started.html#getting_started_prerequisites
Alternatively, you can set the environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_DEFAULT_REGION to appropriate values.
Sessions have their purpose, but if you're stuck editing the credentials file every 15 min (or 60 min or every other work day), perhaps a shift in way of working is in order?
Or am I missing something in the use case and you can walk me through your expectations based on it?
I use Leapp for SSO and that's how it handles ephemeral credentials. So at the start of each workday, I'm unable to synth until I refresh the credentials by logging in with Leapp, even for CDK apps where no API calls are needed.
@Naumel I went ahead and tested it with environment variables as well - the result is the same. cdk synth fails if the configured AWS credentials (be it via a file or env variables) are expired.
I saw you removed the bug label - surely this isn't expected behavior?
I'm sensitive to the argument that if unplugging your ethernet cable (heh) lets synth succeed, and having no credentials succeeds, then having expired credentials should also succeed.
I wonder if this will cause unexpected behavior for users though, especially since they might expect to have credentials.
The failure (probably) occurs when we are looking up the current account ID, for setting the CDK_DEFAULT_ACCOUNT environment variable. If we get anything but a "no credentials configured" error during that operation, we should probably log a warning and continue with CDK_DEFAULT_ACCOUNT unset.
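The handling proposed in the comment above, as an added example in TypeScript that is not aws-cdk's own code: the STS GetCallerIdentity call is injected as a plain function (the real call is asynchronous), and the error names treated as "no credentials configured" are assumptions noted in the comments.

```typescript
// Added example, not aws-cdk's own code: resolve the account for CDK_DEFAULT_ACCOUNT
// without aborting synth when the lookup fails for a reason other than "no credentials".

export interface CallerIdentity { Account: string }
// Stand-in for STS GetCallerIdentity; injected so the example runs offline.
export type CallerIdentityLookup = () => CallerIdentity;

export interface DefaultAccountResult {
  account?: string;   // value for CDK_DEFAULT_ACCOUNT, undefined if it could not be determined
  warnings: string[]; // what the CLI should print instead of failing synth
}

// Assumed error names meaning "no credentials configured at all": the AWS SDK for
// JavaScript v3 credential chain throws CredentialsProviderError; v2 used CredentialsError.
const NO_CREDENTIALS_ERRORS = new Set(['CredentialsProviderError', 'CredentialsError']);

export function resolveDefaultAccount(lookup: CallerIdentityLookup): DefaultAccountResult {
  const warnings: string[] = [];
  try {
    return { account: lookup().Account, warnings };
  } catch (e) {
    const err = e as Error;
    if (NO_CREDENTIALS_ERRORS.has(err.name)) {
      // Existing behaviour for "no credentials": stay silent, leave the account unset.
      return { account: undefined, warnings };
    }
    // Expired token, network failure, etc.: warn and continue rather than fail synth.
    warnings.push(`Could not determine default account (${err.name}: ${err.message}); ` +
                  'leaving CDK_DEFAULT_ACCOUNT unset');
    return { account: undefined, warnings };
  }
}

// Apply the result to the environment the app is synthesized in (copy, not in place).
export function applyDefaultAccount(result: DefaultAccountResult,
                                    env: Record<string, string | undefined>) {
  const out = { ...env };
  if (result.account !== undefined) out.CDK_DEFAULT_ACCOUNT = result.account;
  else delete out.CDK_DEFAULT_ACCOUNT;
  return out;
}

// Constructed STS stand-ins: valid credentials, no credentials, expired session token.
export function stubLookup(b: { account?: string; fail?: { name: string; message: string } }): CallerIdentityLookup {
  return () => {
    if (b.fail) { const err = new Error(b.fail.message); err.name = b.fail.name; throw err; }
    return { Account: b.account ?? '000000000000' };
  };
}
export const validCreds = stubLookup({ account: '123456789012' });
export const noCreds = stubLookup({ fail: { name: 'CredentialsProviderError', message: 'Could not load credentials from any providers' } });
export const expiredCreds = stubLookup({ fail: { name: 'ExpiredToken', message: 'The security token included in the request is expired' } });
```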
Experiencing the same issue when credentials contain expired tokens. Issue started after updating the aws-cdk version in our project. Seems that versions >=2.39.0 are experiencing this issue currently.
cdk synth succeeds after either removing the expired session_token from credentials or renewing the session.
Fixed by https://github.com/aws/aws-cdk/pull/22861