Aws-cdk: CDK 1.20 Unable to determine the default AWS account

we are experiencing the same regression, but in a different use-case. We are using EC2 instance with attached role and no any AWS profiles / credentials. With 1.18 everything works, upgrading to 1.20 brings an error:

Looks like EC2 instance.
Unable to determine AWS region from environment or AWS configuration (profile: "default")
Setting "CDK_DEFAULT_REGION" environment variable to undefined
Resolving default credentials
Looking up default account ID from STS
Unable to determine AWS region from environment or AWS configuration (profile: "default")
Unable to determine the default AWS account (did you configure "aws configure"?): { 500: handshakefailed
    at Request.extractError (/home/ec2-user/node-v10.16.3-linux-x64/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/protocol/query.js:50:29)
    at Request.callListeners (/home/ec2-user/node-v10.16.3-linux-x64/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/home/ec2-user/node-v10.16.3-linux-x64/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/home/ec2-user/node-v10.16.3-linux-x64/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:683:14)
    at Request.transition (/home/ec2-user/node-v10.16.3-linux-x64/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/home/ec2-user/node-v10.16.3-linux-x64/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /home/ec2-user/node-v10.16.3-linux-x64/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/home/ec2-user/node-v10.16.3-linux-x64/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/home/ec2-user/node-v10.16.3-linux-x64/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:685:12)
    at Request.callListeners (/home/ec2-user/node-v10.16.3-linux-x64/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/sequential_executor.js:116:18)
  message: 'handshakefailed',
  code: 500,
  time: 2020-01-12T15:31:54.406Z,
  requestId: undefined,
  statusCode: 500,
  retryable: true }
Setting "CDK_DEFAULT_ACCOUNT" environment variable to undefined
context: { 'aws:cdk:enable-path-metadata': true,
  'aws:cdk:enable-asset-metadata': true }
outdir: cdk.out
env: { CDK_DEFAULT_REGION: undefined,
  CDK_DEFAULT_ACCOUNT: undefined,
  CDK_CONTEXT_JSON:
   '{"aws:cdk:enable-path-metadata":true,"aws:cdk:enable-asset-metadata":true}',
  CDK_OUTDIR: 'cdk.out',
  CDK_CLI_ASM_VERSION: '1.16.0',
  CDK_CLI_VERSION: '1.20.0' }

Hi!
I tried recreating it with 1.20 but couldn't
Could you share the code?

We are having the same problem. The following used to work with 1.18.0 but no longer does with 1.20.0.

#######
config
#######
[default]
region = eu-west-2

[profile [redacted]]
region = eu-west-2
role_arn = [redacted]
mfa_serial = [redacted]
source_profile = default

###########
credentials
###########
[default]
aws_access_key_id = [redacted]
aws_secret_access_key = [redacted]


######################################################################
Powershell script to set environment variables (SetAwsCredentials.ps1)
######################################################################
if (Test-Path 'env:AWS_ACCESS_KEY_ID') { 
  Remove-Item Env:AWS_ACCESS_KEY_ID
}
if (Test-Path 'env:AWS_SECRET_ACCESS_KEY') {
  Remove-Item Env:AWS_SECRET_ACCESS_KEY
}
if (Test-Path 'env:AWS_SESSION_TOKEN') {
  Remove-Item Env:AWS_SESSION_TOKEN
}
aws s3api list-buckets --query "Buckets[].Name" | out-null
$json = gci ~/.aws/cli/cache/ | sort LastWriteTime | select -last 1 | Get-Content |  ConvertFrom-Json
$env:AWS_ACCESS_KEY_ID = ($json | Select -ExpandProperty "Credentials"| Select -ExpandProperty "AccessKeyId")
$env:AWS_SECRET_ACCESS_KEY = ($json | Select -ExpandProperty "Credentials"| Select -ExpandProperty "SecretAccessKey")
$env:AWS_SESSION_TOKEN = ($json | Select -ExpandProperty "Credentials"| Select -ExpandProperty "SessionToken")

###################
Powershell comands:
###################
$env:AWS_PROFILE="[redacted]"
..\..\..\..\SetAwsCredentials.ps1
cdk deploy project-dev --profile [redacted] --proxy http://[redacted]:8080 --verbose true --context=ENVIRONMENT=dev

@mo-matt-p are you on an EC2 instance?

@ilkomiliev is using an EC2 instance. Wonder if that's the issue.

If the problem was an upgrade to aws-sdk, since the version string contains a ^:

    "aws-sdk": "^2.601.0",

The problem should NOT go when you install [email protected]. Can anyone confirm?

1.19.0 was released at the time [email protected] was current. Since then not a whole lot of ineteresting commits: https://github.com/aws/aws-sdk-js/commits/master

This change looks more suspicious to me: https://github.com/aws/aws-cdk/commit/ac748c1786e68774f5d0ea9cfbec439034166c40

@mo-matt-p @ilkomiliev @sheridansmall we are working on reproduction and are having some trouble. In the meantime, you can try something for us and report back if that helps your situation.

https://github.com/aws/aws-cdk/commit/ac748c1786e68774f5d0ea9cfbec439034166c40#diff-141bf52cac9079e1dc3291f7624d61bfR99

This function is async and is being called without await. If you patch your local JS file in the CDK with the await keyword does that solve the issue?

also, are any of you using a proxy. That may be why we aren't able to reproduce yet.

also, are any of you using a proxy. That may be why we aren't able to reproduce yet.

@MrArnoldPalmer I am behind a proxy, yes. Not on an EC2. I will try out your patch tomorrow. Thanks.

I am still unable to reproduce this after trying a number of things. If someone could help provide minimal reproduction code that could help. I'm running the following within a new cdk app to try and reproduce the conditions in a container, but the cli is still resolving default account and credentials as expected.

content=$(aws sts get-session-token)
session_token=$(echo $content | jq -r '.Credentials.SessionToken')
access_key_id=$(echo $content | jq -r '.Credentials.AccessKeyId')
secret_access_key=$(echo $content | jq -r '.Credentials.SecretAccessKey')

docker run \
  -e "AWS_SESSION_TOKEN=${session_token}" \
  -e "AWS_ACCESS_KEY_ID=${access_key_id}" \
  -e "AWS_SECRET_ACCESS_KEY=${secret_access_key}" \
  -e "AWS_DEFAULT_REGION=us-east-1" \
  -v $PWD:/usr/src/app -w /usr/src/app \
  node:12 npm run cdk -- -v synth

we are also behind proxy. Additionally, we are using self-signed certificates on it (corporate setup), but this hasn't been changed since it worked. The SSL handling was also setup correctly to trust our certificates. To reproduce, I've just created a new application from the CLI, set the env like this:

const ENV_EU_CENTRAL_1 = { account: EnvVars.ACCOUNT_ID, region: EnvVars.REGION_ID };

and calling the stack, passing this as an env parameter:

const app = new cdk.App(); new MyStack(app, "MyStack", { env: ENV_EU_CENTRAL_1 });

Hi @ilkomiliev,

Since we weren't able to reproduce would you be able to try the patch @MrArnoldPalmer suggested https://github.com/aws/aws-cdk/issues/5743#issuecomment-573807534?

@mo-matt-p, would you mind sharing your code and the full log?

Thanks for helping us debug it!

Yes we are using a proxy.
I'm sorry I don't understand where to put the await in the JS file could you elaborate?
But I have put some debug messages in and it fails in: lookupDefaultAccount() in sdk.js
On the line:
const result = await new AWS.STS({ credentials: creds, region: await this.region() }).getCallerIdentity().promise();
It seems to be OK until it gets to this code:
getCallerIdentity().promise()

I've also tried to patch it but I'm facing the same problem as @sheridansmall - this call is done in the constructor, so outside async function and await can't be used here

Yeah after investigating yesterday, I'm pretty confident its not a missing await. I added timeouts to try and coax out a repro of a race condition and couldn't.

@ilkomiliev @sheridansmall @mo-matt-p can you tell us a bit more about your proxy setups? We may have a regression related to #645

@MrArnoldPalmer ; not sure what kind of thing you need - I'm no expert in this area - stuff like this?

$ printenv |grep -i proxy
http_proxy=http://webproxy.xxxxxxxxx.xxx.xx:8080
ftp_proxy=http://webproxy.xxxxxxxxx.xxx.xx:8080
proxy_pac=http://webgate/proxy.pac
https_proxy=http://webproxy.xxxxxxxxx.xxx.xx:8080
no_proxy=.xxxx.xxx.xx

that does help, thanks!

My testing with a proxy is also working as expected. I'm running an http(s) proxy on my host machine and connecting to it from the docker container.

docker run \
  -e "AWS_SESSION_TOKEN=${session_token}" \
  -e "AWS_ACCESS_KEY_ID=${access_key_id}" \
  -e "AWS_SECRET_ACCESS_KEY=${secret_access_key}" \
  -e "AWS_DEFAULT_REGION=eu-west-2" \
  -e "https_proxy=http://host.docker.internal:8080" \
  -e "http_proxy=http://host.docker.internal:8080" \
  -v ~/dev/aws-cdk:/usr/src/aws-cdk \
  -v $PWD:/usr/src/app -w /usr/src/app \
  node:12 /usr/src/aws-cdk/packages/aws-cdk/bin/cdk -v synth

@mo-matt-p can you provide a code example for how you are starting your session with boto3 and setting those values to the environment? Is it also possible for you to run your code without the proxy to see if it still breaks?

@ilkomiliev I've tried manually passing the region and account number in the env with credentials under the 'default' aws sdk profile and that works as well.

The httpOptions.agent property is not set when using proxy:

    if (options.proxyAddress) { // Ignore empty string on purpose
      debug('Using proxy server: %s', options.proxyAddress);
      httpOptions.proxy = options.proxyAddress;
      // missing httpOptions.agent = require('proxy-agent')(options.proxyAddress);
    }
    if (options.caBundlePath) {
      debug('Using ca bundle path: %s', options.caBundlePath);
      httpOptions.agent = new https.Agent({ca: await readIfPossible(options.caBundlePath)});
    }

This was introduced in this commit

I was able to reproduce it, and it looks like setting the agent property seems to fix the issue.
From the compiled Javascripte code in the global node_module folder:
(../aws-cdk/lib/api/util/sdk.js)

if (options.proxyAddress) { // Ignore empty string on purpose
    logging_1.debug('Using proxy server: %s', options.proxyAddress);
    httpOptions.proxy = { agent: require('proxy-agent')(options.proxyAddress) };
}

@mo-matt-p & @ilkomiliev While I'm pushing the fix would you like to try patch your CLI version?

if this could help here the output from 1.18 and 1.20. I think that something is missing in the request sent to STS.

cdk deploy -v --dry-run
CDK toolkit version: 1.18.0 (build bc924bc)
Command line arguments: { _: [ 'deploy' ],
  v: true,
  verbose: true,
  'dry-run': true,
  dryRun: true,
  'ignore-errors': false,
  ignoreErrors: false,
  json: false,
  j: false,
  ec2creds: undefined,
  i: undefined,
  'version-reporting': undefined,
  versionReporting: undefined,
  'path-metadata': true,
  pathMetadata: true,
  'asset-metadata': true,
  assetMetadata: true,
  'role-arn': undefined,
  r: undefined,
  roleArn: undefined,
  staging: true,
  'no-color': false,
  noColor: false,
  'build-exclude': [],
  E: [],
  buildExclude: [],
  ci: false,
  execute: true,
  '$0': '/home/ec2-user/bin/cdk' }
Determining whether we're on an EC2 instance.
Using proxy server: http://xxx
cdk.json: {
  "app": "npx ts-node bin/myapp-app.ts"
}
Looks like EC2 instance.
cdk.context.json: {
  "@aws-cdk/core:enableStackNameDuplicates": "true"
}
merged settings: { versionReporting: true,
  pathMetadata: true,
  output: 'cdk.out',
  app: 'npx ts-node bin/myapp-app.ts',
  context: {},
  tags: [],
  assetMetadata: true,
  toolkitBucket: {},
  staging: true }
Unable to determine AWS region from environment or AWS configuration (profile: "default")
Setting "CDK_DEFAULT_REGION" environment variable to undefined
Resolving default credentials
Retrieved account ID xxxxxxxxxxxx from disk cache
Setting "CDK_DEFAULT_ACCOUNT" environment variable to xxxxxxxxxxxx
context: { '@aws-cdk/core:enableStackNameDuplicates': 'true',
  'aws:cdk:enable-path-metadata': true,
  'aws:cdk:enable-asset-metadata': true }
outdir: cdk.out
env: { CDK_DEFAULT_REGION: undefined,
  CDK_DEFAULT_ACCOUNT: 'xxxxxxxxxxxx',
  CDK_CONTEXT_JSON:
   '{"@aws-cdk/core:enableStackNameDuplicates":"true","aws:cdk:enable-path-metadata":true,"aws:cdk:enable-asset-metadata":true}',
  CDK_OUTDIR: 'cdk.out',
  CDK_CLI_ASM_VERSION: '1.16.0',
  CDK_CLI_VERSION: '1.18.0' }
Reading existing template for stack MyappAppStack.
Using default AWS SDK credentials for account xxxxxxxxxxxx
MyappAppStack: deploying...
Waiting for stack CDKToolkit to finish creating or updating...
Using default AWS SDK credentials for account xxxxxxxxxxxx
s3://xxx.yml: checking if already exists
s3://xxx.yml: uploading
s3://xxx.yml: upload complete
Stored template in S3 at: xxx
Attempting to create ChangeSet CDK-xxx to create stack MyappAppStack
MyappAppStack: creating CloudFormation changeset...
...
outpput deleted
...
Stack MyappAppStack is still not stable (CREATE_IN_PROGRESS (User Initiated))
 0/2 | 8:36:59 AM | CREATE_IN_PROGRESS   | AWS::CDK::Metadata | CDKMetadata 
 0/2 | 8:37:00 AM | CREATE_IN_PROGRESS   | AWS::CDK::Metadata | CDKMetadata Resource creation Initiated
 1/2 | 8:37:00 AM | CREATE_COMPLETE      | AWS::CDK::Metadata | CDKMetadata 
Stack MyappAppStack is still not stable (CREATE_IN_PROGRESS)
 2/2 | 8:37:02 AM | CREATE_COMPLETE      | AWS::CloudFormation::Stack | MyappAppStack 
Stack MyappAppStack has completed updating

 ✅  MyappAppStack

Stack ARN:
arn:aws:cloudformation:eu-central-1:xxxxxxxxxxxx:stack/xxx

npm install -g aws-cdk
npm WARN deprecated [email protected]: core-js@<3 is no longer maintained and not recommended for usage due to the number of issues. Please, upgrade your dependencies to the actual version of core-js@3.
/home/ec2-user/node-v10.16.3-linux-x64/bin/cdk -> /home/ec2-user/node-v10.16.3-linux-x64/lib/node_modules/aws-cdk/bin/cdk
+ [email protected]
added 2 packages from 6 contributors, removed 57 packages and updated 12 packages in 15.549s
[ec2-user@ip-xxx myapp-app]$ cdk --version
1.20.0 (build 021c521)
[ec2-user@xxx myapp-app]$ cdk deploy -v --dry-run
CDK toolkit version: 1.20.0 (build 021c521)
Command line arguments: { _: [ 'deploy' ],
  v: true,
  verbose: true,
  'dry-run': true,
  dryRun: true,
  'ignore-errors': false,
  ignoreErrors: false,
  json: false,
  j: false,
  ec2creds: undefined,
  i: undefined,
  'version-reporting': undefined,
  versionReporting: undefined,
  'path-metadata': true,
  pathMetadata: true,
  'asset-metadata': true,
  assetMetadata: true,
  'role-arn': undefined,
  r: undefined,
  roleArn: undefined,
  staging: true,
  'no-color': false,
  noColor: false,
  fail: false,
  'build-exclude': [],
  E: [],
  buildExclude: [],
  ci: false,
  execute: true,
  '$0': '/home/ec2-user/bin/cdk' }
Determining whether we're on an EC2 instance.
Using proxy server: xxx
cdk.json: {
  "app": "npx ts-node bin/myapp-app.ts"
}
Looks like EC2 instance.
cdk.context.json: {
  "@aws-cdk/core:enableStackNameDuplicates": "true"
}
merged settings: { versionReporting: true,
  pathMetadata: true,
  output: 'cdk.out',
  app: 'npx ts-node bin/myapp-app.ts',
  context: {},
  tags: [],
  assetMetadata: true,
  toolkitBucket: {},
  staging: true }
Unable to determine AWS region from environment or AWS configuration (profile: "default")
Setting "CDK_DEFAULT_REGION" environment variable to undefined
Resolving default credentials
Retrieved account ID xxxxxxxxxxxx from disk cache
Setting "CDK_DEFAULT_ACCOUNT" environment variable to xxxxxxxxxxxx
context: { '@aws-cdk/core:enableStackNameDuplicates': 'true',
  'aws:cdk:enable-path-metadata': true,
  'aws:cdk:enable-asset-metadata': true }
outdir: cdk.out
env: { CDK_DEFAULT_REGION: undefined,
  CDK_DEFAULT_ACCOUNT: 'xxxxxxxxxxxx',
  CDK_CONTEXT_JSON:
   '{"@aws-cdk/core:enableStackNameDuplicates":"true","aws:cdk:enable-path-metadata":true,"aws:cdk:enable-asset-metadata":true}',
  CDK_OUTDIR: 'cdk.out',
  CDK_CLI_ASM_VERSION: '1.16.0',
  CDK_CLI_VERSION: '1.20.0' }
Reading existing template for stack MyappAppStack.
Using default AWS SDK credentials for account xxxxxxxxxxxx
handshakefailed
500: handshakefailed
    at Request.extractError (/home/ec2-user/node-v10.16.3-linux-x64/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/protocol/query.js:50:29)
    at Request.callListeners (/home/ec2-user/node-v10.16.3-linux-x64/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/home/ec2-user/node-v10.16.3-linux-x64/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/home/ec2-user/node-v10.16.3-linux-x64/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:683:14)
    at Request.transition (/home/ec2-user/node-v10.16.3-linux-x64/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/home/ec2-user/node-v10.16.3-linux-x64/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /home/ec2-user/node-v10.16.3-linux-x64/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/home/ec2-user/node-v10.16.3-linux-x64/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/home/ec2-user/node-v10.16.3-linux-x64/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:685:12)
    at Request.callListeners (/home/ec2-user/node-v10.16.3-linux-x64/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/sequential_executor.js:116:18)

The app has been generated with the cdk CLI and the only change is:

#!/usr/bin/env node
import "source-map-support/register";
import cdk = require("@aws-cdk/core");
import { MyappAppStack } from "../lib/myapp-app-stack";

const ENV_EU_CENTRAL_1 = { account: "xxxxxxxxxxxx", region: "eu-central-1" };

const app = new cdk.App();
new MyappAppStack(app, "MyappAppStack", {env: ENV_EU_CENTRAL_1});

Proxy settings are also nothing special:

env |grep -i proxy
NO_PROXY=localhost,127.0.0.1,169.254.169.254,169.254.170.2
http_proxy=http://XX.XX.XX.XX:57165
https_proxy=http://XX.XX.XX.XX:57165
HTTPS_PROXY=http://XX.XX.XX.XX:57165
no_proxy=localhost,127.0.0.1,169.254.169.254,169.254.170.2
HTTP_PROXY=http://XX.XX.XX.XX:57165

I don't think that we are experiencing connectivity problems - I think that 500 comes from the STS endpoint, so that we are able to reach it.

hope this helps

I think it's the 'http.agent' that missing, it was removed in the commit I mentioned.