Aws-cdk: [core] cdk deploy won't use AWS_WEB_IDENTITY_TOKEN_FILE

Created on 18 Nov 2020  ·  2 comments  ·  Source: aws/aws-cdk

I'm trying to use cdk deploy inside EKS Kubernetes GitLab runners, but it won't work. CDK always tries to access the metadata service of the EC2 instance (which I disabled via iptables) and ignores AWS_WEB_IDENTITY_TOKEN_FILE.

Reproduction Steps

Try to use cdk inside EKS pods with IAM for service accounts

What did you expect to happen?

CDK should use the pod service account IAM role, as it does on ECS

What actually happened?

mystack: deploying...
 Assuming role 'arn:aws:iam::123456:role/cdk-bootstrap-deploy'.
  ❌  mystack: Error [TimeoutError]: EC2 Metadata roleName request returned error
     at Timeout.connectTimeout [as _onTimeout] (/usr/local/lib/node_modules/cdk/node_modules/aws-cdk/node_modules/aws-sdk/lib/http/node.js:69:15)
     at listOnTimeout (internal/timers.js:554:17)
     at processTimers (internal/timers.js:497:7) {
   code: 'TimeoutError',

Environment

CDK: 1.74.0
ModernBootstrapping
Node.js Version: 12 or 14
CDK CLI Version: 1.74.0

My thoughts on this...

Am I right that the whole credential handling starts here:
https://github.com/aws/aws-cdk/blob/master/packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts

and there is no option for eks?

const chain = await AwsCliCompatible.credentialChain({
  profile: options.profile,
  ec2instance: options.ec2creds,
  containerCreds: options.containerCreds,
  httpOptions: sdkOptions.httpOptions,
});

Further on, I can see that containerCreds at the moment only relates to ECS:

https://github.com/aws/aws-cdk/blob/98e9b5956b3bff6db1cee615cd0e14dcb50d4726/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts#L63

So here something like hasEksCreds should be implemented... My quick lookup at the AWS SDK didn't offer such a method as you used for ECS, as used here:

https://github.com/aws/aws-cdk/blob/98e9b5956b3bff6db1cee615cd0e14dcb50d4726/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts#L155

So my suggestion would be to implement our own test for both environment variables that will be set if you are running on EKS:
AWS_ROLE_ARN
AWS_WEB_IDENTITY_TOKEN_FILE

OK... starting to implement this

I may be able to implement this ... maybe :-/
I would like to know if this is the right direction ...

This is :bug: Bug Report

@aws-cdk/core bug effort/small in-progress p2
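The detection the issue proposes (test for AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE, and consult it before falling back to the EC2 metadata service), written out as an added TypeScript example. This is not aws-cdk's own code and not the author's patch: the source ordering in buildChain is illustrative, the ECS probe variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is an assumption about what the ECS agent sets, and makeDemoEnv writes a constructed token file to a temp directory so the example runs offline.

```typescript
import * as fs from "fs";
import * as os from "os";
import * as path from "path";

// Loose view of process.env; keeps the helpers testable with constructed maps.
export type Env = Record<string, string | undefined>;

// The two variables the EKS pod identity webhook injects for IAM roles for
// service accounts (names taken from the issue text above).
export const ROLE_ARN_VAR = "AWS_ROLE_ARN";
export const TOKEN_FILE_VAR = "AWS_WEB_IDENTITY_TOKEN_FILE";

// True only when both variables are set AND the token file is readable, so the
// chain never selects a source it cannot actually use (a pod whose projected
// token volume is missing fails fast instead of timing out later).
export function hasWebIdentityCreds(env: Env): boolean {
  const roleArn = env[ROLE_ARN_VAR];
  const tokenFile = env[TOKEN_FILE_VAR];
  if (!roleArn || !tokenFile) {
    return false;
  }
  try {
    fs.accessSync(tokenFile, fs.constants.R_OK);
    return true;
  } catch {
    return false;
  }
}

// One candidate credential source, in the order the chain tries them.
export interface CredentialSource {
  name: string;
  available: (env: Env) => boolean;
}

export interface ChainOptions {
  ec2instance?: boolean;
  containerCreds?: boolean;
}

// Illustrative ordering (assumption, not aws-cdk's own chain): static env keys
// first, then web identity, then ECS container creds, EC2 instance metadata
// last. Placing web identity before the metadata source is the whole point:
// the metadata probe passes unconditionally and then hangs on IMDS when that
// endpoint is blocked, which is the timeout shown in the report above.
export function buildChain(opts: ChainOptions = {}): CredentialSource[] {
  const chain: CredentialSource[] = [
    {
      name: "environment",
      available: e => !!e.AWS_ACCESS_KEY_ID && !!e.AWS_SECRET_ACCESS_KEY,
    },
    { name: "web-identity-token-file", available: hasWebIdentityCreds },
  ];
  if (opts.containerCreds) {
    chain.push({
      name: "ecs-container",
      // Assumption: the variable the ECS agent sets for task roles.
      available: e => !!e.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI,
    });
  }
  if (opts.ec2instance) {
    chain.push({ name: "ec2-metadata", available: () => true });
  }
  return chain;
}

// Name of the first source whose probe passes, or undefined if none does.
export function resolveSource(env: Env, opts: ChainOptions = {}): string | undefined {
  return buildChain(opts).find(s => s.available(env))?.name;
}

// Constructed sample: a throwaway token file plus the env an EKS pod would see.
export function makeDemoEnv(): { env: Env; cleanup: () => void } {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "irsa-demo-"));
  const tokenFile = path.join(dir, "token");
  fs.writeFileSync(tokenFile, "constructed.jwt.token\n");
  const env: Env = {
    [ROLE_ARN_VAR]: "arn:aws:iam::123456789012:role/example-pod-role", // placeholder ARN
    [TOKEN_FILE_VAR]: tokenFile,
  };
  return { env, cleanup: () => fs.rmSync(dir, { recursive: true, force: true }) };
}

// Stand-alone run: show which source each environment would pick.
const demo = makeDemoEnv();
console.log("eks pod  ->", resolveSource(demo.env, { ec2instance: true, containerCreds: true }));
console.log("bare env ->", resolveSource({}, { ec2instance: true }));
demo.cleanup();
```

In the AWS SDK for JavaScript v2 that aws-cdk uses, the "web-identity-token-file" slot corresponds to AWS.TokenFileWebIdentityCredentials, which reads the same two variables; the probe above only decides whether that provider belongs in the chain ahead of the EC2 metadata provider. Checking readability of the token file, not just presence of the variable, is what keeps a misconfigured pod from falling through to a blocked IMDS and reproducing the timeout in the report.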

All 2 comments

Ok, the fix is definitively working. As a workaround, until this issue is fixed, you can try my fix in your projects:

https://github.com/markus7811/aws-cdk-eks-patch

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
