自 PR 起:https://github.com/aws/aws-cdk/pull/19454 并发布 v2.18.0 CDK 应该通过 AWS CLI v2 配置文件支持 SSO 凭证。
但是,无论我做什么,我都无法让它发挥作用。 我在 AWS CDK 问题部分创建了更新文档的请求,因为没有官方文档解释其在实践中如何运作,并且官方文档仍然表示不支持它并使用 yawsso:https://github .com/aws/aws-cdk/issues/21314
从经历了 4 年的旧线程到现在,我尝试了以下设置,但成功率为 0。 我的
.aws/config
文件(敏感值已编辑):
[profile DEV-NN-HSMX]
sso_start_url = https://my-company-url.awsapps.com/start#/
sso_region = eu-central-1
sso_account_name = MY-ACCOUNT
sso_account_id = MY-ACCOUNT-ID
sso_role_name = AdministratorAccess
region = eu-central-1
运行
aws sso login --profile "DEV-NN-HSMX"
按预期重定向我,我可以通过我的 SSO 提供商进行身份验证。aws sts get-caller-identity --profile "DEV-NN-HSMX"
按预期工作并确认我的 SSO 身份。aws s3 ls --profile "DEV-NN-HSMX"
按预期工作,并显示凭据具有访问权限。
但是当尝试运行任何 CDK 命令时。我根本无法让它发挥作用。
AWS CLI 版本:2.7.16
AWS CDK 版本:2.33.0
我尝试了以下所有内容的组合,无论是单独的、混合在所有组合中还是同时混合。
cdk deploy --profile "DEV-NN-HSMX"
导出
$AWS_PROFILE
和/或 $CDK_DEFAULT_PROFILE
环境变量:
cdk doctor
ℹ️ CDK Version: 2.33.0 (build 859272d)
ℹ️ AWS environment variables:
- AWS_CA_BUNDLE = /home/vscode/certs/cacert.pem
- AWS_PROFILE = DEV-NN-HSMX
- AWS_REGION = eu-central-1
- AWS_STS_REGIONAL_ENDPOINTS = regional
- AWS_NODEJS_CONNECTION_REUSE_ENABLED = 1
- AWS_SDK_LOAD_CONFIG = 1
ℹ️ CDK environment variables:
- CDK_DEFAULT_PROFILE = DEV-NN-HSMX
- CDK_DEFAULT_REGION = eu-central-1
我尝试过删除一个已删除的
.aws/credentials
文件以及一个空文件。aws\sso\cache
和 .aws\cli\cache
中的所有内容,以确保没有保留过期的凭据信息,然后使用 aws sso login --profile "DEV-NN-HSMX"
重新进行身份验证。
如果我使用
yawsso --profiles DEV-NN-HSMX
并在 .aws/credentials
中获取个人资料的临时凭证,则效果很好。
我已经能够使用凭证转换来引导和部署,没有出现任何问题。从连接、访问权限和引导程序的角度证明一切都按预期工作。
当使用上述任何 SSO 方法而不导出凭据时,我总是收到以下错误消息。
cdk deploy --profile "DEV-NN-HSMX"
✨ Synthesis time: 4.18s
Unable to resolve AWS account to use. It must be either configured when you define your CDK Stack, or through the environment
以完整详细的方式运行命令会给出以下输出:
cdk deploy --trace --verbose --profile "DEV-NN-HSMX"
CDK toolkit version: 2.33.0 (build 859272d)
Command line arguments: {
_: [ 'deploy' ],
trace: true,
verbose: 1,
v: 1,
profile: 'DEV-NN-HSMX',
defaultProfile: 'DEV-NN-HSMX',
defaultRegion: 'eu-central-1',
lookups: true,
'ignore-errors': false,
ignoreErrors: false,
json: false,
j: false,
debug: false,
ec2creds: undefined,
i: undefined,
'version-reporting': undefined,
versionReporting: undefined,
'path-metadata': true,
pathMetadata: true,
'asset-metadata': true,
assetMetadata: true,
'role-arn': undefined,
r: undefined,
roleArn: undefined,
staging: true,
'no-color': false,
noColor: false,
ci: false,
all: false,
'build-exclude': [],
E: [],
buildExclude: [],
execute: true,
force: false,
f: false,
parameters: [ {} ],
'previous-parameters': true,
previousParameters: true,
logs: true,
'$0': '/home/vscode/.local/state/fnm_multishells/216_1658735050827/bin/cdk'
}
cdk.json: {
"app": "npx ts-node --prefer-ts-exts bin/cdk-demo.ts",
"watch": {
"include": [
"**"
],
"exclude": [
"README.md",
"cdk*.json",
"**/*.d.ts",
"**/*.js",
"tsconfig.json",
"package*.json",
"yarn.lock",
"node_modules",
"test"
]
},
"context": {
"@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": true,
"@aws-cdk/core:stackRelativeExports": true,
"@aws-cdk/aws-rds:lowercaseDbIdentifier": true,
"@aws-cdk/aws-lambda:recognizeVersionProps": true,
"@aws-cdk/aws-lambda:recognizeLayerVersion": true,
"@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": true,
"@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
"@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
"@aws-cdk/core:checkSecretUsage": true,
"@aws-cdk/aws-iam:minimizePolicies": true,
"@aws-cdk/core:validateSnapshotRemovalPolicy": true,
"@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
"@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
"@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
"@aws-cdk/core:target-partitions": [
"aws",
"aws-cn"
]
}
}
merged settings: {
versionReporting: true,
pathMetadata: true,
output: 'cdk.out',
app: 'npx ts-node --prefer-ts-exts bin/cdk-demo.ts',
watch: {
include: [ '**' ],
exclude: [
'README.md',
'cdk*.json',
'**/*.d.ts',
'**/*.js',
'tsconfig.json',
'package*.json',
'yarn.lock',
'node_modules',
'test'
]
},
context: {
'@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId': true,
'@aws-cdk/core:stackRelativeExports': true,
'@aws-cdk/aws-rds:lowercaseDbIdentifier': true,
'@aws-cdk/aws-lambda:recognizeVersionProps': true,
'@aws-cdk/aws-lambda:recognizeLayerVersion': true,
'@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021': true,
'@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver': true,
'@aws-cdk/aws-ec2:uniqueImdsv2TemplateName': true,
'@aws-cdk/core:checkSecretUsage': true,
'@aws-cdk/aws-iam:minimizePolicies': true,
'@aws-cdk/core:validateSnapshotRemovalPolicy': true,
'@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName': true,
'@aws-cdk/aws-s3:createDefaultLoggingPolicy': true,
'@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption': true,
'@aws-cdk/core:target-partitions': [ 'aws', 'aws-cn' ]
},
debug: false,
assetMetadata: true,
profile: 'DEV-NN-HSMX',
toolkitBucket: {},
staging: true,
bundlingStacks: [ '*' ],
lookups: true
}
Using CA bundle path: /home/vscode/certs/cacert.pem
Toolkit stack: CDKToolkit
Setting "CDK_DEFAULT_REGION" environment variable to eu-central-1
Resolving default credentials
Could not refresh notices: Error: unable to get local issuer certificate
Unable to determine the default AWS account: ProcessCredentialsProviderFailure: Profile DEV-NN-HSMX did not include credential process
at ProcessCredentials2.load (/home/vscode/.local/share/fnm/node-versions/v16.16.0/installation/lib/node_modules/aws-sdk/lib/credentials/process_credentials.js:102:11)
at ProcessCredentials2.coalesceRefresh (/home/vscode/.local/share/fnm/node-versions/v16.16.0/installation/lib/node_modules/aws-sdk/lib/credentials.js:205:12)
at ProcessCredentials2.refresh (/home/vscode/.local/share/fnm/node-versions/v16.16.0/installation/lib/node_modules/aws-sdk/lib/credentials/process_credentials.js:163:10)
at ProcessCredentials2.get2 [as get] (/home/vscode/.local/share/fnm/node-versions/v16.16.0/installation/lib/node_modules/aws-sdk/lib/credentials.js:122:12)
at resolveNext2 (/home/vscode/.local/share/fnm/node-versions/v16.16.0/installation/lib/node_modules/aws-sdk/lib/credentials/credential_provider_chain.js:125:17)
at /home/vscode/.local/share/fnm/node-versions/v16.16.0/installation/lib/node_modules/aws-sdk/lib/credentials/credential_provider_chain.js:126:13
at /home/vscode/.local/share/fnm/node-versions/v16.16.0/installation/lib/node_modules/aws-sdk/lib/credentials.js:124:23
at /home/vscode/.local/share/fnm/node-versions/v16.16.0/installation/lib/node_modules/aws-sdk/lib/credentials.js:212:15
at processTicksAndRejections (node:internal/process/task_queues:78:11) {
code: 'ProcessCredentialsProviderFailure',
time: 2022-07-25T15:01:41.645Z
}
context: {
'@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId': true,
'@aws-cdk/core:stackRelativeExports': true,
'@aws-cdk/aws-rds:lowercaseDbIdentifier': true,
'@aws-cdk/aws-lambda:recognizeVersionProps': true,
'@aws-cdk/aws-lambda:recognizeLayerVersion': true,
'@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021': true,
'@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver': true,
'@aws-cdk/aws-ec2:uniqueImdsv2TemplateName': true,
'@aws-cdk/core:checkSecretUsage': true,
'@aws-cdk/aws-iam:minimizePolicies': true,
'@aws-cdk/core:validateSnapshotRemovalPolicy': true,
'@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName': true,
'@aws-cdk/aws-s3:createDefaultLoggingPolicy': true,
'@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption': true,
'@aws-cdk/core:target-partitions': [ 'aws', 'aws-cn' ],
'aws:cdk:enable-path-metadata': true,
'aws:cdk:enable-asset-metadata': true,
'aws:cdk:version-reporting': true,
'aws:cdk:bundling-stacks': [ '*' ]
}
outdir: cdk.out
env: {
CDK_DEFAULT_REGION: 'eu-central-1',
CDK_CONTEXT_JSON: '{"@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId":true,"@aws-cdk/core:stackRelativeExports":true,"@aws-cdk/aws-rds:lowercaseDbIdentifier":true,"@aws-cdk/aws-lambda:recognizeVersionProps":true,"@aws-cdk/aws-lambda:recognizeLayerVersion":true,"@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021":true,"@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver":true,"@aws-cdk/aws-ec2:uniqueImdsv2TemplateName":true,"@aws-cdk/core:checkSecretUsage":true,"@aws-cdk/aws-iam:minimizePolicies":true,"@aws-cdk/core:validateSnapshotRemovalPolicy":true,"@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName":true,"@aws-cdk/aws-s3:createDefaultLoggingPolicy":true,"@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption":true,"@aws-cdk/core:target-partitions":["aws","aws-cn"],"aws:cdk:enable-path-metadata":true,"aws:cdk:enable-asset-metadata":true,"aws:cdk:version-reporting":true,"aws:cdk:bundling-stacks":["*"]}',
CDK_OUTDIR: 'cdk.out',
CDK_CLI_ASM_VERSION: '20.0.0',
CDK_CLI_VERSION: '2.33.0'
}
✨ Synthesis time: 4.54s
Reading existing template for stack CdkDemoStack.
Reading cached notices from /home/vscode/.cdk/cache/notices.json
Unable to resolve AWS account to use. It must be either configured when you define your CDK Stack, or through the environment
Error: Unable to resolve AWS account to use. It must be either configured when you define your CDK Stack, or through the environment
at SdkProvider.resolveEnvironment (/home/vscode/.local/share/fnm/node-versions/v16.16.0/installation/lib/node_modules/aws-cdk/lib/api/aws-auth/sdk-provider.ts:238:13)
at processTicksAndRejections (node:internal/process/task_queues:96:5)
at CloudFormationDeployments.prepareSdkFor (/home/vscode/.local/share/fnm/node-versions/v16.16.0/installation/lib/node_modules/aws-cdk/lib/api/cloudformation-deployments.ts:432:33)
我确实注意到输出中的 ProcessCredentialsProviderFailure,但这对于如何解决它并没有提供太多信息。 有人有任何想法或意见吗?
不可知堆栈(不将环境信息直接放入堆栈代码中)似乎不适用于新的 SSO 集成。
将环境信息添加到堆栈代码中即可使其工作:
const app = new cdk.App();
new CdkDemoStack(app, 'CdkDemoStack', {
env: { account: process.env.CDK_DEFAULT_ACCOUNT,
region: process.env.CDK_DEFAULT_REGION
},
});
我在这里遇到了同样的问题几周。对我来说,不同之处在于我的
cdk doctor
命令看起来是这样的:
▶ cdk doctor
ℹ️ CDK Version: 2.99.1 (build b2a895e)
ℹ️ AWS environment variables:
- AWS_CONFIG_FILE = ~/.aws/config
- AWS_STS_REGIONAL_ENDPOINTS = regional
- AWS_NODEJS_CONNECTION_REUSE_ENABLED = 1
ℹ️ No CDK environment variables
与 AWS 支持人员合作后,我能够通过更改 AWS 环境变量来实现此功能,这样我的新
cdk doctor
结果是:
▶ cdk doctor
ℹ️ CDK Version: 2.99.1 (build b2a895e)
ℹ️ AWS environment variables:
- AWS_STS_REGIONAL_ENDPOINTS = regional
- AWS_NODEJS_CONNECTION_REUSE_ENABLED = 1
- AWS_SDK_LOAD_CONFIG = 1
ℹ️ No CDK environment variables
看起来您拥有所有需要的环境变量,但也许您的其他变量之一妨碍了。例如,我必须删除
AWS_CONFIG_FILE
环境变量。不能保证它会起作用,但值得一试。