Need to perform AWS calls for account <account-number>, but no credentials have been configured #32357

Closed
1 task
zhaojiew10 opened this issue Dec 2, 2024 · 10 comments · Fixed by #32456
Labels: bug, effort/small, p0, package/tools

Comments

@zhaojiew10

Describe the bug

An error occurs when running cdk bootstrap: Need to perform AWS calls for account <account-number>, but no credentials have been configured

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

2.166.0

Expected Behavior

bootstrap output

$ cdk --version
2.166.0 (build 7bb9203)

$ cdk bootstrap aws://xxxxxxxx/cn-north-1 --profile testcdkgroup --region cn-north-1
 ⏳  Bootstrapping environment aws://xxxxxxxxx/cn-north-1...
Trusted accounts for deployment: (none)
Trusted accounts for lookup: (none)
Using default execution policy of 'arn:aws-cn:iam::aws:policy/AdministratorAccess'. Pass '--cloudformation-execution-policies' to customize.
CDKToolkit: creating CloudFormation changeset...

Current Behavior

bootstrap error

$ cdk bootstrap aws://xxxxxxxxx/cn-north-1 --profile testcdkgroup --region cn-north-1
 ⏳  Bootstrapping environment aws://xxxxxxxxx/cn-north-1...
(Use `node --trace-warnings ...` to show where the warning was created)
 ❌  Environment aws://xxxxxxxxx/cn-north-1 failed bootstrapping: Error: Need to perform AWS calls for account xxxxxxxxx, but no credentials have been configured
    at SdkProvider.forEnvironment (/opt/software/node16/lib/node_modules/aws-cdk/lib/index.js:764:18100)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async Function.lookup (/opt/software/node16/lib/node_modules/aws-cdk/lib/index.js:614:8583)
    at async Bootstrapper.modernBootstrap (/opt/software/node16/lib/node_modules/aws-cdk/lib/index.js:615:1084)
    at async /opt/software/node16/lib/node_modules/aws-cdk/lib/index.js:821:1671
Need to perform AWS calls for account xxxxxxxxx, but no credentials have been configure

Reproduction Steps

$ cdk --version
2.167.0 (build 677e108)

When I run the bootstrap command, I get the following error:

cdk bootstrap aws://xxxxxxxxx/cn-north-1 --profile testcdkgroup --region cn-north-1

The AWS config is:

[profile testcdkgroup]
role_arn       = arn:aws-cn:iam::xxxxxxxxx:role/rolename
source_profile = admin
region=cn-north-1

I could get credentials:

$ aws sts get-caller-identity --profile testcdkgroup --region cn-north-1
{
    "UserId": "AROAWN7K6YMQG3NB37S32:botocore-session-1733147811",
    "Account": "xxxxxxxxx",
    "Arn": "arn:aws-cn:sts::xxxxxxxxxx:assumed-role/rolename/botocore-session-1733147811"
}

bootstrap output

$ cdk bootstrap aws://xxxxxxxxx/cn-north-1 --profile testcdkgroup --region cn-north-1
 ⏳  Bootstrapping environment aws://xxxxxxxxx/cn-north-1...
(Use `node --trace-warnings ...` to show where the warning was created)
 ❌  Environment aws://xxxxxxxxx/cn-north-1 failed bootstrapping: Error: Need to perform AWS calls for account xxxxxxxxx, but no credentials have been configured
    at SdkProvider.forEnvironment (/opt/software/node16/lib/node_modules/aws-cdk/lib/index.js:764:18100)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async Function.lookup (/opt/software/node16/lib/node_modules/aws-cdk/lib/index.js:614:8583)
    at async Bootstrapper.modernBootstrap (/opt/software/node16/lib/node_modules/aws-cdk/lib/index.js:615:1084)
    at async /opt/software/node16/lib/node_modules/aws-cdk/lib/index.js:821:1671
Need to perform AWS calls for account xxxxxxxxx, but no credentials have been configure

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.167.0+

Framework Version

No response

Node.js Version

Node.js 16.x

OS

amazonlinux 2

Language

TypeScript

Language Version

No response

Other information

No response

@zhaojiew10 zhaojiew10 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Dec 2, 2024
@github-actions github-actions bot added the package/tools Related to AWS CDK Tools or CLI label Dec 2, 2024
@zhaojiew10
Author

I captured the requests with tcpdump during the cdk bootstrap command. The output is:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:18:06.262164 IP 172.31.3.41.43922 > 72.21.206.96.https: Flags [S], seq 1915800606, win 62727, options [mss 8961,sackOK,TS val 3264941276 ecr 0,nop,wscale 7], length 0
14:18:06.494006 IP 72.21.206.96.https > 172.31.3.41.43922: Flags [S.], seq 3188368014, ack 1915800607, win 8190, options [mss 1460,nop,wscale 6,nop,nop,sackOK], length 0
14:18:06.494066 IP 172.31.3.41.43922 > 72.21.206.96.https: Flags [.], ack 1, win 491, length 0
14:18:06.494873 IP 172.31.3.41.43922 > 72.21.206.96.https: Flags [P.], seq 1:382, ack 1, win 491, length 381
14:18:06.726602 IP 72.21.206.96.https > 172.31.3.41.43922: Flags [.], ack 1, win 980, length 0
14:18:06.727233 IP 72.21.206.96.https > 172.31.3.41.43922: Flags [.], ack 382, win 976, length 0

As you can see, the IP address of the STS service requested is in the us-east-1 region.

Apparently, it could not work in the China region. Please fix this issue. Thanks!

@khushail khushail added investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Dec 2, 2024
@khushail khushail self-assigned this Dec 2, 2024
@khushail
Contributor

khushail commented Dec 2, 2024

Hi @zhaojiew10, looks like your issue is quite similar to these earlier reported issues -

@khushail khushail added p1 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Dec 2, 2024
@zhaojiew10
Author

zhaojiew10 commented Dec 3, 2024

Thanks for your response.

After checking issues #32135 and #32120, I think this issue is different from them.

This issue happens for cdk versions >= 2.167.0, even for the latest version 2.171.1 (build a95560c).

If I export the environment variables (AK, SK, SESSION_TOKEN) in the shell, cdk bootstrap works well.

And the following is the error output with -vvv.

$ cdk bootstrap aws://xxxxxxxx/cn-north-1 --profile testcdkgroup --region cn-north-1 -vvv
[02:08:26] CDK toolkit version: 2.171.1 (build a95560c)
[02:08:26] Command line arguments: {
  _: [ 'bootstrap' ],
  profile: 'testcdkgroup',
  region: 'cn-north-1',
  v: 3,
  verbose: 3,
  lookups: true,
  'ignore-errors': false,
  ignoreErrors: false,
  json: false,
  j: false,
  debug: false,
  ec2creds: undefined,
  i: undefined,
  'version-reporting': undefined,
  versionReporting: undefined,
  'path-metadata': undefined,
  pathMetadata: undefined,
  'asset-metadata': undefined,
  assetMetadata: undefined,
  'role-arn': undefined,
  r: undefined,
  roleArn: undefined,
  staging: true,
  'no-color': false,
  noColor: false,
  ci: false,
  unstable: [],
  'bootstrap-bucket-name': undefined,
  b: undefined,
  'toolkit-bucket-name': undefined,
  toolkitBucketName: undefined,
  bootstrapBucketName: undefined,
  'bootstrap-kms-key-id': undefined,
  bootstrapKmsKeyId: undefined,
  'example-permissions-boundary': undefined,
  epb: undefined,
  examplePermissionsBoundary: undefined,
  'custom-permissions-boundary': undefined,
  cpb: undefined,
  customPermissionsBoundary: undefined,
  'bootstrap-customer-key': undefined,
  bootstrapCustomerKey: undefined,
  qualifier: undefined,
  'public-access-block-configuration': undefined,
  publicAccessBlockConfiguration: undefined,
  tags: [],
  t: [],
  execute: true,
  trust: [],
  'trust-for-lookup': [],
  trustForLookup: [],
  'cloudformation-execution-policies': [],
  cloudformationExecutionPolicies: [],
  force: false,
  f: false,
  'termination-protection': undefined,
  terminationProtection: undefined,
  'show-template': false,
  showTemplate: false,
  'previous-parameters': true,
  previousParameters: true,
  '$0': 'cdk',
  ENVIRONMENTS: [ 'aws://xxxxxxxx/cn-north-1' ],
  'E-n-v-i-r-o-n-m-e-n-t-s': [ 'aws://xxxxxxxx/cn-north-1' ]
}
[02:08:26] merged settings: {
  versionReporting: true,
  assetMetadata: true,
  pathMetadata: true,
  output: 'cdk.out',
  context: {},
  debug: false,
  profile: 'testcdkgroup',
  toolkitBucket: {},
  staging: true,
  bundlingStacks: [],
  lookups: true,
  hotswap: { ecs: {} },
  unstable: []
}
[02:08:26] Reading cached notices from /home/ec2-user/.cdk/cache/notices.json
[02:08:26] [trace] SdkProvider#withAwsCliCompatibleDefaults()
[02:08:26] Toolkit stack: CDKToolkit
 ⏳  Bootstrapping environment aws://xxxxxxxx/cn-north-1...
[02:08:26] [trace] SdkProvider#resolveEnvironment()
[02:08:26] [trace] SdkProvider#forEnvironment()
[02:08:26] [trace]   SdkProvider#resolveEnvironment()
[02:08:26] [trace]   SdkProvider#obtainBaseCredentials()
[02:08:26] [trace]     SdkProvider#defaultAccount()
[02:08:26] [trace]       SdkProvider#defaultCredentials()
[02:08:26] Resolving default credentials
(node:4005) Warning: NodeDeprecationWarning: The AWS SDK for JavaScript (v3) will
no longer support Node.js 16.x on January 6, 2025.

To continue receiving updates to AWS services, bug fixes, and security
updates please upgrade to a supported Node.js LTS version.

More information can be found at: https://a.co/74kJMmI
(Use `node --trace-warnings ...` to show where the warning was created)
[02:08:27] Unable to determine the default AWS account (InvalidClientTokenId): The security token included in the request is invalid.
 ❌  Environment aws://xxxxxxxx/cn-north-1 failed bootstrapping: Error: Need to perform AWS calls for account xxxxxxxx, but no credentials have been configured
    at SdkProvider.forEnvironment (/opt/software/node16/lib/node_modules/aws-cdk/lib/index.js:764:18100)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async Function.lookup (/opt/software/node16/lib/node_modules/aws-cdk/lib/index.js:614:8583)
    at async Bootstrapper.modernBootstrap (/opt/software/node16/lib/node_modules/aws-cdk/lib/index.js:615:1084)
    at async /opt/software/node16/lib/node_modules/aws-cdk/lib/index.js:821:1671
[02:08:27] Reading cached notices from /home/ec2-user/.cdk/cache/notices.json
[02:08:27] Failed to get tree.json file: Error: cdk.out/tree.json: ENOENT: no such file or directory, open 'cdk.out/tree.json'. Proceeding with empty tree.
Need to perform AWS calls for account xxxxxxxx, but no credentials have been configured
[02:08:27] Error: Need to perform AWS calls for account xxxxxxxx, but no credentials have been configured
    at SdkProvider.forEnvironment (/opt/software/node16/lib/node_modules/aws-cdk/lib/index.js:764:18100)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async Function.lookup (/opt/software/node16/lib/node_modules/aws-cdk/lib/index.js:614:8583)
    at async Bootstrapper.modernBootstrap (/opt/software/node16/lib/node_modules/aws-cdk/lib/index.js:615:1084)
    at async /opt/software/node16/lib/node_modules/aws-cdk/lib/index.js:821:1671

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Dec 3, 2024
@csy97

csy97 commented Dec 4, 2024

It looks like it's due to the use of fromIni in awscli-compatible.ts. When source_profile is used, fromIni will use the global STS service to get the AK/SK by default, but this obviously doesn't work for China.

Adding clientConfig to fromIni allows specifying the region. By setting cn-north-1, fromIni can retrieve the AK/SK. However, it’s unclear if this modification is the optimal approach.

const { STSClient, GetCallerIdentityCommand } = require("@aws-sdk/client-sts");
const { fromIni } = require("@aws-sdk/credential-providers");

async function getRoleIdentity() {
  // Credentials come from the shared INI files; fromIni is called without clientConfig here.
  const credentials = fromIni({ profile: "test_assume" });

  // The region below configures this STSClient only.
  const stsClient = new STSClient({
    credentials,
    region: "cn-north-1",
  });

  try {
    // Ask STS which identity the resolved credentials belong to.
    const command = new GetCallerIdentityCommand({});
    const response = await stsClient.send(command);

    console.log("Current Role Identity:");
    console.log(`Account: ${response.Account}`);
    console.log(`UserId: ${response.UserId}`);
    console.log(`ARN: ${response.Arn}`);
  } catch (error) {
    console.error("Error fetching identity:", error);
  }
}

// Run the check.
getRoleIdentity();

@khushail
Contributor

khushail commented Dec 4, 2024

Requesting the core team's input on this issue, as similar issues were reported a few weeks back and the team provided a fix.

@khushail khushail removed their assignment Dec 4, 2024
@khushail khushail added the effort/small Small work item – less than a day of effort label Dec 4, 2024
@rix0rrr
Contributor

rix0rrr commented Dec 9, 2024

> It looks like it's due to the use of fromIni in awscli-compatible.ts. When source_profile is used, fromIni will use the global STS service to get the AK/SK by default, but this obviously doesn't work for China.

I'm a little confused. Wouldn't/shouldn't the region = field inside the INI file be used to determine the region to call STS in?

Is it not?

Can you do me a favor? Can you please spell out the INI file profiles that are involved in your call and the environment variables/command line flags you are using, once again? Just to be sure?

@otaviomacedo otaviomacedo self-assigned this Dec 9, 2024
@otaviomacedo
Contributor

Related: aws/aws-sdk-js-v3#6711

@csy97

csy97 commented Dec 10, 2024

> > It looks like it's due to the use of fromIni in awscli-compatible.ts. When source_profile is used, fromIni will use the global STS service to get the AK/SK by default, but this obviously doesn't work for China.
>
> I'm a little confused. Wouldn't/shouldn't the region = field inside the INI file be used to determine the region to call STS in?
>
> Is it not?
>
> Can you do me a favor? Can you please spell out the INI file profiles that are involved in your call and the environment variables/command line flags you are using, once again? Just to be sure?

I have submitted another issue to the AWS SDK for JavaScript repository as aws/aws-sdk-js-v3#6711. In the discussion, the SDK maintainer clarified that the SDK does not fetch region information from the ini file and defaults to us-east-1 if no region is explicitly specified in the fromIni call.

Therefore, for non-commercial AWS regions, it is necessary to specify the region in the fromIni call to ensure it functions correctly.
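
The conclusion of the thread, as an added example that is not part of the original discussion and is not CDK or SDK code: a pre-flight check that reads an assume-role profile, derives the partition from its role_arn, and returns the region to pass as clientConfig to fromIni. The function names, the partition-to-region mapping, the region-prefix rule and the sample account id are assumptions made for this sketch.

```javascript
// Added example (not CDK or SDK code): pre-flight check for assume-role profiles.
// Assumption: the partition default regions and region-prefix mapping below.
const PARTITION_DEFAULT_REGION = { "aws": "us-east-1", "aws-cn": "cn-north-1", "aws-us-gov": "us-gov-west-1" };

// Constructed sample shaped like the profile in the issue; the account id is a placeholder.
const SAMPLE_CONFIG = `
[profile admin]
region = cn-north-1

[profile testcdkgroup]
role_arn       = arn:aws-cn:iam::111122223333:role/rolename
source_profile = admin
region=cn-north-1
`;

// Minimal parser for "[profile name]" / "[default]" sections with "key = value" lines.
function parseAwsConfig(text) {
  const profiles = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const section = line.match(/^\[(?:profile\s+)?([^\]]+)\]$/);
    if (section) { current = profiles[section[1].trim()] = {}; continue; }
    const kv = line.match(/^([^=]+?)\s*=\s*(.*)$/);
    if (kv && current) current[kv[1].trim()] = kv[2].trim();
  }
  return profiles;
}

const partitionOfRegion = (r) =>
  r.startsWith("cn-") ? "aws-cn" : r.startsWith("us-gov-") ? "aws-us-gov" : "aws";

// Picks the region STS should be called in for a role_arn profile and reports
// whether an unconfigured us-east-1 fallback would land in a different partition.
function stsPlanFor(profileName, configText) {
  const profiles = parseAwsConfig(configText);
  const profile = profiles[profileName];
  if (!profile) throw new Error(`profile not found: ${profileName}`);
  if (!profile.role_arn) return { assumesRole: false };
  const partition = profile.role_arn.split(":")[1]; // arn:<partition>:iam::...
  const candidate = profile.region || (profiles[profile.source_profile] || {}).region;
  const usable = candidate && partitionOfRegion(candidate) === partition;
  const region = usable ? candidate : PARTITION_DEFAULT_REGION[partition];
  if (!region) throw new Error(`unsupported partition: ${partition}`);
  // clientConfig has the shape passed as fromIni({ profile, clientConfig }).
  return { assumesRole: true, partition, clientConfig: { region },
           fallbackCrossesPartition: partitionOfRegion("us-east-1") !== partition };
}
```

A profile whose region belongs to a different partition than its role_arn is corrected to that partition's default region rather than passed through.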


Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.


@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 11, 2024