Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(cli): SSO credential flow does not work with $AWS_CA_BUNDLE #21328

Closed
HenrikStanley opened this issue Jul 26, 2022 · 3 comments · Fixed by #22115
Closed

(cli): SSO credential flow does not work with $AWS_CA_BUNDLE #21328

HenrikStanley opened this issue Jul 26, 2022 · 3 comments · Fixed by #22115
Labels
bug This issue is a bug. effort/medium Medium work item – several days of effort p1 package/tools Related to AWS CDK Tools or CLI

Comments

@HenrikStanley
Copy link

Describe the bug

When using the CDK CLI with the $AWS_CA_BUNDLE environment variable set, pointing to a valid cacert.pem file with the default AWS CLI certificates + corporate certificates for SSL inspection, the commands does not work when the credentials used comes from the SSO implementation.

cdk doctor correctly identifies the variable is set.

cdk doctor
ℹ️ CDK Version: 2.33.0 (build 859272d)
ℹ️ AWS environment variables:
  - AWS_CA_BUNDLE = /home/vscode/certs/cacert.pem
  - AWS_PROFILE = SSO-TEST
  - AWS_STS_REGIONAL_ENDPOINTS = regional
  - AWS_NODEJS_CONNECTION_REUSE_ENABLED = 1
  - AWS_SDK_LOAD_CONFIG = 1
ℹ️ No CDK environment variables

On a corporate network with SSL Inspection (ZScaler) and $AWS_CA_BUNDLE correctly configured in the shell.
Running any AWS CLI command using SSO credentials work.
Running CDK CLI commands such as diff and deploy using exported temporary credentials works.
Running CDK CLI commands such as diff and deploy using SSO credentials does not work.

Outside a corporate network with no SSL Inspection.
Running any AWS CLI command using SSO credentials work.
Running CDK CLI commands such as diff and deploy using exported temporary credentials works.
Running CDK CLI commands such as diff and deploy using SSO credentials does works.

Expected Behavior

Having $AWS_CA_BUNDLE correctly configured in the shell that runs the CKD CLI commands, the SSO Credential implementation should respect the $AWS_CA_BUNDLE parameter when calling endpoints.

Current Behavior

When running any commands with the CDK CLIs implementation of using SSO credential as the credential source will result in an error that seems to be caused by the implementation not respecting $AWS_CA_BUNDLE parameters.

Reproduction Steps

This requires a network with SSL inspection enabled to test and validate, as well as a cacert.pem file with the CA used by the SSL Inspection/Interfering network appliance included in the .pem file with the rest of the default certificates that the AWS CLI ships with.

Setup:

  1. Copy the cacert.pem file from the location of the installation of the AWS CLI, on my system this would be:
    /usr/share/aws-cli/v2/2.7.16/dist/awscli/botocore/cacert.pem
  2. Save the copy to a know location, for example:
    ~/certs/cacert.pem
  3. Inject the CA used by the SSL inspection tool or other network appliance that interferes with the traffic into the copied cacert.pem file.

Configure an SSO profile using the AWS CLI:

aws configure sso --profile SSO-TEST
SSO start URL [None]: https://your-sso-url.awsapps.com/start#/
SSO Region [None]: your-sso-region
There are XXX AWS accounts available to you.
Using the account ID 12345678900
There are x roles available to you.
Using the role name "AdministratorAccess"
CLI default client Region [None]: your-default-region
CLI default output format [None]: json

Validate SSL issues.

  1. Login to AWS SSO should give an error.
    aws sso login --profile SSO-TEST

SSL validation failed for <endpoint_url> [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed.

Validate working with CA Bundle

export AWS_CA_BUNDLE="~/certs/cacert.pem"
aws sso login --profile SSO-TEST

Should prompt for SSO login through normal IDP / Browser flow.

Now test with a CDK app

cdk deploy --profile SSO-TEST

This fails even though AWS_CA_BUNDLE works for the CLI.
Using exported temporary credentials should work fine.
export AWS_ACCESS_KEY_ID
export AWS_SECRET_ACCESS_KEY
export AWS_SESSION_TOKEN

Same using credentials or credential helper in the ~/.aws/credentials file.

In my testing it seems to be only using an SSO profile from the ~/.aws/config file which can be applied by using the cdk deploy --profile command or by setting the $AWS_PROFILE environment variable in the shell that does not work.

Possible Solution

Making sure that the implementation from PR: #19454 is fixed to work with $AWS_CA_BUNDLE.

Additional Information/Context

As mentioned the AWS CLI and related tools that requires the $AWS_CA_BUNDLE works fine.
CDK CLI also works fine with $AWS_CA_BUNDLE as long as the credentials used are not SSO credentials but are in the credentials file, exported to environment variables using AWS_ACCESS_KEY_ID etc.

CDK CLI Version

2.33.0 (build 859272d)

Framework Version

No response

Node.js Version

v16.16.0 (LTS)

OS

ArchLinux

Language

Typescript

Language Version

No response

Other information

Stack Trace when using $AWS_CA_BUNDLE inside corp network with SSL inspection enabled.

cdk deploy --trace --verbose --profile "DEV-NN-HSMX"
CDK toolkit version: 2.33.0 (build 859272d)
Command line arguments: {
  _: [ 'deploy' ],
  trace: true,
  verbose: 1,
  v: 1,
  profile: 'DEV-NN-HSMX',
  defaultProfile: 'DEV-NN-HSMX',
  defaultRegion: 'eu-central-1',
  lookups: true,
  'ignore-errors': false,
  ignoreErrors: false,
  json: false,
  j: false,
  debug: false,
  ec2creds: undefined,
  i: undefined,
  'version-reporting': undefined,
  versionReporting: undefined,
  'path-metadata': true,
  pathMetadata: true,
  'asset-metadata': true,
  assetMetadata: true,
  'role-arn': undefined,
  r: undefined,
  roleArn: undefined,
  staging: true,
  'no-color': false,
  noColor: false,
  ci: false,
  all: false,
  'build-exclude': [],
  E: [],
  buildExclude: [],
  execute: true,
  force: false,
  f: false,
  parameters: [ {} ],
  'previous-parameters': true,
  previousParameters: true,
  logs: true,
  '$0': '/home/vscode/.local/state/fnm_multishells/216_1658735050827/bin/cdk'
}
cdk.json: {
  "app": "npx ts-node --prefer-ts-exts bin/cdk-demo.ts",
  "watch": {
    "include": [
      "**"
    ],
    "exclude": [
      "README.md",
      "cdk*.json",
      "**/*.d.ts",
      "**/*.js",
      "tsconfig.json",
      "package*.json",
      "yarn.lock",
      "node_modules",
      "test"
    ]
  },
  "context": {
    "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": true,
    "@aws-cdk/core:stackRelativeExports": true,
    "@aws-cdk/aws-rds:lowercaseDbIdentifier": true,
    "@aws-cdk/aws-lambda:recognizeVersionProps": true,
    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
    "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": true,
    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
    "@aws-cdk/core:checkSecretUsage": true,
    "@aws-cdk/aws-iam:minimizePolicies": true,
    "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
    "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
    "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
    "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
    "@aws-cdk/core:target-partitions": [
      "aws",
      "aws-cn"
    ]
  }
}
merged settings: {
  versionReporting: true,
  pathMetadata: true,
  output: 'cdk.out',
  app: 'npx ts-node --prefer-ts-exts bin/cdk-demo.ts',
  watch: {
    include: [ '**' ],
    exclude: [
      'README.md',
      'cdk*.json',
      '**/*.d.ts',
      '**/*.js',
      'tsconfig.json',
      'package*.json',
      'yarn.lock',
      'node_modules',
      'test'
    ]
  },
  context: {
    '@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId': true,
    '@aws-cdk/core:stackRelativeExports': true,
    '@aws-cdk/aws-rds:lowercaseDbIdentifier': true,
    '@aws-cdk/aws-lambda:recognizeVersionProps': true,
    '@aws-cdk/aws-lambda:recognizeLayerVersion': true,
    '@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021': true,
    '@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver': true,
    '@aws-cdk/aws-ec2:uniqueImdsv2TemplateName': true,
    '@aws-cdk/core:checkSecretUsage': true,
    '@aws-cdk/aws-iam:minimizePolicies': true,
    '@aws-cdk/core:validateSnapshotRemovalPolicy': true,
    '@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName': true,
    '@aws-cdk/aws-s3:createDefaultLoggingPolicy': true,
    '@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption': true,
    '@aws-cdk/core:target-partitions': [ 'aws', 'aws-cn' ]
  },
  debug: false,
  assetMetadata: true,
  profile: 'DEV-NN-HSMX',
  toolkitBucket: {},
  staging: true,
  bundlingStacks: [ '*' ],
  lookups: true
}
Using CA bundle path: /home/vscode/certs/cacert.pem
Toolkit stack: CDKToolkit
Setting "CDK_DEFAULT_REGION" environment variable to eu-central-1
Resolving default credentials
Could not refresh notices: Error: unable to get local issuer certificate
Unable to determine the default AWS account: ProcessCredentialsProviderFailure: Profile DEV-NN-HSMX did not include credential process
    at ProcessCredentials2.load (/home/vscode/.local/share/fnm/node-versions/v16.16.0/installation/lib/node_modules/aws-sdk/lib/credentials/process_credentials.js:102:11)
    at ProcessCredentials2.coalesceRefresh (/home/vscode/.local/share/fnm/node-versions/v16.16.0/installation/lib/node_modules/aws-sdk/lib/credentials.js:205:12)
    at ProcessCredentials2.refresh (/home/vscode/.local/share/fnm/node-versions/v16.16.0/installation/lib/node_modules/aws-sdk/lib/credentials/process_credentials.js:163:10)
    at ProcessCredentials2.get2 [as get] (/home/vscode/.local/share/fnm/node-versions/v16.16.0/installation/lib/node_modules/aws-sdk/lib/credentials.js:122:12)
    at resolveNext2 (/home/vscode/.local/share/fnm/node-versions/v16.16.0/installation/lib/node_modules/aws-sdk/lib/credentials/credential_provider_chain.js:125:17)
    at /home/vscode/.local/share/fnm/node-versions/v16.16.0/installation/lib/node_modules/aws-sdk/lib/credentials/credential_provider_chain.js:126:13
    at /home/vscode/.local/share/fnm/node-versions/v16.16.0/installation/lib/node_modules/aws-sdk/lib/credentials.js:124:23
    at /home/vscode/.local/share/fnm/node-versions/v16.16.0/installation/lib/node_modules/aws-sdk/lib/credentials.js:212:15
    at processTicksAndRejections (node:internal/process/task_queues:78:11) {
  code: 'ProcessCredentialsProviderFailure',
  time: 2022-07-25T15:01:41.645Z
}
context: {
  '@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId': true,
  '@aws-cdk/core:stackRelativeExports': true,
  '@aws-cdk/aws-rds:lowercaseDbIdentifier': true,
  '@aws-cdk/aws-lambda:recognizeVersionProps': true,
  '@aws-cdk/aws-lambda:recognizeLayerVersion': true,
  '@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021': true,
  '@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver': true,
  '@aws-cdk/aws-ec2:uniqueImdsv2TemplateName': true,
  '@aws-cdk/core:checkSecretUsage': true,
  '@aws-cdk/aws-iam:minimizePolicies': true,
  '@aws-cdk/core:validateSnapshotRemovalPolicy': true,
  '@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName': true,
  '@aws-cdk/aws-s3:createDefaultLoggingPolicy': true,
  '@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption': true,
  '@aws-cdk/core:target-partitions': [ 'aws', 'aws-cn' ],
  'aws:cdk:enable-path-metadata': true,
  'aws:cdk:enable-asset-metadata': true,
  'aws:cdk:version-reporting': true,
  'aws:cdk:bundling-stacks': [ '*' ]
}
outdir: cdk.out
env: {
  CDK_DEFAULT_REGION: 'eu-central-1',
  CDK_CONTEXT_JSON: '{"@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId":true,"@aws-cdk/core:stackRelativeExports":true,"@aws-cdk/aws-rds:lowercaseDbIdentifier":true,"@aws-cdk/aws-lambda:recognizeVersionProps":true,"@aws-cdk/aws-lambda:recognizeLayerVersion":true,"@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021":true,"@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver":true,"@aws-cdk/aws-ec2:uniqueImdsv2TemplateName":true,"@aws-cdk/core:checkSecretUsage":true,"@aws-cdk/aws-iam:minimizePolicies":true,"@aws-cdk/core:validateSnapshotRemovalPolicy":true,"@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName":true,"@aws-cdk/aws-s3:createDefaultLoggingPolicy":true,"@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption":true,"@aws-cdk/core:target-partitions":["aws","aws-cn"],"aws:cdk:enable-path-metadata":true,"aws:cdk:enable-asset-metadata":true,"aws:cdk:version-reporting":true,"aws:cdk:bundling-stacks":["*"]}',
  CDK_OUTDIR: 'cdk.out',
  CDK_CLI_ASM_VERSION: '20.0.0',
  CDK_CLI_VERSION: '2.33.0'
}

✨  Synthesis time: 4.54s

Reading existing template for stack CdkDemoStack.
Reading cached notices from /home/vscode/.cdk/cache/notices.json

Unable to resolve AWS account to use. It must be either configured when you define your CDK Stack, or through the environment
Error: Unable to resolve AWS account to use. It must be either configured when you define your CDK Stack, or through the environment
    at SdkProvider.resolveEnvironment (/home/vscode/.local/share/fnm/node-versions/v16.16.0/installation/lib/node_modules/aws-cdk/lib/api/aws-auth/sdk-provider.ts:238:13)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at CloudFormationDeployments.prepareSdkFor (/home/vscode/.local/share/fnm/node-versions/v16.16.0/installation/lib/node_modules/aws-cdk/lib/api/cloudformation-deployments.ts:432:33)

Stack trace outside corp network with no $AWS_CA_BUNDLE enabled:

cdk deploy --trace --verbose --profile "SSO-TEST"
CDK toolkit version: 2.33.0 (build 859272d)
Command line arguments: {
  _: [ 'deploy' ],
  trace: true,
  verbose: 1,
  v: 1,
  profile: 'SSO-TEST',
  lookups: true,
  'ignore-errors': false,
  ignoreErrors: false,
  json: false,
  j: false,
  debug: false,
  ec2creds: undefined,
  i: undefined,
  'version-reporting': undefined,
  versionReporting: undefined,
  'path-metadata': true,
  pathMetadata: true,
  'asset-metadata': true,
  assetMetadata: true,
  'role-arn': undefined,
  r: undefined,
  roleArn: undefined,
  staging: true,
  'no-color': false,
  noColor: false,
  ci: false,
  all: false,
  'build-exclude': [],
  E: [],
  buildExclude: [],
  execute: true,
  force: false,
  f: false,
  parameters: [ {} ],
  'previous-parameters': true,
  previousParameters: true,
  logs: true,
  '$0': '/home/vscode/.local/state/fnm_multishells/11098_1658826763957/bin/cdk'
}
cdk.json: {
  "app": "npx ts-node --prefer-ts-exts bin/environment-agnostic.ts",
  "watch": {
    "include": [
      "**"
    ],
    "exclude": [
      "README.md",
      "cdk*.json",
      "**/*.d.ts",
      "**/*.js",
      "tsconfig.json",
      "package*.json",
      "yarn.lock",
      "node_modules",
      "test"
    ]
  },
  "context": {
    "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": true,
    "@aws-cdk/core:stackRelativeExports": true,
    "@aws-cdk/aws-rds:lowercaseDbIdentifier": true,
    "@aws-cdk/aws-lambda:recognizeVersionProps": true,
    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
    "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": true,
    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
    "@aws-cdk/core:checkSecretUsage": true,
    "@aws-cdk/aws-iam:minimizePolicies": true,
    "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
    "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
    "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
    "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
    "@aws-cdk/core:target-partitions": [
      "aws",
      "aws-cn"
    ]
  }
}
merged settings: {
  versionReporting: true,
  pathMetadata: true,
  output: 'cdk.out',
  app: 'npx ts-node --prefer-ts-exts bin/environment-agnostic.ts',
  watch: {
    include: [ '**' ],
    exclude: [
      'README.md',
      'cdk*.json',
      '**/*.d.ts',
      '**/*.js',
      'tsconfig.json',
      'package*.json',
      'yarn.lock',
      'node_modules',
      'test'
    ]
  },
  context: {
    '@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId': true,
    '@aws-cdk/core:stackRelativeExports': true,
    '@aws-cdk/aws-rds:lowercaseDbIdentifier': true,
    '@aws-cdk/aws-lambda:recognizeVersionProps': true,
    '@aws-cdk/aws-lambda:recognizeLayerVersion': true,
    '@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021': true,
    '@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver': true,
    '@aws-cdk/aws-ec2:uniqueImdsv2TemplateName': true,
    '@aws-cdk/core:checkSecretUsage': true,
    '@aws-cdk/aws-iam:minimizePolicies': true,
    '@aws-cdk/core:validateSnapshotRemovalPolicy': true,
    '@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName': true,
    '@aws-cdk/aws-s3:createDefaultLoggingPolicy': true,
    '@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption': true,
    '@aws-cdk/core:target-partitions': [ 'aws', 'aws-cn' ]
  },
  debug: false,
  assetMetadata: true,
  profile: 'SSO-TEST',
  toolkitBucket: {},
  staging: true,
  bundlingStacks: [ '*' ],
  lookups: true
}
Toolkit stack: CDKToolkit
Setting "CDK_DEFAULT_REGION" environment variable to eu-central-1
Resolving default credentials
Could not refresh notices: Error: unable to get local issuer certificate
Looking up default account ID from STS
Default account ID: 839855704449
Setting "CDK_DEFAULT_ACCOUNT" environment variable to 839855704449
context: {
  '@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId': true,
  '@aws-cdk/core:stackRelativeExports': true,
  '@aws-cdk/aws-rds:lowercaseDbIdentifier': true,
  '@aws-cdk/aws-lambda:recognizeVersionProps': true,
  '@aws-cdk/aws-lambda:recognizeLayerVersion': true,
  '@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021': true,
  '@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver': true,
  '@aws-cdk/aws-ec2:uniqueImdsv2TemplateName': true,
  '@aws-cdk/core:checkSecretUsage': true,
  '@aws-cdk/aws-iam:minimizePolicies': true,
  '@aws-cdk/core:validateSnapshotRemovalPolicy': true,
  '@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName': true,
  '@aws-cdk/aws-s3:createDefaultLoggingPolicy': true,
  '@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption': true,
  '@aws-cdk/core:target-partitions': [ 'aws', 'aws-cn' ],
  'aws:cdk:enable-path-metadata': true,
  'aws:cdk:enable-asset-metadata': true,
  'aws:cdk:version-reporting': true,
  'aws:cdk:bundling-stacks': [ '*' ]
}
outdir: cdk.out
env: {
  CDK_DEFAULT_REGION: 'eu-central-1',
  CDK_DEFAULT_ACCOUNT: '839855704449',
  CDK_CONTEXT_JSON: '{"@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId":true,"@aws-cdk/core:stackRelativeExports":true,"@aws-cdk/aws-rds:lowercaseDbIdentifier":true,"@aws-cdk/aws-lambda:recognizeVersionProps":true,"@aws-cdk/aws-lambda:recognizeLayerVersion":true,"@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021":true,"@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver":true,"@aws-cdk/aws-ec2:uniqueImdsv2TemplateName":true,"@aws-cdk/core:checkSecretUsage":true,"@aws-cdk/aws-iam:minimizePolicies":true,"@aws-cdk/core:validateSnapshotRemovalPolicy":true,"@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName":true,"@aws-cdk/aws-s3:createDefaultLoggingPolicy":true,"@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption":true,"@aws-cdk/core:target-partitions":["aws","aws-cn"],"aws:cdk:enable-path-metadata":true,"aws:cdk:enable-asset-metadata":true,"aws:cdk:version-reporting":true,"aws:cdk:bundling-stacks":["*"]}',
  CDK_OUTDIR: 'cdk.out',
  CDK_CLI_ASM_VERSION: '20.0.0',
  CDK_CLI_VERSION: '2.33.0'
}

✨  Synthesis time: 4.11s

Reading existing template for stack EnvironmentAgnosticStack.
Retrieved account ID 839855704449 from disk cache
Assuming role 'arn:aws:iam::839855704449:role/cdk-hnb659fds-lookup-role-839855704449-eu-central-1'.
EnvironmentAgnosticStack: deploying...
Retrieved account ID 839855704449 from disk cache
Assuming role 'arn:aws:iam::839855704449:role/cdk-hnb659fds-deploy-role-839855704449-eu-central-1'.
Waiting for stack CDKToolkit to finish creating or updating...
[0%] start: Publishing 762fd8cb7424e5a48da3d769914c60650e01c9062da765e20cb8fb81bc42f80c:current_account-current_region
Retrieved account ID 839855704449 from disk cache
Assuming role 'arn:aws:iam::839855704449:role/cdk-hnb659fds-file-publishing-role-839855704449-eu-central-1'.
[0%] check: Check s3://cdk-hnb659fds-assets-839855704449-eu-central-1/762fd8cb7424e5a48da3d769914c60650e01c9062da765e20cb8fb81bc42f80c.json
[0%] found: Found s3://cdk-hnb659fds-assets-839855704449-eu-central-1/762fd8cb7424e5a48da3d769914c60650e01c9062da765e20cb8fb81bc42f80c.json
[100%] success: Published 762fd8cb7424e5a48da3d769914c60650e01c9062da765e20cb8fb81bc42f80c:current_account-current_region
EnvironmentAgnosticStack: checking if we can skip deploy
EnvironmentAgnosticStack: skipping deployment (use --force to override)

 ✅  EnvironmentAgnosticStack (no changes)

✨  Deployment time: 1.35s

Stack ARN:
arn:aws:cloudformation:eu-central-1:839855704449:stack/EnvironmentAgnosticStack/26525de0-0ccb-11ed-a083-0a091db4a608

✨  Total time: 5.46s

Reading cached notices from /home/vscode/.cdk/cache/notices.json
@HenrikStanley HenrikStanley added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jul 26, 2022
@github-actions github-actions bot added the package/tools Related to AWS CDK Tools or CLI label Jul 26, 2022
@HenrikStanley HenrikStanley mentioned this issue Jul 26, 2022
Closed
@rix0rrr rix0rrr added effort/medium Medium work item – several days of effort p1 and removed needs-triage This issue or PR still needs to be triaged. labels Sep 2, 2022
@rix0rrr rix0rrr removed their assignment Sep 2, 2022
@rix0rrr
Copy link
Contributor

rix0rrr commented Sep 2, 2022

Right now, HTTP options like proxy and cacerts apply to specific SDK instances we create:

aws-cdk/packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts

Line 144 in 5a3db2d

httpOptions: sdkOptions.httpOptions,

However, to do SSO calls the credential provider creates a new instance which doesn't have these HTTP options applied:

https://github.com/aws/aws-sdk-js/blob/7888e6fa7f0e7c02d7bd4432f865cb9a7258b3ff/lib/credentials/sso_credentials.js#L133

That code should have been written to match the AssumeRole code, taking and copying httpOptions:

https://github.com/aws/aws-sdk-js/blob/7888e6fa7f0e7c02d7bd4432f865cb9a7258b3ff/lib/credentials/shared_ini_file_credentials.js#L242-L246

We can also globally configure the HTTP options instead of per-instance. That will probably break the tests.

@rix0rrr rix0rrr mentioned this issue Sep 2, 2022
Closed
@rix0rrr
Copy link
Contributor

rix0rrr commented Sep 2, 2022

Contingent on this being fixed first: aws/aws-sdk-js#4195

@comcalvi comcalvi mentioned this issue Sep 19, 2022
Merged
4 tasks
@mergify mergify bot closed this as completed in #22115 Sep 28, 2022
mergify bot pushed a commit that referenced this issue Sep 28, 2022
@comcalvi
fix(cli): SSO credentials do not work when using a proxy (#22115)
c425e8c 
Passes `httpOptions` through to the SDK, which now recognizes `httpOptions`. Enables SSO to work with proxies. 

This was tested manually.

Fixes #21328. 

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

hacker65536 pushed a commit to hacker65536/aws-cdk that referenced this issue Sep 30, 2022
@comcalvi @hacker65536
fix(cli): SSO credentials do not work when using a proxy (aws#22115)
f7cd75e 
Passes `httpOptions` through to the SDK, which now recognizes `httpOptions`. Enables SSO to work with proxies. 

This was tested manually.

Fixes aws#21328. 

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
homakk pushed a commit to homakk/aws-cdk that referenced this issue Dec 1, 2022
@comcalvi @madeline-k
fix(cli): SSO credentials do not work when using a proxy (aws#22115)
da0a8e3 
Passes `httpOptions` through to the SDK, which now recognizes `httpOptions`. Enables SSO to work with proxies. 

This was tested manually.

Fixes aws#21328. 

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@kjluedke kjluedke mentioned this issue Jan 19, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug This issue is a bug. effort/medium Medium work item – several days of effort p1 package/tools Related to AWS CDK Tools or CLI
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(cli): SSO credentials do not work when using a proxy comcalvi/aws-cdk
2 participants
@rix0rrr @HenrikStanley