Support OIDC Web Identity Token File as a means of picking up credentials

[exussum12]

Describe the bug

When using OIDC as the following

aws configure set web_identity_token_file ${AWS_WEB_IDENTITY_TOKEN_FILE}

aws CLI commands work for example aws sts get-caller-identity

but CDK does not correctly pick this up from the profile and needs to be manually set as env vars to be picked up

I would have expected the CLI behaviour to match CDK

Expected Behavior

when using oidc, aws-cli works, cdk should work in the same way

Current Behavior

cdk misses the credentials and carries on down the chain

Reproduction Steps

This can be reproduced on bitbucket (or any provider with OIDC installed)

bitbucket pipeline example
oidc: true
script:
- export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
- echo $BITBUCKET_STEP_OIDC_TOKEN > $AWS_WEB_IDENTITY_TOKEN_FILE
- chmod 400 ${AWS_WEB_IDENTITY_TOKEN_FILE}
- aws configure set web_identity_token_file ${AWS_WEB_IDENTITY_TOKEN_FILE}
- aws sts get-caller-identity
- npx run cdk deploy

Possible Solution

No response

Additional Information/Context

No response

SDK version used

2.85.0

Environment details (OS name and version, etc.)

Bitbucket

[peterwoodworth]

What error message are you receiving?

[github-actions]

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

[exussum12]

@peterwoodworth As its running on bitbucket, they appear to use EC2. The error message is around not being able to get permissions for the account (expected as the EC2 would be theirs not ours). Changing the env variables to match

aws-cdk/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts

Line 170 in 2462b0b

return Boolean(process.env.AWS_ROLE_ARN && process.env.AWS_WEB_IDENTITY_TOKEN_FILE);

Works. but this should be picked up before that point (specifically here

aws-cdk/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts

Line 52 in 2462b0b

...iniFileCredentialFactories(implicitProfile, options.httpOptions),

)

[peterwoodworth]

The specific error message would be helpful in knowing how / if I'm reproducing the same behavior

[exussum12]

 ❌ Deployment failed: Error: Need to perform AWS calls for account xxxxxx, but no credentials have been configured
    at SdkProvider.forEnvironment (/opt/atlassian/pipelines/agent/build/node_modules/aws-cdk/lib/index.js:325:46159)
    at async Deployments.cachedSdkForEnvironment (/opt/atlassian/pipelines/agent/build/node_modules/aws-cdk/lib/index.js:415:12792)
    at async Deployments.prepareSdkFor (/opt/atlassian/pipelines/agent/build/node_modules/aws-cdk/lib/index.js:415:7866)
    at async Deployments.isSingleAssetPublished (/opt/atlassian/pipelines/agent/build/node_modules/aws-cdk/lib/index.js:415:11963)
    at async /opt/atlassian/pipelines/agent/build/node_modules/aws-cdk/lib/index.js:415:139187
Need to perform AWS calls for account xxxxxx, but no credentials have been configured

With verbose

[00:28:07] Determining if we're on an EC2 instance.
[00:28:07] Looks like an EC2 instance.
[00:28:07] Toolkit stack: CDKToolkit
[00:28:07] Setting "CDK_DEFAULT_REGION" environment variable to ap-southeast-2
[00:28:07] Resolving default credentials
[00:28:07] Notices refreshed
[00:28:07] Failed to store notices in the cache: Error: ENOENT: no such file or directory, open '/root/.cdk/cache/notices.json'
[00:28:15] Unable to determine the default AWS account (TimeoutError): EC2 Metadata roleName request returned error

Both of those example above aws sts get-caller-identity returns as expected

[peterwoodworth]

We don't currently support this - We rely on the SDKs, and they take some different calls to be able to use this feature that I don't think we've set up. This is possible in both JS v2 and v3 SDKs.

[exussum12]

The v3 looks like it supports it

https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-credential-providers/#profile-with-webidentitytokenfile

[peterwoodworth]

That's the same page I linked 🙂

[mpashkovskiy]

I spent several days fighting with the same issue 🤦‍♂️ .

First of the all AWS_ROLE_ARN should be defined. But that's not all! AWS_REGION, it is the lack of AWS_REGION that was the main issue for me.

That's a working snippet:

image: node:16.3.0
pipelines:
  branches:
    main:
      - step:
          name: Deployment
          oidc: true
          script:
              - export AWS_REGION=...
              - export AWS_ROLE_ARN=....
              - export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
              - echo $BITBUCKET_STEP_OIDC_TOKEN > $AWS_WEB_IDENTITY_TOKEN_FILE
              - aws sts get-caller-identity
              - npx run cdk deploy

You don't even need chmod and aws configure lines.

[rumesh-athu]

I spent several days fighting with the same issue 🤦‍♂️ .

First of the all AWS_ROLE_ARN should be defined. But that's not all! AWS_REGION, it is the lack of AWS_REGION that was the main issue for me.

That's a working snippet:

image: node:16.3.0
pipelines:
  branches:
    main:
      - step:
          name: Deployment
          oidc: true
          script:
              - export AWS_REGION=...
              - export AWS_ROLE_ARN=....
              - export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
              - echo $BITBUCKET_STEP_OIDC_TOKEN > $AWS_WEB_IDENTITY_TOKEN_FILE
              - aws sts get-caller-identity
              - npx run cdk deploy

You don't even need chmod and aws configure lines.

Thank you @mpashkovskiy
Export the AWS_REGION was resolved my issue as well

[TheRealAmazonKendra]

This support will be added as soon as #31702 is merged.

[dytyniuk]

Hi @TheRealAmazonKendra 👋

I dropped by to confirm one of the missing cases you originally mentioned in #31702 - the use of Web Identity Token.
In short: it works like a charm ✨

Zooming in:

• we use gitlab.com for VCS and CI/CD
• we have group-level (organisation) CI runners
• Gitlab is added as a trusted OIDC identity provider to our AWS account(s)
• CI job has:
  • Gitlab's ID token configured with a proper audience
  • AWS_ROLE_ARN environment variable with the desired role's ARN
  • AWS_REGION environment variable pointing to a desired region
  • The ID token is saved into a $AWS_WEB_IDENTITY_TOKEN_FILE

A simplified configuration looks as follows:

variables:
  AWS_REGION: eu-central-1
  AWS_ROLE_ARN: arn:aws:iam::123456789012:role/RoleName
  AWS_WEB_IDENTITY_TOKEN_FILE: /tmp/token

default:
  image: node:22-alpine3.20
  id_tokens:
    JOB_TOKEN:
      aud: 'sts.amazonaws.com'
  before_script:
    - echo $JOB_TOKEN > $AWS_WEB_IDENTITY_TOKEN_FILE
    - npm install --include dev
    
stack-diff:
  script:
    - cdk diff --ci

Thank you very much for the upgrade! It simplifies credentials supply a lot!

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.