hupe1980 / cdk-multi-profile-plugin
Adds multi profile/account, mfa and aws sso support to cdk apps
License: MIT License
It's easy to include the #/ ending on the sso url (i.e. https://MYORG.awsapps.com/start#/) when configuring sso in aws, and it's not clear from any error message what's wrong (you'll get "Current cached SSO login is expired or invalid"). Perhaps we could allow for this difference?
Is it possible to add the arn of a CloudFormation service role? It would be nice not to have to explicitly specify this for each account.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html
When working in a team, currently every team member has to sync their local AWS profile names or the profile configuration has to be edited before running CDK.
A better approach could be some kind of precedence resolver.
My suggestion for precedence would be:
1. ~/.cdkmultiprofileplugin.json
2. package.json
for mapping.
To not break backward compatibility, first the profile is looked up in ~/.cdkmultiprofileplugin.json. If no mapped account is found then the local package.json will be used for looking up a mapping.
As a result, there can be a team configuration in package.json and it can be overridden locally by every team member.
Currently I'm working on this issue at https://github.com/vondeetzen/cdk-multi-profile-plugin
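The lookup order suggested in the issue above, written out as an added example; it is not code from the issue or from the plugin. It assumes both files carry the same `awsProfiles` object shown elsewhere on this page; the names `resolveProfile`, `MappingSource` and `shadowed` are hypothetical, and the `my-dev` override is constructed sample data.

```typescript
// Added example; not the plugin's code. Assumption: every source carries the
// same "awsProfiles" object (account id -> AWS CLI profile) shown on this page.
type ProfileMap = Record<string, string>;

interface MappingSource {
  name: string;             // file the mapping was read from
  awsProfiles?: ProfileMap; // absent when the file defines no mapping
}

interface Resolution {
  profile: string;
  source: string;     // source that supplied the winning mapping
  shadowed: string[]; // lower-precedence sources naming a different profile
}

// Returns the profile a single source maps the account to, if any.
function lookup(src: MappingSource, accountId: string): string | undefined {
  const map = src.awsProfiles;
  if (!map || !Object.prototype.hasOwnProperty.call(map, accountId)) return undefined;
  const profile = map[accountId];
  if (typeof profile !== "string" || profile.trim() === "") {
    throw new Error(`${src.name}: invalid profile for account ${accountId}`);
  }
  return profile;
}

// `sources` is ordered from highest to lowest precedence.
function resolveProfile(accountId: string, sources: MappingSource[]): Resolution | undefined {
  if (!/^\d+$/.test(accountId)) throw new Error(`not an account id: ${accountId}`);
  let result: Resolution | undefined;
  for (const src of sources) {
    const profile = lookup(src, accountId);
    if (profile === undefined) continue;
    if (!result) result = { profile, source: src.name, shadowed: [] };
    else if (profile !== result.profile) result.shadowed.push(src.name);
  }
  return result;
}

// Constructed sample data: a personal override first, then the team mapping.
const SAMPLE_SOURCES: MappingSource[] = [
  { name: "~/.cdkmultiprofileplugin.json", awsProfiles: { "112233445566": "my-dev" } },
  { name: "package.json", awsProfiles: { "112233445566": "dev-mfa", "111222333444": "mfa-profile" } },
];
```

A non-empty `shadowed` list is worth logging, since it means a local file is steering that account to different credentials than the team configuration.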
The plugin apparently no longer works with CDK 1.51.0 onwards.
cdk.json:
{
  "app": "npx ts-node bin/infra.ts",
  "context": {
    "@aws-cdk/core:enableStackNameDuplicates": true,
    "aws-cdk:enableDiffNoFail": true,
    "@aws-cdk/core:newStyleStackSynthesis": true
  },
  "plugin": ["cdk-multi-profile-plugin"]
}
cdkmultiprofileplugin.json:
{
  "awsProfiles": {
    "1111111111": "1111111111_AWSAdministratorAccess",
    "2222222222": "2222222222_AWSAdministratorAccess",
    "3333333333": "3333333333_AWSAdministratorAccess",
    "4444444444": "4444444444_AWSAdministratorAccess"
  }
}
Running yarn cdk deploy PipelineStack fails with the message:
$ cdk deploy PipelineStack
Using profile 1111111111_AWSAdministratorAccess for account 1111111111 in mode ForReading
Could not assume role in target account (did you bootstrap the environment with the right '--trust's?): The security token included in the request is invalid
error Command failed with exit code 1.
Specifying --profile manually works without any issues:
yarn cdk deploy PipelineStack --profile 1111111111_AWSAdministratorAccess
Credentials fail when attempting to create a VPC
Step by step:
Create and add a network stack (see below) to your AWS CDK app:
import { Construct, Stack, StackProps } from '@aws-cdk/core';
import { SubnetType, Vpc } from '@aws-cdk/aws-ec2';

export class NetworkStack extends Stack {
  public readonly vpc: Vpc;

  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    this.vpc = new Vpc(this, 'VPC', {
      subnetConfiguration: [{
        name: 'Isolated',
        cidrMask: 24,
        subnetType: SubnetType.ISOLATED,
      }]
    });
  }
}
Build and deploy:
$ npm run build
$ npx cdk synth
Expected result
The AWS CDK should deploy the app and create a new VPC
Actual result
[Error at network-stack] Need to perform AWS calls for account 112233445566, but no credentials found. Tried: default credentials.
package.json excerpt:
{
  "name": "my-app-with-vpc",
  "private": true,
  "bin": {
    "cdk": "bin/cdk.js"
  },
  "scripts": {
    "build": "tsc"
  },
  "devDependencies": {
    "@aws-cdk/aws-ec2": "^1.23.0",
    "@aws-cdk/core": "^1.23.0",
    "cdk-multi-profile-plugin": "^1.1.2",
    "ts-node": "^8.1.0",
    "typescript": "~3.7.2"
  }
}
cdkmultiprofileplugin.json excerpt:
{
  "awsProfiles": {
    "112233445566": "dev-mfa"
  }
}
Where dev-mfa is the AWS CLI profile that is configured (in ~/.aws/config) to access the AWS development account if MFA is provided.
Comment
This setup works when deploying stacks with other resources, such as Lambda functions, S3 buckets, DynamoDB tables, etc.
After starting a new project from scratch (using cdk init) and then adding the cdk-multi-profile-plugin, the npx cdk deploy command fails:
Unable to load cdk-multi-profile-plugin: Error: Cannot find module 'aws-sdk'
Require stack:
- /Users/user/Projects/cdk-test/node_modules/cdk-multi-profile-plugin/lib/ini-file-credential-provider-source.js
- /Users/user/Projects/cdk-test/node_modules/cdk-multi-profile-plugin/lib/multi-profile-plugin.js
- /Users/user/Projects/cdk-test/node_modules/cdk-multi-profile-plugin/lib/index.js
- /Users/user/Projects/cdk-test/node_modules/aws-cdk/lib/plugin.js
[capped]
Adding the aws-sdk as a dependency to the test project solves the problem, but since it is required by the cdk-multi-profile-plugin it could be added as a dependency to the plugin as well.
cdk-multi-profile-plugin version: 1.1.3
When running cdk synth I get the error:
Unable to resolve plugin cdk-multi-profile-plugin: Error: Cannot find module 'cdk-multi-profile-plugin'
Require stack:
- /Users/username/.nvm/versions/node/v12.16.1/lib/node_modules/aws-cdk/bin/cdk.js
- /Users/username/.nvm/versions/node/v12.16.1/lib/node_modules/aws-cdk/bin/cdk
    at Function.Module._resolveFilename (internal/modules/cjs/loader.js:982:15)
    at Function.resolve (internal/modules/cjs/helpers.js:83:19)
    at tryResolve (/Users/username/.nvm/versions/node/v12.16.1/lib/node_modules/aws-cdk/bin/cdk.ts:150:24)
    at loadPlugins (/Users/username/.nvm/versions/node/v12.16.1/lib/node_modules/aws-cdk/bin/cdk.ts:140:26)
    at initCommandLine (/Users/username/.nvm/versions/node/v12.16.1/lib/node_modules/aws-cdk/bin/cdk.ts:158:3)
Unable to resolve plug-in: cdk-multi-profile-plugin
I followed the documentation of this plugin.
I'm using version 1.27 of aws-cdk. Not sure if the error is related to this plugin or aws-cdk.
After updating the AWS CDK to version 1.30.0 (or 1.29.0), it is no longer possible to deploy stacks with assets if the AWS CLI profile has been configured with MFA authentication.
Consider the following files:
bin/test.ts
#!/usr/bin/env node
import * as cdk from '@aws-cdk/core';
import { LambdaIntegration, RestApi } from '@aws-cdk/aws-apigateway';
import { Function, InlineCode, Runtime } from '@aws-cdk/aws-lambda';
import { RetentionDays } from '@aws-cdk/aws-logs';

class TestStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const lambda = new Function(this, 'Lambda', {
      runtime: Runtime.NODEJS_12_X,
      code: new InlineCode('exports.handler = function(event, ctx, cb) { return cb(null, "hi"); }'),
      handler: 'index.handler',
      logRetention: RetentionDays.ONE_DAY,
    });
    const restApi = new RestApi(this, 'RestApi');
    restApi.root.addMethod('GET', new LambdaIntegration(lambda), {
    });
  }
}

const app = new cdk.App();
new TestStack(app, 'TestStack', {
  env: {
    account: '111222333444',
    region: 'eu-west-1',
  },
});
cdk.json
{
  "app": "npx ts-node bin/test.ts",
  "plugin": ["cdk-multi-profile-plugin"]
}
cdkmultiprofileplugin.json
{
  "awsProfiles": {
    "111222333444": "mfa-profile"
  }
}
package.json
{
  "name": "test",
  "version": "0.1.0",
  "bin": {
    "test": "bin/test.js"
  },
  "scripts": {
    "build": "tsc",
    "watch": "tsc -w",
    "test": "jest",
    "cdk": "cdk"
  },
  "devDependencies": {
    "@aws-cdk/aws-apigateway": "^1.30.0",
    "@aws-cdk/aws-lambda": "^1.30.0",
    "@aws-cdk/core": "1.30.0",
    "@types/jest": "^24.0.22",
    "@types/node": "10.17.5",
    "aws-cdk": "1.30.0",
    "cdk-multi-profile-plugin": "^1.1.2",
    "jest": "^24.9.0",
    "ts-jest": "^24.1.0",
    "ts-node": "^8.1.0",
    "typescript": "~3.7.2"
  }
}
Using CDK version 1.28.0 (or lower) it was possible to deploy this stack. However, after the upgrade it fails:
$ npm run build && npx cdk deploy
> test@0.1.0 build /Users/mattias/Projects/Bombardier/test
> tsc
Using profile mfa-profile for account 111222333444 in mode ForReading
? MFA token for arn:aws:iam::111222333444:mfa/some-user: 492769
Do you wish to deploy these changes (y/n)? y
TestStack: deploying...
Using profile mfa-profile for account 111222333444 in mode ForWriting
[0%] start: Publishing [random string]:current
[100%] fail: AWS credentials are required to upload assets. Please configure environment variables or ~/.aws/credentials.
TestStack failed: Error: Failed to publish one or more assets. See the error messages above for more information.
    at Object.publishAssets (/Users/test/node_modules/aws-cdk/lib/util/asset-publishing.ts:18:11)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
    at Object.deployStack (/Users/test/node_modules/aws-cdk/lib/api/deploy-stack.ts:132:3)
    at CdkToolkit.deploy (/Users/test/node_modules/aws-cdk/lib/cdk-toolkit.ts:152:24)
    at main (/Users/test/node_modules/aws-cdk/bin/cdk.ts:229:16)
    at initCommandLine (/Users/test/node_modules/aws-cdk/bin/cdk.ts:172:9)
Failed to publish one or more assets. See the error messages above for more information.
Hi,
I can remember that I was using this plugin a year ago already. While it wasn't possible to specify the account-Id/Name relation it was possible to use cross account references. Now with CDK version 1.46.0 I'm getting this error. I guess this is something that CDK introduced in the meantime. For me this is the only reason to use this plugin. Since you are more into CDK code I guess: Do you have an idea how to get around this?
Thanks for that awesome plugin!
Unfortunately it doesn't seem to work anymore with recent versions of CDK v2 RC (at least 2.0.0-rc.20).
It seems like some exports aren't available anymore.
After changing some imports the plugin works again.
Error:
Unable to load cdk-multi-profile-plugin: Error: Cannot find module 'aws-cdk'
Require stack:
- /PATHTOREPO/node_modules/cdk-multi-profile-plugin/lib/ini-file-credential-provider-source.js
- /PATHTOREPO/node_modules/cdk-multi-profile-plugin/lib/multi-profile-plugin.js
- /PATHTOREPO/node_modules/cdk-multi-profile-plugin/lib/index.js
- /PATHTOREPO/node_modules/aws-cdk/lib/plugin.js
- /PATHTOREPO/node_modules/aws-cdk/lib/api/aws-auth/credential-plugins.js
- /PATHTOREPO/node_modules/aws-cdk/lib/api/aws-auth/sdk-provider.js
- /PATHTOREPO/node_modules/aws-cdk/lib/api/aws-auth/index.js
- /PATHTOREPO/node_modules/aws-cdk/bin/cdk.js
- /PATHTOREPO/node_modules/aws-cdk/bin/cdk
    at Function.Module._resolveFilename (node:internal/modules/cjs/loader:933:15)
    at Function.Module._load (node:internal/modules/cjs/loader:778:27)
    at Module.require (node:internal/modules/cjs/loader:1005:19)
    at require (node:internal/modules/cjs/helpers:94:18)
    at Object.<anonymous> (/PATHTOREPO/node_modules/cdk-multi-profile-plugin/src/ini-file-credential-provider-source.ts:4:1)
    at Module._compile (node:internal/modules/cjs/loader:1101:14)
    at Object.Module._extensions..js (node:internal/modules/cjs/loader:1153:10)
    at Module.load (node:internal/modules/cjs/loader:981:32)
    at Function.Module._load (node:internal/modules/cjs/loader:822:12)
    at Module.require (node:internal/modules/cjs/loader:1005:19)
Unable to load plug-in: cdk-multi-profile-plugin
Working Fix:
// /cdk-multi-profile-plugin/ini-file-credential-provider-source.ts:4
import { CredentialProviderSource, Mode } from "aws-cdk/lib/api/aws-auth/credentials";
// /cdk-multi-profile-plugin/multi-profile-plugin
import { Plugin, PluginHost } from "aws-cdk/lib/plugin";
Are you aware of that? I didn't dig too deep into the CDKv2 Source and not sure if there are any official API Changes for Plugins. If it's fine for you to import the exports directly from the specific files I can create a PR. But an official API would be more solid.