webiny/webiny-js

Deploy fails when using an organization account IAM role

dse opened this issue · 0 comments

dse commented

Version

5.37.0

Operating System

Linux (WSL2)

Browser

n/a

What are the steps to reproduce this bug?

  • Set up an organization in AWS Organizations.
  • Add an account to it, which will be your client account.
  • Create an IAM role that allows the main organization account to assume it.
  • Configure ~/.aws/config thusly:
[default]
region = us-east-1
output = json

[profile XXXXXXXXXXX]
region = us-east-1
output = json
source_profile = default
role_arn = arn:aws:iam::000000000000:role/XXX_Admins
  • Set the environment variable AWS_PROFILE=XXXXXXXXXXX.
  • Do a yarn webiny deploy.

What is the expected behavior?

A successful deployment.

What do you see instead?

An STS getCallerIdentity API call during the deploy process fails, triggering the error below.

Running aws sts get-caller-identity in a shell does not fail.

$ AWS_PROFILE=XXXXXXXXXXX AWS_SDK_LOAD_CONFIG=1 yarn webiny deploy
It looks like this is your first time using @webiny/pulumi-sdk.
✔ Pulumi downloaded, continuing...
[resource plugin aws-5.42.0] installing
Downloading plugin: 164.18 MiB / 164.18 MiB [=======================] 100.00% 3s

webiny info: This is your first time deploying the project (dev environment). Note that the initial deployment can take up to 15 minutes, so please be patient.

webiny info: Deploying Core project application...
webiny info: Running "hook-before-build" hook...
webiny success: Hook "hook-before-build" completed.
webiny info: No packages to build...
webiny info: Running "hook-after-build" hook...
webiny success: Hook "hook-after-build" completed.

webiny info: Running "hook-before-deploy" hook...

webiny error: Looks like your AWS credentials are not configured correctly!
webiny debug:  Error: connect EHOSTUNREACH 169.254.169.254:80
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1159:16) {
  message: 'Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1',
  errno: -113,
  code: 'CredentialsError',
  syscall: 'connect',
  address: '169.254.169.254',
  port: 80,
  time: 2023-08-04T17:53:59.666Z,
  originalError: {
    message: 'Could not load credentials from any providers',
    errno: -113,
    code: 'CredentialsError',
    syscall: 'connect',
    address: '169.254.169.254',
    port: 80,
    time: 2023-08-04T17:53:59.665Z,
    originalError: {
      message: 'EC2 Metadata roleName request returned error',
      errno: -113,
      code: 'EHOSTUNREACH',
      syscall: 'connect',
      address: '169.254.169.254',
      port: 80,
      time: 2023-08-04T17:53:59.665Z,
      originalError: [Object]
    }
  }
}
webiny info: To learn how to configure your AWS credentials, visit https://www.webiny.com/docs/how-to-guides/deployment/aws/configure-aws-credentials

webiny error: Command failed with exit code 1: yarn webiny deploy apps/core --env dev --debug false --build true --preview false

Additional information

The cause appears to be that, at least in the instance of checkCredentials.js in cwp-template-aws, the code is not loading aws-sdk/global before loading aws-sdk/clients/sts.

Instructions in AWS's SDK for JS v2 code repository specify to do this.

A workaround is to set NODE_OPTIONS='-r aws-sdk/global' before running yarn webiny deploy to force Node to load it initially. However, this does not completely solve the issue.

A lot more of the deployment process will complete, but during the deployment of the admin app, while attempting to upload things to an S3 bucket, this occurs:

webiny info: Running "hook-after-deploy" hook...
webiny info: Uploading React application...
webiny error: Failed to upload favicons/browserconfig.xml
Error: Unable to create a POST object policy without a bucket, region, and credentials
    at features.constructor.preparePostFields (/home/dembry/webiny/their.example.org/node_modules/aws-sdk/lib/services/s3.js:1119:13)
    at finalizePost (/home/dembry/webiny/their.example.org/node_modules/aws-sdk/lib/services/s3.js:1078:22)
    at features.constructor.createPresignedPost (/home/dembry/webiny/their.example.org/node_modules/aws-sdk/lib/services/s3.js:1102:14)
    at getPresignedPost (/home/dembry/webiny/their.example.org/node_modules/@webiny/pulumi-aws/utils/getPresignedPost.js:37:13)
    at /home/dembry/webiny/their.example.org/node_modules/@webiny/pulumi-aws/utils/uploadFolderToS3.js:114:62
    at processTicksAndRejections (internal/process/task_queues.js:95:5)

As additional misfortune, yarn webiny deploy incorrectly exits with a zero status code.

Possible solution

My solution would be to simply have any source code file using any of the client modules load aws-sdk/global at its very beginning.

As stated in the Additional Information section, this does not completely solve the issue.
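
A preflight check for the profile setup in the reproduction steps, as an added example that is not part of the original issue or of Webiny's code. It resolves the `source_profile` chain from config text and flags what would keep the AWS SDK for JS v2 from reading the role profile; it covers only the configuration side of this report, not the module load order. `parseAwsConfig` and `preflight` are hypothetical names, and the sample config is an abridged copy of the one above.

```javascript
// Constructed sample: the ~/.aws/config from the report, abridged, placeholders kept.
const SAMPLE_CONFIG = `
[default]
region = us-east-1

[profile XXXXXXXXXXX]
region = us-east-1
source_profile = default
role_arn = arn:aws:iam::000000000000:role/XXX_Admins
`;

// Parse shared-config INI text into { profileName: { key: value } }.
function parseAwsConfig(text) {
  const profiles = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const section = line.match(/^\[(?:profile\s+)?([^\]]+)\]$/);
    if (section) { current = profiles[section[1].trim()] = {}; continue; }
    const eq = line.indexOf("=");
    if (current && eq > 0) current[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return profiles;
}

// Hypothetical helper: follow source_profile links from AWS_PROFILE and
// collect everything that would stop the SDK from resolving the role.
function preflight(configText, env) {
  const profiles = parseAwsConfig(configText);
  const chain = [], problems = [], seen = new Set();
  let cur = env.AWS_PROFILE || "default";
  while (cur !== undefined) {
    if (seen.has(cur)) { problems.push(`source_profile cycle at "${cur}"`); break; }
    seen.add(cur);
    const p = profiles[cur];
    if (!p) { problems.push(`profile "${cur}" is not defined in this config text`); break; }
    chain.push({ profile: cur, roleArn: p.role_arn || null });
    if (p.role_arn && !p.source_profile && !p.credential_source)
      problems.push(`"${cur}" has role_arn but no source_profile or credential_source`);
    cur = p.role_arn ? p.source_profile : undefined;
  }
  // The error text on this page asks for AWS_SDK_LOAD_CONFIG when the config file is used.
  if (chain.some((c) => c.roleArn) && !env.AWS_SDK_LOAD_CONFIG)
    problems.push("AWS_SDK_LOAD_CONFIG is unset; SDK for JS v2 will not read ~/.aws/config");
  return { chain, problems, ok: problems.length === 0 };
}

console.log(preflight(SAMPLE_CONFIG, { AWS_PROFILE: "XXXXXXXXXXX", AWS_SDK_LOAD_CONFIG: "1" }));
```

A source profile whose static keys live only in ~/.aws/credentials will be reported as not defined, because the check sees the config text alone.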