Getting CDK to work with AWS SSO profiles and AWS Environment Variables

Collin Smith
4 min read, Jul 6, 2023
CDK & AWS SSO

Deploying CDK applications with AWS SSO accounts can be different than with a single independent AWS account that is not integrated with AWS SSO.

The Problem

We had recently updated our individual company AWS Accounts to be integrated with AWS IAM. I had a previous Java CDK project that is described in Santa’s AWS Workshop! (A serverless event driven approach). This project previously had the AWS CLI configured to a single AWS Account, as documented in Getting started with AWS, Java 11 (Amazon Corretto), Eclipse and AWS Toolkit. I was previously using long-term credentials in the form of Access Keys, and this was no longer working.

Since the account was no longer accessible in the same manner, a problem occurred when I went to execute the “cdk bootstrap” command. I received an “Unable to resolve AWS account to use. It must be either configured when you define your CDK Stack, or through the environment

CDK with an SSO Account requires a different technique to ensure that your CDK project will be able to deploy correctly.

I wasted some time investigating how to overcome this and thought that I would share one way to overcome this.

The Solution

You should go to your SSO Start URL for your organization and authenticate to see which accounts you will choose to use to deploy your CDK project. For myself this page looks like the following:

Available SSO Accounts

I want to use the AWSPowerUserAccess role, so I click on the “Command line or programmatic access” option.

As I am on a Windows Machine, I will select the Windows table to get the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN environment variables to set in my local environment.

Once you are on the credentials page you will see Option 1 (AWS Environment Variables).

IAM Identity Center Credentials

Setting AWS environment variables (Short-term credentials)

(A) Copy the commands from the Option 1 to set the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN variables.

Paste these into your cmd window.

Setting the environment variables

(B) Set your AWS_REGION variable to the region you wish to deploy your CDK Stack to, using something like

SET AWS_REGION=us-west-2

(C) Then issue your “cdk bootstrap” command and your CDK project should deploy successfully using your SSO Account, as follows

Successful “cdk bootstrap” execution

You should then be able to issue the subsequent “cdk synth” and “cdk deploy” commands to deploy your CDK project successfully.

A successful “cdk deploy” execution

(D) You can then remove the credentials from your session by issuing the following commands (in cmd, assigning an empty value deletes the variable)

SET AWS_ACCESS_KEY_ID=
SET AWS_SECRET_ACCESS_KEY=
SET AWS_SESSION_TOKEN=
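The steps above depend on three credential variables and a region being present in the same shell session before “cdk bootstrap” runs; if any of them is missing or still holds an old long-term key, CDK fails with the “Unable to resolve AWS account to use” error from the Problem section. The following pre-flight check is an added example, not code from the original article or from the AWS CDK project. It reads only the environment variables the article has you set (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, AWS_REGION or AWS_DEFAULT_REGION), makes no network calls, and also implements step (D) as a function that strips the short-term credentials from a copy of the environment. The sample environments in the test are constructed values, not real keys.

```python
"""Pre-flight check for the short-term SSO credential setup used before "cdk bootstrap".

Added example (not part of the original article or of the CDK project). It only
inspects environment variables; it never contacts AWS.
"""
import os
import sys
from dataclasses import dataclass, field

# The three variables copied from "Option 1" on the IAM Identity Center credentials page.
CREDENTIAL_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")
# CDK and the AWS SDKs accept either region variable.
REGION_VARS = ("AWS_REGION", "AWS_DEFAULT_REGION")


@dataclass
class PreflightResult:
    ok: bool
    problems: list = field(default_factory=list)


def check_sso_env(env: dict) -> PreflightResult:
    """Validate that a shell session carries a complete short-term credential set plus a region."""
    problems = []
    for name in CREDENTIAL_VARS:
        if not env.get(name, "").strip():
            problems.append(f"{name} is not set (copy it from Option 1 on the SSO credentials page)")

    # Temporary credentials issued through IAM Identity Center are STS credentials, whose
    # access key id starts with "ASIA" and must be accompanied by a session token. A key id
    # starting with "AKIA" is a long-term IAM access key, the kind the article says stopped
    # working after the accounts moved to Identity Center.
    key_id = env.get("AWS_ACCESS_KEY_ID", "")
    if key_id.startswith("AKIA"):
        problems.append(
            "AWS_ACCESS_KEY_ID looks like a long-term IAM access key (AKIA...), "
            "not a short-term SSO credential (ASIA...)"
        )

    if not any(env.get(r, "").strip() for r in REGION_VARS):
        problems.append("no region set: SET AWS_REGION=<region> (for example us-west-2)")

    return PreflightResult(ok=not problems, problems=problems)


def clear_credentials(env: dict) -> dict:
    """Step (D): return a copy of env with the short-term credential variables removed.

    The region is left in place, since it is not a secret and is needed for the next deploy.
    """
    return {k: v for k, v in env.items() if k not in CREDENTIAL_VARS}


if __name__ == "__main__":
    # Usage: run this in the same cmd/PowerShell/bash session right before "cdk bootstrap".
    result = check_sso_env(dict(os.environ))
    if result.ok:
        print("environment looks ready for cdk bootstrap")
        sys.exit(0)
    for problem in result.problems:
        print("problem:", problem)
    sys.exit(1)
```

Run it in the same window where you pasted the Option 1 commands; a non-zero exit code means at least one of the variables CDK needs is absent, so fix that before spending time on a bootstrap that cannot resolve the account.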

Advantages of AWS IAM Identity Center

With AWS IAM Identity Center (Successor to AWS Single Sign-On) you can centrally manage multiple AWS accounts.

  • Create or connect your workforce identities only once for use across AWS
  • Centrally manage your workforce access to multiple AWS accounts
  • Assign user permissions based on common job functions or user attributes
  • Provide your workforce single sign-on access to cloud applications

Conclusion

A change from individual AWS accounts to AWS IAM Identity Center (AWS SSO) does have benefits for your organization. This article showed how to get your CDK project to work with your AWS SSO accounts. Other ways are possible, but this one has been tested and might be the right choice for you to get your AWS. Hopefully, this will save you time if you have to get your CDK project deployed when your AWS accounts are converted to AWS IAM Identity Center.

Collin Smith

AWS Ambassador/Solutions Architect/Ex-French Foreign Legion