context-provider: Context loading fails when /etc/passwd is not available #18824

Closed
allanlw opened this issue Feb 4, 2022 · 5 comments
Labels
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud bug This issue is a bug. needs-reproduction This issue needs reproduction. p2

Comments

@allanlw
allanlw commented Feb 4, 2022

What is the problem?

My CDK stack uses an external VPC via Vpc.fromLookup(). In my CD (inside Docker) it is failing to load context because /etc/passwd is not available.

I believe the root cause of this is that when attempting to assume the "lookup-role" CDK attempts to use the OS username from os.userInfo() for the STS role name, but does not have a fallback if os.userInfo() fails:

```ts
const creds = new AWS.ChainableTemporaryCredentials({
  params: {
    RoleArn: roleArn,
    ...externalId ? { ExternalId: externalId } : {},
    RoleSessionName: `aws-cdk-${safeUsername()}`,
  },
  stsConfig: {
    region,
    ...this.sdkOptions,
  },
  masterCredentials: masterCredentials.credentials,
});

function safeUsername() {
  return os.userInfo().username.replace(/[^\w+=,.@-]/g, '@');
}
```

Reproduction Steps

Unfortunately I'm not sure of a straightforward way to provide a snippet because it's a strange environment I'm working in. If you'd like me to create one though, I can do it, please ask.

What did you expect to happen?

Context loading should succeed even if /etc/passwd isn't available (try/catch)

What actually happened?

The deployment failed.

The following warning was printed:

Some context information is missing. Fetching...
Retrieved account ID REDACTED from disk cache
Assuming role 'arn:aws:iam::REDACTED:role/cdk-REDACTED-lookup-role-REDACTED-ap-northeast-1'.
Setting "vpc-provider:account=REDACTED:filter.tag:Name=REDACTED:region=ap-northeast-1:returnAsymmetricSubnets=true" context to {"$providerError":"A system error occurred: uv_os_get_passwd returned ENOENT (no such file or directory)","$dontSaveContext":true}

The final error was:

Not making progress trying to resolve environmental context. Giving up.
[Error at /REDACTED] A system error occurred: uv_os_get_passwd returned ENOENT (no such file or directory)
  Annotations.addMessage (/__w/REDACTED/REDACTED/node_modules/aws-cdk-lib/core/lib/annotations.ts:64:25)
  Annotations.addError (/__w/REDACTED/REDACTED/node_modules/aws-cdk-lib/core/lib/annotations.ts:36:10)
  Function.getValue (/__w/REDACTED/REDACTED/node_modules/aws-cdk-lib/core/lib/context-provider.ts:83:31)
  Function.fromLookup (/__w/REDACTED/REDACTED/node_modules/aws-cdk-lib/aws-ec2/lib/vpc.ts:658:66)

CDK CLI Version

2.10.0

Framework Version

2.10.0

Node.js Version

16

OS

Linux

Language

TypeScript

Language Version

No response

Other information

This previously worked in v1.132 and stopped working when I upgraded to v2.10.0.

I am setting CDK_HOME as described in #7530

@allanlw allanlw added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Feb 4, 2022
@github-actions github-actions bot added the @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud label Feb 4, 2022
@corymhall

@allanlw It will definitely help us if you are able to provide a reproducible example.

@corymhall corymhall added needs-reproduction This issue needs reproduction. p2 and removed needs-triage This issue or PR still needs to be triaged. labels Feb 4, 2022
@dennispost

@corymhall I think this issue has the same cause as #7937 #15415 #17454 #7530, and it appears not to be fixed by #7674 or #15313.

Could you add this to your prio 1 list?

@adambro

adambro commented May 11, 2022

I've proposed a trivial fix in PR #20188 already. PR validation failed because there's no test. For such a simple function, which is a helper called in a private method from a private method, it's hard to write a proper test without a crazy os module mock.
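A fallback of the kind the issue asks for, written so that the failure path can be tested without mocking the os module. This is an added example, not code from aws-cdk or from PR #20188; the injected `getUserInfo` parameter, the `FALLBACK_USERNAME` value and the truncation to 64 characters (the STS length limit for RoleSessionName) are assumptions of this example.

```javascript
// Added example, not aws-cdk code. FALLBACK_USERNAME is a hypothetical value.
const FALLBACK_USERNAME = 'unknown-user';
const SESSION_PREFIX = 'aws-cdk-';
const MAX_SESSION_NAME_LENGTH = 64; // STS limit for RoleSessionName

// getUserInfo is injected so the error path can be exercised directly;
// real code would pass () => os.userInfo().
function safeUsername(getUserInfo) {
  let username;
  try {
    username = getUserInfo().username;
  } catch (err) {
    // os.userInfo() throws when the passwd lookup fails, as in the issue.
    username = FALLBACK_USERNAME;
  }
  if (typeof username !== 'string' || username.length === 0) {
    username = FALLBACK_USERNAME;
  }
  // Same character class as the snippet in the issue.
  return username.replace(/[^\w+=,.@-]/g, '@');
}

// The session name ends up in the assumed-role ARN, so keep it valid and bounded.
function roleSessionName(getUserInfo) {
  return (SESSION_PREFIX + safeUsername(getUserInfo)).slice(0, MAX_SESSION_NAME_LENGTH);
}

// Constructed stand-ins for os.userInfo(): one that fails like the
// environment in the issue, one that returns a name needing sanitising.
function missingPasswdEntry() {
  throw new Error('A system error occurred: uv_os_get_passwd returned ENOENT (no such file or directory)');
}
const ciUser = () => ({ username: 'build agent/42' });

console.log(roleSessionName(missingPasswdEntry));
console.log(roleSessionName(ciUser));
```

Because the session name is part of the assumed-role ARN recorded in CloudTrail, a fixed fallback makes sessions from such environments easy to spot but impossible to tell apart from each other.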

@corymhall corymhall removed their assignment May 24, 2022
@MrArnoldPalmer

Looks like this should be resolved via #20188. Please reopen if you're still experiencing this.
