
(aws-eks): Unable to deploy cluster in regions that are not enabled by default #13748

Closed
civilizeddev opened this issue Mar 23, 2021 · 4 comments · Fixed by #20009
Labels
@aws-cdk/aws-eks Related to Amazon Elastic Kubernetes Service bug This issue is a bug. effort/medium Medium work item – several days of effort p2

Comments


civilizeddev commented Mar 23, 2021

In the AWS Bahrain region (me-south-1), establishing an EKS cluster with cdk has failed,

with this error message:

"AWS was not able to validate the provided access credentials"

while it succeeded in the AWS Seoul region (ap-northeast-2).

It seems to be related to the STS endpoint problem.

Reproduction Steps

My Stack contains:

import * as cdk from '@aws-cdk/core'
import * as eks from '@aws-cdk/aws-eks'

export class EksStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props: cdk.StackProps) {
    super(scope, id, props)
    new eks.Cluster(this, 'cluster', {})
  }
}

// ...

const app = new cdk.App()
new EksStack(app, 'eks', { env: { region: 'me-south-1' } })
app.synth()

When I run it:

$ cdk deploy eks

It is aborted with an error like:

ERROR: AWS was not able to validate the provided access credentials

What did you expect to happen?

The stack should be successfully deployed.

What actually happened?

Failed to create resource. The security token included in the request is invalid

Logs: /aws/lambda/eks-awscdkawseksClusterReso-OnEventHandler42BEBAE0-4QPUO1YX3M0U
Failed to delete resource. The security token included in the request is invalid

Logs: /aws/lambda/eks-awscdkawseksClusterRe-IsCompleteHandler7073F4D-ER83I62J68AJ

The stack deployment was aborted at this stage:

const resource = this._clusterResource = new ClusterResource(this, 'Resource', {
  name: this.physicalName,
  environment: props.clusterHandlerEnvironment,
  roleArn: this.role.roleArn,
  version: props.version.version,
  resourcesVpcConfig: {
    securityGroupIds: [securityGroup.securityGroupId],
    subnetIds,
  },
  ...(props.secretsEncryptionKey ? {
    encryptionConfig: [{
      provider: {
        keyArn: props.secretsEncryptionKey.keyArn,
      },
      resources: ['secrets'],
    }],
  } : {} ),
  endpointPrivateAccess: this.endpointAccess._config.privateAccess,
  endpointPublicAccess: this.endpointAccess._config.publicAccess,
  publicAccessCidrs: this.endpointAccess._config.publicCidrs,
  secretsEncryptionKey: props.secretsEncryptionKey,
  vpc: this.vpc,
  subnets: placeClusterHandlerInVpc ? privateSubents : undefined,
});

Environment

  • CDK CLI Version : 1.94.1
  • Framework Version:
  • Node.js Version: 14.16.0
  • OS : macOS BigSur 11.2.3(20D91)
  • Language (Version): TypeScript 4.2.3

Other


This is 🐛 Bug Report

@civilizeddev civilizeddev added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 23, 2021
@github-actions github-actions bot added the @aws-cdk/aws-eks Related to Amazon Elastic Kubernetes Service label Mar 23, 2021
@civilizeddev (Contributor Author)

eks = new aws.EKS({ credentials: creds });

@civilizeddev (Contributor Author)

In some AWS regions, such as ap-east-1 and me-south-1,

aws-sdk and aws-cli behave differently when calling STS endpoints.

To fix this so that it behaves the same in all regions,

the lambda functions used in the cluster-resource-provider in cdk should have an environment variable:

  • AWS_STS_REGIONAL_ENDPOINTS: regional

aws/aws-cli#4370 (comment)

const onEvent = new lambda.Function(this, 'OnEventHandler', {
  code: lambda.Code.fromAsset(HANDLER_DIR),
  description: 'onEvent handler for EKS cluster resource provider',
  runtime: HANDLER_RUNTIME,
  environment: props.environment,
  handler: 'index.onEvent',
  timeout: Duration.minutes(1),
  vpc: props.subnets ? props.vpc : undefined,
  vpcSubnets: props.subnets ? { subnets: props.subnets } : undefined,
});

const isComplete = new lambda.Function(this, 'IsCompleteHandler', {
  code: lambda.Code.fromAsset(HANDLER_DIR),
  description: 'isComplete handler for EKS cluster resource provider',
  runtime: HANDLER_RUNTIME,
  handler: 'index.isComplete',
  timeout: Duration.minutes(1),
  vpc: props.subnets ? props.vpc : undefined,
  vpcSubnets: props.subnets ? { subnets: props.subnets } : undefined,
});

To be:

new lambda.Function(this, 'XXXHandler', {
  ...,
  // keep the caller-supplied environment and force the regional STS endpoint
  environment: {
    ...props.environment,
    AWS_STS_REGIONAL_ENDPOINTS: 'regional',
  },
});

@iliapolo (Contributor)

@civilizeddev Thanks for reporting this.

You can workaround this issue for now by applying an aspect that injects that environment variable to all lambda functions associated with the cluster:

const cluster = new eks.Cluster(...)
// visit every L1 Lambda function in the cluster's stack and inject the variable
cdk.Aspects.of(cdk.Stack.of(cluster)).add({
  visit: (node: cdk.IConstruct) => {
    if (node instanceof lambda.CfnFunction) {
      node.addPropertyOverride('Environment.Variables.AWS_STS_REGIONAL_ENDPOINTS', 'regional')
    }
  }
})

Another option, though less recommended, is enabling global STS endpoints for all regions in your account.
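The endpoint behaviour behind the proposed fix and the aspect workaround above, as an added example that is not code from aws-cdk or from either commenter. It models the selection the thread describes (v2 JS SDK default 'legacy' means the global STS endpoint, whose tokens are only accepted in regions enabled by default) and a pre-deploy check for the handler environment; the opt-in region list is a constructed subset taken from the regions named in this issue, and the resolver is a simplified model, not the SDK's own code.

```typescript
// Added example (not aws-cdk code): models STS endpoint selection from
// AWS_STS_REGIONAL_ENDPOINTS and why the default fails in opt-in regions.

type Env = Record<string, string | undefined>;

// Constructed subset: opt-in regions named in this issue; the real list is longer.
const OPT_IN_REGIONS = new Set(['ap-east-1', 'me-south-1']);

// Simplified model of the v2 JS SDK: 'legacy' (the default) uses the global
// endpoint for every region, 'regional' uses sts.<region>.amazonaws.com.
function resolveStsEndpoint(region: string, env: Env): string {
  const mode = (env.AWS_STS_REGIONAL_ENDPOINTS ?? 'legacy').toLowerCase();
  if (mode === 'regional') return `https://sts.${region}.amazonaws.com`;
  if (mode === 'legacy') return 'https://sts.amazonaws.com';
  throw new Error(`unsupported AWS_STS_REGIONAL_ENDPOINTS value: ${mode}`);
}

// Tokens from a regional STS endpoint are valid in every region; tokens from
// the global endpoint are valid only in regions that are enabled by default.
function tokenValidIn(stsEndpoint: string, region: string): boolean {
  if (stsEndpoint !== 'https://sts.amazonaws.com') return true;
  return !OPT_IN_REGIONS.has(region);
}

// The fix proposed in the thread: merge the flag into the handler environment.
function withRegionalSts(env: Env): Env {
  return { ...env, AWS_STS_REGIONAL_ENDPOINTS: 'regional' };
}

// Pre-deploy check: would the cluster handler's STS token work in this region?
function checkClusterHandlerEnv(region: string, env: Env): { ok: boolean; endpoint: string; reason: string } {
  const endpoint = resolveStsEndpoint(region, env);
  const ok = tokenValidIn(endpoint, region);
  const reason = ok
    ? 'STS token accepted in target region'
    : `global STS token rejected in opt-in region ${region}; set AWS_STS_REGIONAL_ENDPOINTS=regional`;
  return { ok, endpoint, reason };
}

// Reproduces the report: Seoul works with defaults, Bahrain fails until the flag is set.
const defaults: Env = {};
console.log(checkClusterHandlerEnv('ap-northeast-2', defaults));
console.log(checkClusterHandlerEnv('me-south-1', defaults));
console.log(checkClusterHandlerEnv('me-south-1', withRegionalSts(defaults)));
```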


@iliapolo iliapolo added effort/medium Medium work item – several days of effort p2 and removed needs-triage This issue or PR still needs to be triaged. labels Mar 25, 2021
@iliapolo iliapolo changed the title (@aws-cdk/aws-eks): AWS was not able to validate the provided access credentials (aws-eks): Unable to deploy cluster in regions that are not enabled by default Mar 25, 2021
@iliapolo iliapolo removed their assignment Jun 27, 2021
mnapoli added a commit to brefphp/bref that referenced this issue Aug 3, 2021
rix0rrr added a commit that referenced this issue Apr 21, 2022
The default STS endpoint of the v2 JS SDK is the global endpoint,
which does not work in opt-in regions: it has to be the regional
endpoint. Fix this by setting a global environment variable
for the custom resource Lambdas.

Fixes #13748, fixes #15579.
@mergify mergify bot closed this as completed in #20009 Apr 22, 2022
mergify bot pushed a commit that referenced this issue Apr 22, 2022


StevePotter pushed a commit to StevePotter/aws-cdk that referenced this issue Apr 27, 2022
mnapoli added a commit to brefphp/aws-lambda-layers that referenced this issue Oct 15, 2022
phoenix933 pushed a commit to phoenix933/aws-lambda-layers that referenced this issue Dec 3, 2023