Recently I’ve been trying to play around with using the AWS CDK to see if it might be a viable alternative to Terraform which is what I currently use.

The first part of getting set up to use the AWS CDK is to bootstrap your AWS environment [1]. This creates and deploys a CloudFormation stack that creates the required AWS resources (IAM, S3 bucket, etc.) for AWS CDK stacks. To be able to do any of this when you run cdk bootstrap you need AWS credentials to authenticate with the API. For AWS authentication I use aws-vault [2]. This is an easy way of only giving programs short-term credentials, rather than directly using the long-lived access key(s) you generate in the AWS console. However, when I ran:

aws-vault exec <profile> -- npx cdk bootstrap

It would successfully create the CloudFormation stack but that would then fail to create any of the resources with the error:

The security token included in the request is invalid

This didn’t make any sense because the user I was authenticating with had the “AdministratorAccess” policy attached to it. Basically it can do everything.

After spending a while trying to debug the problem, I found that I needed to do:

aws-vault exec --no-session <profile> -- npx cdk bootstrap

Rather than creating temporary credentials (i.e. a session), this passes the long-lived access key and secret straight through to the child process in the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables; no session is created.
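As an added check (an example script, not from the original post and not part of aws-vault or the CDK), this POSIX shell function tells you which kind of credentials aws-vault placed in the child process's environment, by looking at the two variables the post mentions plus AWS_SESSION_TOKEN. The key-id prefix rule (AKIA for long-term IAM user keys, ASIA for temporary STS keys) is AWS's documented convention; the file name awscreds.sh and the sample key ids are assumed.

```shell
#!/bin/sh
# Classify a set of AWS credentials by shape, so you can confirm which kind
# aws-vault handed to the child process before running `cdk bootstrap`.
# Arguments: access key id, secret access key, session token (may be empty).
# Prints one of: none | long-lived | session | session-missing-token |
#                long-lived-with-token | unknown
classify_aws_creds() {
  key="$1"; secret="$2"; token="$3"
  if [ -z "$key" ] || [ -z "$secret" ]; then
    echo none
    return 0
  fi
  # Access key id prefix: AKIA = long-term IAM user key, ASIA = temporary
  # STS key (only valid together with its session token).
  case "$key" in
    AKIA*)
      if [ -n "$token" ]; then echo long-lived-with-token; else echo long-lived; fi
      ;;
    ASIA*)
      if [ -n "$token" ]; then echo session; else echo session-missing-token; fi
      ;;
    *)
      echo unknown
      ;;
  esac
}

# Read the credentials from the environment, exactly as the process started
# by `aws-vault exec` sees them, and print the classification.
aws_cred_mode() {
  classify_aws_creds "${AWS_ACCESS_KEY_ID:-}" \
                     "${AWS_SECRET_ACCESS_KEY:-}" \
                     "${AWS_SESSION_TOKEN:-}"
}

# Expected results for the two invocations from the post (file name assumed):
#   aws-vault exec <profile> -- sh ./awscreds.sh check              -> session
#   aws-vault exec --no-session <profile> -- sh ./awscreds.sh check -> long-lived
if [ "${1:-}" = "check" ]; then
  aws_cred_mode
fi
```

Running it under both invocations is a quick way to confirm that --no-session is only in effect for the bootstrap step, and that day-to-day commands still get the short-lived session credentials aws-vault is there to provide.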

This appears to be an issue with passing through the session to the CloudFormation stack. The CloudFormation stack itself is correctly created, it’s just when it is executed that we see the failures. I haven’t used CloudFormation very much but I imagine there is a little bit of a dance that has to be done to ensure that whatever is creating the resources (some form of CloudFormation executor) gets the correct credentials.

I’ve created an issue for this in the aws/aws-cdk GitHub repo [3], https://github.com/aws/aws-cdk/issues/35134, and will update this post with the outcome.