CDK bootstrap detection assumes stack name of CDKToolkit #1510

Closed
2 tasks done
OperationalFallacy opened this issue May 12, 2024 · 28 comments
Labels
bug Something isn't working p1 transferred Issue was transferred from another Amplify repository

Comments

@OperationalFallacy

How did you install the Amplify CLI?

npm

If applicable, what version of Node.js are you using?

v20.9.0

Amplify CLI Version

12.10.0

What operating system are you using?

Mac

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

No, this is a brand new project

Describe the bug

npm create amplify@latest completes

npx ampx sandbox --profile xxx-sso-xxx-dev fails with

The given region has not been bootstrapped. Sign in to console as a Root user or Admin to complete the bootstrap process, then restart the sandbox.

Expected behavior

It must use bootstrapped CDK already in the account.

Reproduction steps

CDK bootstrapped in account

  1. npm create amplify@latest

  2. npx ampx sandbox --profile xxx-sso-xxx-dev

Project Identifier

n/a

Log output

# Put your logs below this line


Additional information

Looking at the web-page the cli opens:

First-time account setup required
Amplify needs to run a one-time set up for this account and region before it can deploy resources. This usually takes between 2 to 5 minutes.
[Learn more](https://docs.amplify.aws/gen2/start/account-setup/)

and checking the link to the docs, I find a long and manual process to set up SSO and bootstrap CDK. I would expect to find some information on how it should work within existing SSO and bootstrapped CDK.

image

Also, other problems related to getting started. Gen2 UI lists gen1 apps here (https://us-east-1.console.aws.amazon.com/amplify/apps - why it's even listing them???) and offers to delete it 😱

image

Before submitting, please confirm:

  • I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
  • I have removed any sensitive information from my code snippets and submission.
@OperationalFallacy OperationalFallacy added the pending-triage Incoming issues that need categorization label May 12, 2024
@ykethan ykethan transferred this issue from aws-amplify/amplify-cli May 13, 2024
@ykethan ykethan added the transferred Issue was transferred from another Amplify repository label May 13, 2024
@thomasoehri

thomasoehri commented May 14, 2024

I'm having the same problem. Trying to create a sandbox environment using npx ampx sandbox gives the output The given region has not been bootstrapped. Sign in to console as a Root user or Admin to complete the bootstrap process, then restart the sandbox. and opens the AWS Management Console. But there it shows the message "CDKToolkit is already setup successfully in eu-central-1 Region. You may now close this browser window.".

When I run npx ampx sandbox again it does the same thing. So I'm stuck here and can't launch a sandbox environment. I followed the guide here https://docs.amplify.aws/react/start/account-setup/#configure-amplify-cicd.

Both the Amplify app as well as the IAM Identity Center user are in the same region (eu-central-1) and the local profile seems correct too:

```
tail ~/.aws/config

[default]
region = eu-central-1
sso_session = amplify-admin
sso_account_id = XXXX
sso_role_name = amplify-policy
[sso-session amplify-admin]
sso_start_url = https://XXXX.awsapps.com/start
sso_region = eu-central-1
sso_registration_scopes = sso:account:access
```

@Amplifiyer
Contributor

Can you check if you have a CDKToolkit named stack in your region and if it's there, what's the value of BootstrapVersion in the CFN outputs. Reference

Screenshot 2024-05-14 at 17 18 38

@ykethan ykethan added the pending-response Issue is pending response from author label May 14, 2024
@edwardfoyle
Contributor

Hi @thomasoehri, this could also be caused by a region mismatch. Is the AWS_REGION or AWS_DEFAULT_REGION environment variable set? If so, this will override the region in the config file.

@thomasoehri

> Can you check if you have a CDKToolkit named stack in your region and if it's there, what's the value of BootstrapVersion in the CFN outputs. Reference
>
> Screenshot 2024-05-14 at 17 18 38

Yes, the CDKToolkit named stack is present in region eu-central-1 and showing a BootstrapVersion value of 18:

Bildschirmfoto 2024-05-14 um 18 01 54

@OperationalFallacy
Author

In my case, the version is 14.

@github-actions github-actions bot removed the pending-response Issue is pending response from author label May 14, 2024
@thomasoehri

thomasoehri commented May 14, 2024

> Hi @thomasoehri, this could also be caused by a region mismatch. Is the AWS_REGION or AWS_DEFAULT_REGION environment variable set? If so, this will override the region in the config file.

Hi @edwardfoyle, thank you for the great tip, but I have neither of them set.

@Amplifiyer
Contributor

To debug this next, can you run the following commands and let us know the results:

  1. aws ec2 describe-availability-zones --output text --query 'AvailabilityZones[0].[RegionName]' --profile xxx-sso-xxx-dev | cat

  2. aws cloudformation describe-stacks --stack-name CDKToolkit --max-items 1 --profile xxx-sso-xxx-dev | grep BootstrapVersion -B 1 -A 3

I'm assuming you are still getting this error:

The given region has not been bootstrapped. Sign in to console as a Root user or Admin to complete the bootstrap process, then restart the sandbo

@ykethan ykethan added the pending-response Issue is pending response from author label May 16, 2024
@thomasoehri

thomasoehri commented May 16, 2024

> To debug this next, can you run the following commands and let us know the results:
>
>   1. aws ec2 describe-availability-zones --output text --query 'AvailabilityZones[0].[RegionName]' --profile xxx-sso-xxx-dev | cat
>   2. aws cloudformation describe-stacks --stack-name CDKToolkit --max-items 1 --profile xxx-sso-xxx-dev | grep BootstrapVersion -B 1 -A 3
>
> I'm assuming you are still getting this error:
>
> The given region has not been bootstrapped. Sign in to console as a Root user or Admin to complete the bootstrap process, then restart the sandbo

  1. While running the first command I received the following authorization error: An error occurred (UnauthorizedOperation) when calling the DescribeAvailabilityZones operation: You are not authorized to perform this operation. User: arn:aws:sts::xxxxx:assumed-role/AWSReservedSSO_amplify-policy_xxxxx/amplify-admin is not authorized to perform: ec2:DescribeAvailabilityZones because no identity-based policy allows the ec2:DescribeAvailabilityZones action

I then attached the AmazonEC2ReadOnlyAccess policy to the IAM Identity Center permission set for my user and got the following response when running the command again:

```
thomasoehri@Mac-Studio-von-Thomas-572 echo-backend % aws ec2 describe-availability-zones --output text --query 'AvailabilityZones[0].[RegionName]' --profile default | cat
eu-central-1
```

  2. Running the second command I got the following response:

```
thomasoehri@Mac-Studio-von-Thomas-572 echo-backend % aws cloudformation describe-stacks --stack-name CDKToolkit --max-items 1 --profile default | grep BootstrapVersion -B 1 -A 3
                {
                    "OutputKey": "BootstrapVersion",
                    "OutputValue": "20",
                    "Description": "The version of the bootstrap resources that are currently mastered in this stack"
                },
```

P.S.: It is now showing BootstrapVersion 20 instead of 18 like before because I tried updating the CDKToolkit stack manually using the command cdk bootstrap aws://$(aws sts get-caller-identity --query Account --output text)/$AWS_REGION from the following guide: Troubleshoot "Stack CDKToolkit already exists", but that didn't fix the error The given region has not been bootstrapped. Sign in to console as a Root user or Admin to complete the bootstrap process, then restart the sandbox..

  3. Running npx ampx sandbox --profile default still results in the The given region has not been bootstrapped. Sign in to console as a Root user or Admin to complete the bootstrap process, then restart the sandbox. error.

Here is a screenshot showing all three commands and their results:

Bildschirmfoto 2024-05-16 um 14 22 23 Bildschirmfoto 2024-05-16 um 14 22 02

Note that I use the same profile --profile default with every command.

@Amplifiyer
Contributor

Interesting! This is the code that makes the same CFN call to determine if the account-region is bootstrapped.

Would it be possible for you to put a breakpoint in that method and see what you get back?
Also if you are using a default profile, what do you see if you don't use the --profile option at all.

@thomasoehri

> Interesting! This is the code that makes the same CFN call to determine if the account-region is bootstrapped.
>
> Would it be possible for you to put a breakpoint in that method and see what you get back? Also if you are using a default profile, what do you see if you don't use the --profile option at all.

Here is what I get back when I set a breakpoint in the isBootstrapped method:

Bildschirmfoto 2024-05-16 um 17 26 04

This call throws an error with code 'ValidationError' and message 'Stack with id CDKToolkit does not exist':

```
const { Stacks: stacks } = await this.cfnClient.send(
  new DescribeStacksCommand({
    StackName: CDK_BOOTSTRAP_STACK_NAME,
  })
);
```

The --profile argument was just to showcase that the correct/same profile was used. Omitting it also results in the error.

@thomasoehri

this.cfnClient.config.region() seems correct too:

Bildschirmfoto 2024-05-16 um 17 58 53

@thomasoehri

I have found the issue (at least for me). I've had credentials for another AWS account stored in ~/.aws/credentials and it seems ampx sandbox took those instead of the SSO profile stored in ~/.aws/config whereas all other cli commands took the SSO profile. Maybe that is something to add to the troubleshooting page.

@Amplifiyer
Contributor

Thank you @thomasoehri so much for your help in debugging this.

> I have found the issue (at least for me). I've had credentials for another AWS account stored in ~/.aws/credentials and it seems ampx sandbox took those instead of the SSO profile stored in ~/.aws/config whereas all other cli commands took the SSO profile.

That was my next guess that aws-sdk is not able to resolve the right AWS_ACCOUNT since everything else lines up. See some issues filed there

> Maybe that is something to add to the troubleshooting page.

Thank you, yes we will look into adding this there. Can you share the snippet of your Obfuscated credentials file on how it looked? I'm guessing if the same profile name is present there, aws-sdk picks that ahead of the aws/config

@Amplifiyer
Contributor

@OperationalFallacy, can you check if your situation is similar to the one we just discussed above?

@OperationalFallacy
Author

OperationalFallacy commented May 16, 2024

> @OperationalFallacy, can you check if your situation is similar to the one we just discussed above?

I see it recognizes sso profile (both with a workaround for gen1 - credential_process = aws-sso-credential-process --profile xxx and normal sso profile), the account is correct, too.

```
npx ampx sandbox --profile xxx-dev-amplify
The given region has not been bootstrapped. Sign in to console as a Root user or Admin to complete the bootstrap process, then restart the sandbox.
```

There is still the prompt.

image

Looks like a bug because the latest cdk cli works just fine, even with some older bootstrap version I have.

@github-actions github-actions bot removed the pending-response Issue is pending response from author label May 16, 2024
@Amplifiyer
Contributor

What do you get with this command?

```
aws cloudformation describe-stacks --stack-name CDKToolkit --max-items 1 --profile xxx-sso-xxx-dev | grep BootstrapVersion -B 1 -A 3
```

@OperationalFallacy
Author

OperationalFallacy commented May 16, 2024

```
aws cloudformation describe-stacks --stack-name CDKToolkit-CICDTarget --max-items 1 --xxx-dev-amplify | grep BootstrapVersion -B 1 -A 3
                {
                    "OutputKey": "BootstrapVersion",
                    "OutputValue": "14",
                    "Description": "The version of the bootstrap resources that are currently mastered in this stack"
                },
```

Note the custom stack name.

I guess it should be more like this or whatever the sdk call to get the output value by output name

```
aws cloudformation describe-stacks --query "Stacks[].Outputs[?OutputKey=='BootstrapVersion'].[OutputValue]" --output text --profile xxxx
```

- it prints 14

@Amplifiyer
Contributor

Thanks @OperationalFallacy, this is helpful. The code currently assumes that the stack-name has to be CDKToolkit which is the default when using cdk bootstrap. Marking this a bug.
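
Detection keyed on the `BootstrapVersion` output rather than on the stack name, as an added example that is not the Amplify project's code. The response object is constructed in the shape of the `describe-stacks` output quoted in this thread; `my-app-stack`, the output values other than `14`, and the `minVersion` threshold are assumptions, since the thread does not state which version Amplify requires.

```javascript
// Added example, not Amplify source. SAMPLE_RESPONSE is constructed; only the
// stack name CDKToolkit-CICDTarget and version 14 come from the thread.
const SAMPLE_RESPONSE = {
  Stacks: [
    { StackName: 'my-app-stack', StackStatus: 'CREATE_COMPLETE',
      Outputs: [{ OutputKey: 'ApiUrl', OutputValue: 'https://example.invalid' }] },
    { StackName: 'CDKToolkit-CICDTarget', StackStatus: 'UPDATE_COMPLETE',
      Outputs: [{ OutputKey: 'BucketName', OutputValue: 'constructed-bucket' },
                { OutputKey: 'BootstrapVersion', OutputValue: '14' }] },
    // Failed creation: a name-only check would find this stack, but it has
    // no deployed resources and no outputs.
    { StackName: 'CDKToolkit', StackStatus: 'ROLLBACK_COMPLETE' },
  ],
};

// States in which a stack's resources are deployed and its outputs are current.
const USABLE_STATES = new Set([
  'CREATE_COMPLETE', 'UPDATE_COMPLETE', 'UPDATE_ROLLBACK_COMPLETE',
]);

// Returns every usable stack exposing a numeric BootstrapVersion output,
// whatever the stack is called, highest version first.
function findBootstrapStacks(response) {
  const found = [];
  for (const stack of response.Stacks || []) {
    if (!USABLE_STATES.has(stack.StackStatus)) continue;
    const output = (stack.Outputs || []).find(
      (o) => o.OutputKey === 'BootstrapVersion'
    );
    if (!output) continue;
    const version = Number.parseInt(output.OutputValue, 10);
    if (Number.isNaN(version)) continue; // malformed output, do not trust it
    found.push({ stackName: stack.StackName, version });
  }
  return found.sort((a, b) => b.version - a.version);
}

// minVersion is a hypothetical threshold supplied by the caller.
function isBootstrapped(response, minVersion) {
  return findBootstrapStacks(response).some((s) => s.version >= minVersion);
}

console.log(findBootstrapStacks(SAMPLE_RESPONSE));
console.log(isBootstrapped(SAMPLE_RESPONSE, 14));
```

Any template can declare an output called `BootstrapVersion`, so a match on the output name is a heuristic and not proof that the stack came from `cdk bootstrap`.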

@Amplifiyer Amplifiyer added bug Something isn't working and removed pending-triage Incoming issues that need categorization labels May 16, 2024
@thomasoehri

> Thank you, yes we will look into adding this there. Can you share the snippet of your Obfuscated credentials file on how it looked? I'm guessing if the same profile name is present there, aws-sdk picks that ahead of the aws/config

Yes exactly, both profiles were named default.

```
% cat ~/.aws/credentials
[default]
aws_access_key_id=XXXXX
aws_secret_access_key=XXXXX
```

@edwardfoyle edwardfoyle changed the title Getting started is not getting far: Amplify gen2 fails to recognize bootstrapped CDK account CDK bootstrap detection assumes stack name of CDKToolkit May 17, 2024
@robokozo

Just ran into this myself. I'm a little bummed because I wanted to participate in the AWS Amplify full stack challenge

credentials

```
[default]
aws_access_key_id = xxx
aws_secret_access_key = xxx
```

config

```
[default]
sso_session = amplify-admin
sso_account_id = xxx
sso_role_name = amplify-policy
region = us-east-2
[sso-session amplify-admin]
sso_start_url = https://xxx.awsapps.com/start
sso_region = us-east-2
sso_registration_scopes = sso:account:access
```

@thomasoehri

@robokozo You should be able to give the SSO profile a different name from the profile in ~/.aws/credentials. So when running aws configure sso choose a different profile name:

```
% aws configure sso
SSO session name [amplify-admin]:
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.eu-central-1.amazonaws.com/

Then enter the code:

XXXX-XXXX
The only AWS account available to you is: XXXXX
Using the account ID XXXXX
The only role available to you is: amplify-policy
Using the role name "amplify-policy"
CLI default client Region [eu-central-1]:
CLI default output format [None]:
CLI profile name [amplify-policy-533267102941]: amplify-policy-XXX  <---- Use a profile name other than default

To use this profile, specify the profile name using --profile, as shown:

aws s3 ls --profile amplify-policy-XXX
```

Then you'll be able to run the sandbox with that profile using npx ampx sandbox --profile amplify-policy-XXX.
In my case I've just removed the ~/.aws/credentials file since I didn't need the account that was specified in there on this machine.
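
A check for the collision reported in the comments above (static keys in `~/.aws/credentials` and an SSO profile in `~/.aws/config` under the same profile name), as an added example that is not part of the thread and is not AWS SDK or Amplify code. The file contents are constructed from the redacted files posted here, and the function names are hypothetical; it reports profile names only and does not reproduce the SDK's credential resolution.

```javascript
// Added example. File contents are constructed, modelled on the redacted files in this thread.
const CREDENTIALS_FILE = `
[default]
aws_access_key_id = XXXXX
aws_secret_access_key = XXXXX
`;
const CONFIG_FILE = `
[default]
sso_session = amplify-admin
sso_account_id = XXXX
sso_role_name = amplify-policy
region = us-east-2
[sso-session amplify-admin]
sso_start_url = https://XXXX.awsapps.com/start
`;

// Minimal INI reader: section headers and key = value pairs, comments skipped.
function parseIni(text) {
  const sections = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const header = line.match(/^\[(.+)\]$/);
    if (header) {
      current = header[1].trim();
      sections[current] = sections[current] || {};
    } else if (current && line.includes('=')) {
      const eq = line.indexOf('=');
      sections[current][line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
    }
  }
  return sections;
}

// ~/.aws/config names profiles "default" or "profile <name>"; other section
// types such as "sso-session <name>" are not profiles.
function configProfiles(sections) {
  const profiles = {};
  for (const [name, keys] of Object.entries(sections)) {
    if (name === 'default') profiles.default = keys;
    else if (name.startsWith('profile ')) profiles[name.slice(8).trim()] = keys;
  }
  return profiles;
}

// Reports profile names that carry static keys in the credentials file and
// SSO settings in the config file. Key values are never returned.
function findShadowedProfiles(credentialsText, configText) {
  const creds = parseIni(credentialsText);
  const config = configProfiles(parseIni(configText));
  return Object.keys(creds).filter((name) => {
    const cfg = config[name];
    return Boolean(cfg) && 'aws_access_key_id' in creds[name] &&
      ('sso_session' in cfg || 'sso_start_url' in cfg);
  });
}
console.log(findShadowedProfiles(CREDENTIALS_FILE, CONFIG_FILE));
```

Giving the SSO profile its own name, as suggested in the comment above, makes the function return an empty list for the same credentials file.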

@robokozo

@thomasoehri Thanks for the info. Any idea about this?

```
> npx ampx sandbox --profile amplify-policy-my-name

[Sandbox] Pattern !.env.example found in .gitignore. ".env.example" will not be watched if other patterns in .gitignore are excluding it.

  Amplify Sandbox

  Identifier:   my-name
  Stack:        amplify-my-name-sandbox-eb92868d9f

  To specify a different sandbox identifier, use --identifier
Segmentation fault
```

@OperationalFallacy
Author

npx ampx sandbox is working now, thank you for the update!

Is the UI trying to do something different when it creates an app? A few Gen 1 apps are already configured and deployed in that account, so the message is confusing.

image

What is it trying to do?

@jakejcheng

I just encountered this issue as well, but I was able to get it to work once I've removed ~/aws/.credentials

@harnam2601

I also got the same issue with the same message The given region has not been bootstrapped. Sign in to console as a Root user or Admin to complete the bootstrap process, then restart the sandbox. when running the npx ampx sandbox command without the --profile profile-name option. When I added the profile option, I was getting an error related to invalidURL and found the issue in my AWS credentials. The AWS region value was set up wrong; correcting it fixed the issue for me.

@zeeshanakhter2009

When running this command 'npx ampx sandbox --outputs-format dart --outputs-out-dir lib'
getting this error 'The given region has not been bootstrapped. Sign in to console as a Root user or Admin to complete the bootstrap process, then restart the sandbox.'

Run this command to fix it: 'npx aws-cdk@latest bootstrap aws://540444658130/us-east-1'

@cpropster

cpropster commented Oct 11, 2024

This last comment from @zeeshanakhter2009 worked for me as well. The structure of the CLI command is as follows:

npx aws-cdk@latest bootstrap aws://{AWS account Number}/{region}

e.g. npx aws-cdk@latest bootstrap aws://123456789012/us-east-1

@tal-arrowood

tal-arrowood commented Oct 16, 2024

> When running this command 'npx ampx sandbox --outputs-format dart --outputs-out-dir lib' getting this error 'The given region has not been bootstrapped. Sign in to console as a Root user or Admin to complete the bootstrap process, then restart the sandbox.'
>
> Run this command to fix it: 'npx aws-cdk@latest bootstrap aws://540444658130/us-east-1'

This finally worked for me, with one caveat: the amplify-policy role created if you use the process in the guide linked above uses AmplifyBackendDeployFullAccess policy, which doesn't have CloudFormation:CreateChangeSet permission, which is required for the bootstrap. You'll need to add that to the role or just use an AdministratorAccess role. In ~/.aws/config change your sso profile sso_role_name setting to use the role you need.
