CDK ignores no_proxy config #7121

Closed
udondan opened this issue Apr 1, 2020 · 6 comments · Fixed by #16751 or #16840
Labels
effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p1 package/tools Related to AWS CDK Tools or CLI

Comments

@udondan
Contributor

udondan commented Apr 1, 2020

It appears like CDK ignores the no_proxy configuration.

I attempted to run CDK on an EC2 instance and I expect it to use the instance profile. I therefore added the flag --ec2creds.

The environment contains the vars http_proxy and https_proxy which point to the proxy of my organization. This proxy has an explicit black and whitelist. On the blacklist also are all AWS related endpoints and these cannot be queried through the proxy. Therefore the environment var no_proxy contains these, e.g. ...,169.254.169.254,169.254.170.2,...

When cdk --ec2creds -v deploy now is executed it shows it correctly found the proxy var but makes no mention of the no_proxy. I also was not able to find this string anywhere in the codebase.

Reproduction Steps

Quite a bit hard to fully reproduce. Set up an HTTP proxy which blocks 169.254.169.254 169.254.170.2 etc

Set http_proxy, https_proxy and no_proxy vars as described above on an EC2 instance.

Then run any cdk command with --ec2creds.

Error Log

Using proxy server: http://my.company.proxy:8080

...

Setting "CDK_DEFAULT_REGION" environment variable to eu-central-1
Resolving default credentials
Looking up default account ID from STS
Unable to determine the default AWS account (did you configure "aws configure"?): 403: Forbidden
    at Request.extractError (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/protocol/query.js:50:29)
    at Request.callListeners (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:683:14)
    at Request.transition (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:685:12)
    at Request.callListeners (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/sequential_executor.js:116:18) {
  message: 'Forbidden',
  code: 403,
  time: 2020-04-01T15:31:39.434Z,
  requestId: undefined,
  statusCode: 403,
  retryable: false,
  retryDelay: 96.63323741736052
}

...

Cannot retrieve value from context provider vpc-provider since account/region are not specified at the stack level. Either configure "env" with explicit account and region when you define your stack, or use the environment variables "CDK_DEFAULT_ACCOUNT" and "CDK_DEFAULT_REGION" to inherit environment information from the CLI (not recommended for production stacks)

Environment

  • CLI Version : 1.31.0
  • Framework Version: 1.31.0
  • OS : Amazon Linux 2
  • Language : Typescript
$ cdk doctor
ℹ️ CDK Version: 1.31.0 (build 8f3ac79)
ℹ️ AWS environment variables:
  - AWS_DEFAULT_REGION = eu-central-1
ℹ️ No CDK environment variables

Other

No problem to run aws sts get-caller-identity


This is 🐛 Bug Report

@udondan udondan added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Apr 1, 2020
@SomayaB SomayaB added the @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud label Apr 3, 2020
@rix0rrr rix0rrr added package/tools Related to AWS CDK Tools or CLI effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. and removed @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud bug This issue is a bug. labels Apr 6, 2020
@SomayaB SomayaB removed the needs-triage This issue or PR still needs to be triaged. label May 19, 2020
@rix0rrr rix0rrr added the p2 label Aug 12, 2020
@rix0rrr rix0rrr added p1 and removed p2 labels Feb 10, 2021
@riskersen

We are also experiencing this issue. Any update on this?

@udondan
Contributor Author

udondan commented Mar 30, 2021

@riskersen I just unset all proxy env vars before running cdk. Since the cdk shouldn't speak to anything unrelated to aws, this has no side effects for me.

@jia2

jia2 commented Sep 29, 2021

We are experiencing the same issue and appreciate that it could be fixed soon.

RomainMuller added a commit that referenced this issue Oct 1, 2021
CDK was extracting the value of `HTTPS?_PROXY` and passing this to
`proxy-agent` explicitly, which resulted in not honoring the `NO_PROXY`
setting.

This removes that behavior and lets `proxy-agent` delegate to
`proxy-from-env`, which will leverage values in `HTTPS?_PROXY` and
NO_PROXY correctly.

Fixes #7121
RomainMuller pushed a commit that referenced this issue Oct 1, 2021
@github-actions

github-actions bot commented Oct 1, 2021

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@RomainMuller RomainMuller reopened this Oct 4, 2021
@RomainMuller
Contributor

The fix has been rolled back due to causing issues in some other place.

@mergify mergify bot closed this as completed in #16840 Oct 7, 2021
mergify bot pushed a commit that referenced this issue Oct 7, 2021
## Summary

CDK was extracting the value of HTTPS?_PROXY and passing this to proxy-agent explicitly, which resulted in not honoring the NO_PROXY setting.

This removes that behavior and lets proxy-agent delegate to proxy-from-env, which will leverage values in HTTPS?_PROXY and NO_PROXY correctly.

Tested by deploying [this sample repo](https:/ryparker/aws-cdk-sample-eks) and monitoring Squid proxy logs while triggering the "onEvent" Lambda.

Fixes #7121
Related PRs: #16751, #16751

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
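
The difference the commit message above describes, as an added example (not code from CDK, `proxy-agent` or `proxy-from-env`): a proxy URL read once from the environment is applied to every request, while per-request resolution consults `no_proxy` first. The matching rules are a simplified model of the usual `no_proxy` conventions; the `.amazonaws.com` entry and the URL list are constructed sample values.

```javascript
// Added example: simplified model of NO_PROXY handling. Function names are
// hypothetical and this is not the proxy-from-env source.
const DEFAULT_PORTS = { 'http:': 80, 'https:': 443 };

// True when hostname:port is covered by a comma/space separated no_proxy list.
// "*" matches all, ".suffix" / "*.suffix" match by suffix, "host:port" pins a port.
function isExcluded(hostname, port, noProxy) {
  if (!noProxy) return false;
  if (noProxy.trim() === '*') return true;
  return noProxy.toLowerCase().split(/[,\s]+/).filter(Boolean).some((entry) => {
    const m = entry.match(/^(.+):(\d+)$/);
    const entryHost = m ? m[1] : entry;
    if (m && Number(m[2]) !== port) return false;
    if (/^[.*]/.test(entryHost)) {
      return hostname.endsWith(entryHost.replace(/^\*/, ''));
    }
    return hostname === entryHost;
  });
}

// "Before": the proxy URL is extracted once and used for every request,
// so no_proxy is never consulted.
function resolveExplicit(env, _url) {
  return env.https_proxy || env.http_proxy || null;
}

// "After": the proxy is resolved per request URL and no_proxy is honoured.
function resolvePerRequest(env, url) {
  const u = new URL(url);
  const port = Number(u.port) || DEFAULT_PORTS[u.protocol];
  if (isExcluded(u.hostname, port, env.no_proxy || '')) return null;
  return (u.protocol === 'https:' ? env.https_proxy : env.http_proxy) || null;
}

// Audit helper: which of these URLs would be sent to the proxy?
function proxiedUrls(resolve, env, urls) {
  return urls.filter((u) => resolve(env, u) !== null);
}

// Constructed sample environment modelled on the issue report.
const ENV = { http_proxy: 'http://my.company.proxy:8080', https_proxy: 'http://my.company.proxy:8080',
  no_proxy: '169.254.169.254,169.254.170.2,.amazonaws.com' };
const URLS = [
  'http://169.254.169.254/latest/meta-data/iam/security-credentials/',
  'https://sts.eu-central-1.amazonaws.com/',
  'https://registry.npmjs.org/',
];
```

Running `proxiedUrls` with both resolvers over the same list shows which destinations change route, which is the same thing the Squid log check in the commit message verifies from the proxy side.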

njlynch pushed a commit that referenced this issue Oct 11, 2021
njlynch pushed a commit that referenced this issue Oct 11, 2021
TikiTDO pushed a commit to TikiTDO/aws-cdk that referenced this issue Feb 21, 2022
TikiTDO pushed a commit to TikiTDO/aws-cdk that referenced this issue Feb 21, 2022