Shortcut for AWS CDK credentials: insanely simple setup for SSO, SAML, and named profiles


We all love CDK! Don’t we all? Since its introduction, we’ve finally got a TypeScript tool to write IaC on AWS precisely and in a structured way for serverless applications.

But there is a critical point that isn’t as agile as it could be: local credentials management.

There is no simple way to re-use the same template in different environments without writing complex scripts and making extensive use of environment variables.

Another point is that you’re usually bound to long-term credentials most of the time, and that is a potential security threat.

Finally, according to the documentation, CDK only partially supports Single Sign-on credentials. See this issue.

Not only for SSO: at present there are still some open issues that could potentially be addressed using Leapp.

For example, this issue requests MFA caching. Currently, CDK prompts the user for an MFA code every time a request is issued. Leapp can avoid this because it correctly caches credentials until the session token expires.

Moreover, inconsistency issues like this one are easily avoided, as Leapp manages the credentials file for you.

But fear not! This article will show you how to improve your CDK templates by making smart use of our open-source tool.

You’ll see that it’s possible to automate credentials generation outside the template, keeping it drier and simpler, to use SSO, and to have multiple credential sets active simultaneously. Using named profiles reduces the chance of deploying to the wrong environment to zero.

We have prepared a simple test case that you can follow along to understand what the possibilities are and what you can do in your own project. Let’s begin!

It all starts with a simple example

To better understand what advantages our tool can offer a developer, we want to show you snippets of CDK code and terminal commands without and with Leapp.

Our example consists of a CDK template to deploy the same S3 bucket in two different accounts. Even if very trivial, its purpose is to demonstrate how you can simplify your code by introducing Leapp into your developer routine.


When using CDK you first have to bootstrap the AWS environments that you want to deploy your infrastructure in, if you haven’t already. Without Leapp, you would typically use this cdk bootstrap command, as recommended by the official AWS documentation:

cdk bootstrap aws://ACCOUNT-NUMBER-1/REGION-1 aws://ACCOUNT-NUMBER-2/REGION-2

In this example, we bootstrapped both accounts you’ll need in a single command. The workflow is error-prone, not safe, and can become very hard to manage if you need to bootstrap several of them.

With Leapp, you need some sessions already set up (don’t know how? Check it here!). Go to the desktop app, select your session and double-click on it.

You can also change the region and named profile for that session. Left-click on it and select Change → Region/Named Profile.

Now you can type cdk bootstrap and CDK will automatically bootstrap the session with the default named profile in the region that you selected. When bootstrapping multiple accounts, or if you’re not using the default named profile, add the flag: cdk bootstrap --profile NAMED_PROFILE

If you don’t want to leave your terminal, you can use the newly released Leapp CLI!

Use the command leapp session start to select which session to start, change its region and named profile if you need to with leapp session change-region and leapp session change-profile, and then you’re set!


Synth and Deploy

First things first! For our example to deploy properly, when you instantiate your CDK stack, make sure to set env in your props to the following value:

    account: process.env.CDK_DEFAULT_ACCOUNT,
    region: process.env.CDK_DEFAULT_REGION


In a default CDK project created using cdk init, you can find this file inside the bin folder, and it is also referenced in the cdk.json file.

Once everything is ready and the accounts are properly bootstrapped, start your sessions in Leapp as you did for the bootstrap step. Remember to change region and named profile accordingly. If you want to reduce the possibility of error to a minimum, you can do this programmatically in a script using custom flags. Check the Bonus section!

cdk deploy will deploy in the default named profile session you set in Leapp.

cdk deploy --profile NAMED_PROFILE will deploy in a different named profile instead.

Use Single Sign-on with CDK

As we said before, CDK only partially supports credentials generated by AWS Single Sign-on, BUT with Leapp it’s possible to overcome this limitation. And without changing anything in your scripts either!

You have to create an integration in Leapp, like you would for an AWS session. See the video below:


By doing so, you’ll retrieve all your Organization accounts and roles; now you just have to start one of your SSO sessions and Leapp will create short-lived credentials fully compatible with CDK!

Boom! Now you’re using SSO with CDK without hassle!

Credential Process

All the examples shown until now are based on short-lived credentials, which is great, but even if temporary, you’re still leaving an open door to potential attackers: credentials in the AWS files are still in plain text and therefore exploitable.

To overcome this issue AWS also offers the ability to generate credentials on the fly, right before issuing an SDK or CLI command. This feature is called credential process!

[profile default]
credential_process = leapp session generate SESSIONID

Leapp writes this command into the AWS config file for you, filling in the correct session ID, so that its CLI generates the credentials instead of AWS storing them.

By doing this, every time CDK needs to access one or more SDK commands, Leapp will automatically issue valid credentials, without writing anything to your files!

And of course, it works with named profiles too!
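As an added example (not Leapp’s code or part of the original article), here is a small Python audit that reads the contents of ~/.aws/config and ~/.aws/credentials and reports which profiles still hold plaintext keys and which rely on credential_process; the file contents and the session ID below are constructed placeholders.

```python
import configparser

# Constructed sample contents of ~/.aws/config and ~/.aws/credentials (not from a real machine).
SAMPLE_CONFIG = """
[default]
region = eu-west-1
credential_process = leapp session generate SESSION-ID-PLACEHOLDER

[profile legacy-admin]
region = eu-west-1
"""

SAMPLE_CREDENTIALS = """
[legacy-admin]
aws_access_key_id = AKIAEXAMPLEEXAMPLE00
aws_secret_access_key = EXAMPLESECRETEXAMPLESECRETEXAMPLESECRET0

[temp-session]
aws_access_key_id = ASIAEXAMPLEEXAMPLE00
aws_secret_access_key = EXAMPLESECRETEXAMPLESECRETEXAMPLESECRET0
aws_session_token = EXAMPLETOKEN
"""

def _profile_name(section: str) -> str:
    # ~/.aws/config prefixes non-default sections with "profile "; ~/.aws/credentials does not.
    return section[len("profile "):] if section.startswith("profile ") else section

def classify_profiles(config_text: str, credentials_text: str) -> dict:
    """Return {profile: kind}, kind in {credential_process, short-lived, long-lived, no-credentials}."""
    merged: dict = {}
    for text in (config_text, credentials_text):
        parser = configparser.ConfigParser(interpolation=None)
        parser.read_string(text)
        for section in parser.sections():
            merged.setdefault(_profile_name(section), {}).update(parser[section])
    result = {}
    for name, keys in merged.items():
        if "credential_process" in keys:
            result[name] = "credential_process"  # nothing secret is stored on disk
        elif "aws_session_token" in keys:
            result[name] = "short-lived"         # plaintext, but expires with the session
        elif "aws_access_key_id" in keys:
            result[name] = "long-lived"          # plaintext and permanent: the case to eliminate
        else:
            result[name] = "no-credentials"
    return result

def plaintext_profiles(config_text: str, credentials_text: str) -> list:
    """Profiles whose secrets sit in plain text, i.e. the ones a credential_process setup removes."""
    kinds = classify_profiles(config_text, credentials_text)
    return sorted(n for n, k in kinds.items() if k in ("short-lived", "long-lived"))

if __name__ == "__main__":
    for name, kind in classify_profiles(SAMPLE_CONFIG, SAMPLE_CREDENTIALS).items():
        print(f"{name:15} {kind}")
```

Point the two functions at the real files (open(...).read()) to check that no long-lived profile is left after switching to credential_process.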

Bonus: How to use Leapp CLI to automate CDK deploy

Leapp comes with a CLI, which allows you to automate, via flags, all the actions you can do with the Desktop App.

In this simple snippet we want to show you how to create a named profile, associate it with a new AWS IAM User session, start that session and deploy your infrastructure, having set a profile name beforehand.

# Set the profile name beforehand; the && chain stops at the first failing step.
PROFILE_NAME=MY-PROFILE-NAME \
&& leapp profile create --profileName $PROFILE_NAME \
&& PROFILE_ID=$(leapp profile list -x | grep $PROFILE_NAME | awk '{print $1}') \
&& leapp session add \
    --providerType aws \
    --sessionType awsIamUser \
    --profileId $PROFILE_ID \
    --sessionName MY-SESSION-NAME \
    --region eu-west-1 \
    --accessKey ACCESSKEY \
    --secretKey SECRETKEY \
&& SESSION_ID=$(leapp session list -x | grep 'MY-SESSION-NAME' | awk '{print $1}') \
&& leapp session start --sessionId $SESSION_ID \
&& cdk deploy --profile $PROFILE_NAME

To conclude

In this article, we’ve seen how you can improve the security of your CDK templates by leveraging Leapp as your credential management system.

By using Leapp, you don’t need to write any long- or short-lived credentials in your credentials (or config) file or in environment variables. And by using the credential process feature you don’t need stored credentials at all!

We have shown how CDK supports named profiles, a feature also managed by Leapp, so you can keep all your credentials active simultaneously, reducing the context switch between your IDE and Leapp.

We have showcased some scripts that let you integrate your CDK work routine with the Leapp CLI to simplify your daily operations even further.

Thanks to Leapp generating temporary credentials from AWS SSO sessions, we have seen that you’re also indirectly enabling Single Sign-on.

We hope that these small improvements will make your day-to-day work easier. So, what are you planning on doing with CDK? Do you have any suggestions on how we can improve Leapp? Come say “hello” in our community!

Until next time, goodbye and stay safe 😷

Noovolari team.
