
(aws-eks): Unable to deploy EKS cluster in HongKong Region (ap-east-1), probably all regions not enabled by default  #15579

@XuejiaoZhang

Description


In AWS HongKong region (ap-east-1), creating an EKS cluster with cdk failed, with this error message:

Received response status [FAILED] from custom resource. Message returned: The security token included in the request is invalid

Logs: /aws/lambda/eks-demo-2-awscdkawseksClus-OnEventHandler42BEBAE0-9nhDwCQIt400
at Object.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/json.js:52:27)
...
at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)
...

Reproduction Steps

EKS stack

import iam = require('@aws-cdk/aws-iam');
import ec2 = require('@aws-cdk/aws-ec2');
import eks = require('@aws-cdk/aws-eks');
import cdk = require('@aws-cdk/core');

export class EksTsDemoStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Import an existing VPC in ap-east-1 by its attributes
    const vpc = ec2.Vpc.fromVpcAttributes(this, 'vpc', {
      vpcId: 'vpc-XXX',
      availabilityZones: ['ap-east-1a', 'ap-east-1b'],
      privateSubnetIds: [
         'subnet-XXX',
         'subnet-XXX'
      ],
      publicSubnetIds: [
         'subnet-XXX',
         'subnet-XXX'
      ]
    });

    // Control plane only; node capacity is added separately
    const eksCluster = new eks.Cluster(this, 'Cluster', {
      vpc: vpc,
      defaultCapacity: 0,
      version: eks.KubernetesVersion.V1_16,
    });
  }
}

Run

$ cdk synth
$ cdk deploy

What did you expect to happen?

EKS cluster to be successfully created.

What actually happened?

Failed to create resource EKS cluster

Environment

  • CDK CLI Version : 1.113.0
  • Framework Version:
  • Node.js Version: v13.10.1
  • OS : MacOS
  • Language (Version): TypeScript and Python

Other

Potential cause: the STS endpoint problem
Similar issue with the same potential cause (aws-eks): Unable to deploy cluster in regions that are not enabled by default

Workaround

Refer to (aws-eks): Unable to deploy cluster in regions that are not enabled by default
Apply an aspect that injects that environment variable to all lambda functions associated with the cluster:
TS code

import lambda = require('@aws-cdk/aws-lambda');

// Visit every construct in the cluster's stack and force each Lambda
// function (the EKS custom-resource handlers) to use the regional STS endpoint
cdk.Aspects.of(cdk.Stack.of(eksCluster)).add({
  visit: (node: cdk.IConstruct) => {
    if (node instanceof lambda.CfnFunction) {
      node.addPropertyOverride('Environment.Variables.AWS_STS_REGIONAL_ENDPOINTS', 'regional')
    }
  }
})

Python code

import jsii
from aws_cdk import core, aws_lambda

@jsii.implements(core.IAspect)
class LambdaSTSEndpoint:

  def visit(self, node):
    # Only touch Lambda functions (the EKS custom-resource handlers)
    if isinstance(node, aws_lambda.CfnFunction):
        node.add_property_override('Environment.Variables.AWS_STS_REGIONAL_ENDPOINTS', 'regional')

…
 
        core.Aspects.of(core.Stack.of(cluster)).add(LambdaSTSEndpoint())

This is 🐛 Bug Report
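A check for the workaround above, added here and not part of the original issue: it scans a synthesized CloudFormation template (a constructed sample, with logical IDs made up for illustration) for Lambda functions that still lack `AWS_STS_REGIONAL_ENDPOINTS=regional`, and can apply the same override the aspect applies.

```python
import json

STS_VAR = "AWS_STS_REGIONAL_ENDPOINTS"

# Constructed sample of what `cdk synth` emits for an EKS stack: two of the
# cluster's custom-resource handler functions, one already carrying the fix.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "OnEventHandler42BEBAE0": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Handler": "index.onEvent",
        "Runtime": "nodejs12.x",
        "Environment": {"Variables": {"FOO": "bar"}}
      }
    },
    "IsCompleteHandlerDEADBEEF": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Handler": "index.isComplete",
        "Runtime": "nodejs12.x",
        "Environment": {"Variables": {"AWS_STS_REGIONAL_ENDPOINTS": "regional"}}
      }
    },
    "ClusterRole": {"Type": "AWS::IAM::Role", "Properties": {}}
  }
}
""")


def lambda_functions(template):
    """Yield (logical_id, properties) for every AWS::Lambda::Function."""
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::Lambda::Function":
            yield logical_id, res.setdefault("Properties", {})


def functions_missing_regional_sts(template):
    """Logical IDs of functions that would still call the global STS endpoint."""
    missing = []
    for logical_id, props in lambda_functions(template):
        variables = props.get("Environment", {}).get("Variables", {})
        if variables.get(STS_VAR) != "regional":
            missing.append(logical_id)
    return missing


def inject_regional_sts(template):
    """Apply the aspect's property override to the template; returns what is still missing."""
    for _, props in lambda_functions(template):
        props.setdefault("Environment", {}).setdefault("Variables", {})[STS_VAR] = "regional"
    return functions_missing_regional_sts(template)
```

Run `functions_missing_regional_sts` over the output of `cdk synth` before deploying to confirm the aspect reached every handler.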

Labels: @aws-cdk/aws-eks, bug, effort/small, p2