cli: `cdk bootstrap` using temporary credentials (session) fails to create resources in CloudFormation stack

[nick96]

Describe the bug

The CloudFormation stack created via cdk bootstrap fails to create any resources when run using temporary credentials via was-vault. It fails with the error:

The security token included in the request is invalid

Regression Issue

• Select this option if this issue appears to be a regression.

Last Known Working CDK Library Version

No response

Expected Behavior

Bootstrap successfully runs using the temporary credentials.

Current Behavior

Bootstrap creates the CloudFormation stack but fails to create the resources. It then fails to rollback due to the same permissions error.

Reproduction Steps

1. Init a new project with cdk init app --language typescript
2. Update stack to set the right account ID and region
3. Run was-vault exec <profile> -- npx cdk bootstrap

Possible Solution

No response

Additional Information/Context

I was trying to bootstrap my account using the cdk bootstrap command using aws-vault for authentication. This creates a session which is passed through to the subprocess via the environment variables:

• AWS_ACCESS_KEY_ID
• AWS_SECRET_ACCESS_KEY
• AWS_SESSION_TOKEN

When I ran the bootstrap just using my long lived access key (via the --no-session flag on was-vault), the CloudFormation stack was able to successfully create all the resources.

AWS CDK Library version (aws-cdk-lib)

2.206.0

AWS CDK CLI version

2.1023.0 (build 45ceb89)

Node.js Version

v24.4.1

OS

MacOS

Language

TypeScript

Language Version

No response

Other information

No response

[pahud]

Hi @nick96,

Thank you for reporting this issue with cdk bootstrap failing when using temporary credentials from aws-vault.

Analysis

1. CDK Bootstrap and Temporary Credentials: CDK bootstrap should work with temporary credentials, but it requires credentials that remain valid for the duration of the bootstrap process. Bootstrap involves multiple SDK operations including CloudFormation stack creation, S3 bucket setup, and IAM role creation, which can take several minutes to complete.

2. aws-vault Compatibility: aws-vault is a third-party credential management tool that is not maintained by AWS. We don't recommend using it specifically for CDK bootstrap operations due to potential compatibility issues like the one you've encountered.

Root Cause

The issue occurs because aws-vault generates temporary credentials with relatively short expiration times (typically 1 hour by default), and the bootstrap process requires credentials to remain valid throughout the entire operation. When CloudFormation attempts to create resources, the temporary credentials may have expired.

Recommended Solutions

1. Use AWS-Native Credential Sources (Recommended)

For CDK bootstrap operations, use AWS-supported credential methods:

# AWS CLI profiles with role assumption
cdk bootstrap --profile myprofile

# AWS SSO
aws sso login --profile myprofile
cdk bootstrap --profile myprofile

# Direct IAM user credentials
export AWS_ACCESS_KEY_ID=...
export AWS_SECRET_ACCESS_KEY=...
cdk bootstrap

2. aws-vault Workaround

If you prefer to continue using aws-vault, your workaround is correct:

aws-vault exec <profile> --no-session -- npx cdk bootstrap

This uses your underlying long-lived credentials directly, bypassing the temporary credential generation.

Summary

While CDK should work with temporary credentials, bootstrap operations require credentials with sufficient duration. For the most reliable experience, we recommend using AWS-native credential management for CDK bootstrap operations.

[nick96]

Thanks @pahud. This was failing within minutes, likely less than 1 minute. I'll check my config but I don't think I've changed aws-vault to use a shorter timeout.

[related-issues-bot-for-aws]

Hi @nick96,

Thanks for opening this issue! After reviewing the details, we found some other discussions that may be closely related:

Related Issues

• (CDK Bootstrap): AWS Configure authentication issue with aws configure credentials and session token #15402: Both issues involve problems with session-based temporary credentials during CDK bootstrap. While the current issue specifically deals with aws-vault generated temporary credentials failing with an "invalid security token" error during resource creation, (CDK Bootstrap): AWS Configure authentication issue with aws configure credentials and session token #15402 involved credential format handling issues. Both demonstrate different failure modes when using session tokens with CDK bootstrap rather than long-lived credentials.

• Running "cdk synth" can fail due to expired security credentials #7849: Both issues involve CDK CLI operations failing with temporary security credentials. The current issue shows bootstrap failing with "invalid security token" errors when using aws-vault credentials, while Running "cdk synth" can fail due to expired security credentials #7849 involved synth failing due to expired credentials. They share similar error patterns related to temporary credential validation failures, though in different CDK commands.

This message was generated automatically to help connect related conversations and improve discoverability

Please react with 👍 or 👎 to let us know if this response was helpful!

Thank you for helping improve CDK! 🙌