
Cannot run cdk deploy without setting AdministratorAccess policy


❓ General Issue

The Question

We are currently using aws cdk in our release pipeline (we are using the cdk deploy command inside an aws codebuild project) but I am struggling to find a way to deploy without giving administratorAccess to the policy attached to the codebuild project. It also would be useful for us to have a more fine grained policy to limit the change on stacks that are not supposed to change and so on…

I tried to attach this policy to give permissions on cloudformation changes but it seems that is not enough:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "cloudformation:*",
            "Resource": "*"
        }
    ]
}
```

This is the output of the cdk deploy command in this case:

```text
dev-MyStack
dev-MyStack: deploying...

 ❌  dev-MyStack failed: Forbidden: null
null
```

Environment

  • CDK CLI Version: 1.6.0
  • Module Version:
  • OS: aws codebuild ubuntu
  • Language: typescript

Other information

There is a related stackoverflow question open:

https://stackoverflow.com/questions/57118082/what-iam-permissions-are-needed-to-use-cdk-deploy

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Reactions: 4
  • Comments: 5 (4 by maintainers)

Top GitHub Comments

1 reaction
jokoso commented, Oct 24, 2019

I ran into this issue yesterday, wanting to follow least privilege on our CI server, and stumbled upon #4039. The profile used by our CI server needing access to the cdktoolkit-stagingbucket-* bucket on S3 seems to be what was causing the Forbidden: null error.

0 reactions
skinny85 commented, Mar 19, 2020

This is possible by using the `--role-arn` switch to `cdk deploy`.

I’m resolving this one, feel free to re-open if you have any more questions.
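The two comments above explain the two halves of the failure: the CI principal needs access to the bootstrap staging bucket (jokoso) and, once `--role-arn` hands the actual resource changes to a CloudFormation execution role, the principal only needs `iam:PassRole` on that role plus CloudFormation change-set permissions (skinny85). The following is an added example, not code from the issue or from the AWS CDK project: a small IAM policy evaluator that checks the `cloudformation:*` policy from the question and a scoped alternative against the calls a `cdk deploy --role-arn` of `dev-MyStack` makes. The account id, region, bucket suffix, object key and execution role name are constructed placeholders, and the modelled call list is a simplification of what the CLI does.

```python
"""Compare the cloudformation:* policy from the question with a scoped policy for
a CI principal that runs `cdk deploy --role-arn`. Added example; not part of the
issue or of the AWS CDK project. All identifiers below are constructed placeholders."""
import fnmatch

ACCOUNT = "111122223333"                                  # placeholder account id
REGION = "eu-west-1"                                      # placeholder region
STAGING_BUCKET = "cdktoolkit-stagingbucket-example1234"   # constructed; the real suffix is random
CFN_EXEC_ROLE = f"arn:aws:iam::{ACCOUNT}:role/cdk-cfn-exec-role"  # hypothetical role for --role-arn
STACK_ARN = f"arn:aws:cloudformation:{REGION}:{ACCOUNT}:stack"

# The statement the question tried, wrapped in a full policy document.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor1", "Effect": "Allow", "Action": "cloudformation:*", "Resource": "*"}
    ],
}

# Scoped alternative: change sets only on dev-* stacks, read access to the bootstrap
# stack, S3 only on the staging bucket, and PassRole only on the execution role.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ChangeSetsOnDevStacks",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateChangeSet", "cloudformation:DescribeChangeSet",
                "cloudformation:ExecuteChangeSet", "cloudformation:DeleteChangeSet",
                "cloudformation:DescribeStacks", "cloudformation:DescribeStackEvents",
                "cloudformation:GetTemplate",
            ],
            "Resource": f"{STACK_ARN}/dev-*/*",
        },
        {
            "Sid": "ReadBootstrapStack",
            "Effect": "Allow",
            "Action": "cloudformation:DescribeStacks",
            "Resource": f"{STACK_ARN}/CDKToolkit/*",
        },
        {
            "Sid": "StagingBucket",
            "Effect": "Allow",
            "Action": ["s3:GetBucketLocation", "s3:ListBucket", "s3:GetObject", "s3:PutObject"],
            "Resource": [f"arn:aws:s3:::{STAGING_BUCKET}", f"arn:aws:s3:::{STAGING_BUCKET}/*"],
        },
        {"Sid": "PassExecutionRole", "Effect": "Allow", "Action": "iam:PassRole", "Resource": CFN_EXEC_ROLE},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow
    grants. Actions match case-insensitively, resources case-sensitively; both honour
    the `*` wildcard. Conditions and principals are ignored."""
    allowed = False
    for stmt in policy["Statement"]:
        act_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
        res_ok = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if act_ok and res_ok:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def is_admin_like(policy):
    """True when some Allow statement grants every action on every resource."""
    return any(
        s["Effect"] == "Allow" and "*" in _as_list(s["Action"]) and "*" in _as_list(s["Resource"])
        for s in policy["Statement"]
    )


def deploy_calls(stack_name):
    """(action, resource) pairs modelled for `cdk deploy --role-arn` of one stack:
    read the bootstrap stack, upload to the staging bucket, drive a change set,
    and pass the execution role to CloudFormation. Constructed, not an exhaustive list."""
    return [
        ("cloudformation:DescribeStacks", f"{STACK_ARN}/CDKToolkit/*"),
        ("s3:PutObject", f"arn:aws:s3:::{STAGING_BUCKET}/assets/example-asset.zip"),
        ("cloudformation:CreateChangeSet", f"{STACK_ARN}/{stack_name}/*"),
        ("cloudformation:ExecuteChangeSet", f"{STACK_ARN}/{stack_name}/*"),
        ("iam:PassRole", CFN_EXEC_ROLE),
    ]


def missing_permissions(policy, stack_name):
    """Calls from deploy_calls() that `policy` does not allow; empty means the deploy can proceed."""
    return [(a, r) for a, r in deploy_calls(stack_name) if not is_allowed(policy, a, r)]


if __name__ == "__main__":
    for name, policy in (("question policy", QUESTION_POLICY), ("scoped policy", SCOPED_POLICY)):
        print(name, "admin-like:", is_admin_like(policy), "missing:", missing_permissions(policy, "dev-MyStack"))
```

With these definitions the question's policy is reported as missing `s3:PutObject` on the staging bucket and `iam:PassRole` on the execution role, which matches the `Forbidden: null` symptom, while the scoped policy covers every modelled call yet still refuses a change set on a `prod-*` stack. The matching CLI invocation is `cdk deploy --role-arn arn:aws:iam::111122223333:role/cdk-cfn-exec-role dev-MyStack`, with the execution role itself carrying only the permissions the stack's resources need.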
