
CDK Bootstrap custom roles: Cross account KMS policy using custom role


General Issue

CDK Bootstrap custom roles

The Question

Hey CDK lovers,

I am setting up a multi-account/multi-region deployment. First of all, I need to bootstrap the environments from a template where all the roles created during my bootstrap are under the path "/bounded/". Once I bootstrap the environments I need to deploy them using my execution role created during the bootstrap with the path "/bounded/" added, like this:


And I am getting this error when deploying:

cdk deploy --role-arn arn:aws:iam::123456789:role/bounded/cdk-hnb659fds-cfn-exec-role-123456789-eu-west-1
current credentials could not be used to assume 'arn:aws:iam::123456789:role/cdk-hnb659fds-deploy-role-123456789-eu-west-1', but are for the right account. Proceeding anyway.
PipelineStack: deploying...
current credentials could not be used to assume 'arn:aws:iam::123456789:role/cdk-hnb659fds-deploy-role-123456789-eu-west-1', but are for the right account. Proceeding anyway.
[0%] start: Publishing 56e2426bf4d4a92be53727c5223486ee405145c593fb69a55ae871cd5d6f8e06:123456789-eu-west-1
current credentials could not be used to assume 'arn:aws:iam::123456789:role/cdk-hnb659fds-file-publishing-role-123456789-eu-west-1', but are for the right account. Proceeding anyway.
[100%] success: Published 56e2426bf4d4a92be53727c5223486ee405145c593fb69a55ae871cd5d6f8e06:123456789-eu-west-1
PipelineStack: creating CloudFormation changeset...
12:07:41 PM | CREATE_FAILED        | AWS::KMS::Key               | PipelineArtifactsB...ryptionKeyF5BF0670
Resource handler returned message: "An ARN in the specified key policy is invalid. (Service: Kms, Status Code: 400, Request ID: 5231f305-e13f-4eb9-96b3-d22220609d21, Extended Request ID: null)" (RequestToken: cb3b51b0-3476-c848-d39c-026fd2c026a2, HandlerErrorCode: Inva

Looking at the change set for the KMS key, it looks like:

          "Action": [
          "Effect": "Allow",
          "Principal": {
            "AWS": {
              "Fn::Join": [
                    "Ref": "AWS::Partition"
          "Resource": "*"

where the Role used on the principal is

:iam::123456789:role/cdk-hnb659fds-deploy-role-123456789-eu-west-1 and I was expecting to use :iam::123456789:role/bounded/cdk-hnb659fds-deploy-role-123456789-eu-west-1

CDK CLI Version


Framework Version

No response

Node.js Version

No response





Language Version


Other information

No response

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Reactions: 1
  • Comments: 5 (2 by maintainers)

Top GitHub Comments

rix0rrr commented, Nov 23, 2021

If you change the role names, you need to pass them into the StackSynthesizer:
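An added example (not code from the issue or from the CDK project) of what that means in practice, written in Python: the role ARN templates a DefaultStackSynthesizer needs when the bootstrap roles live under a custom IAM path, plus a pre-deploy check that walks a synthesized key policy and reports any cdk-* role principal still on the default path, which is exactly the ARN KMS rejects as invalid in the issue. The keyword names, the pseudo-parameter values and the sample policy are constructed for this example.

```python
"""Added example (not from the issue or the CDK project): synthesizer role ARNs for a
custom IAM path, plus a check of a synthesized key policy for roles on the default path."""

# Pseudo-parameter values, constructed from the account and region in the issue.
PSEUDO = {"AWS::Partition": "aws", "AWS::AccountId": "123456789", "AWS::Region": "eu-west-1"}

def bounded_synthesizer_props(role_path, qualifier="hnb659fds"):
    """Keyword arguments for DefaultStackSynthesizer so templates reference roles under role_path."""
    base = "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/" + role_path + "/cdk-${Qualifier}-"
    tail = "-${AWS::AccountId}-${AWS::Region}"
    return {"qualifier": qualifier,
            "deploy_role_arn": base + "deploy-role" + tail,
            "cloud_formation_execution_role": base + "cfn-exec-role" + tail,
            "file_asset_publishing_role_arn": base + "file-publishing-role" + tail,
            "image_asset_publishing_role_arn": base + "image-publishing-role" + tail,
            "lookup_role_arn": base + "lookup-role" + tail}

def resolve(node):
    """Resolve the intrinsics a key policy uses in principal ARNs: pseudo-parameter Ref and Fn::Join."""
    if isinstance(node, dict):
        if "Ref" in node:
            return PSEUDO.get(node["Ref"], node["Ref"])
        if "Fn::Join" in node:
            sep, parts = node["Fn::Join"]
            return sep.join(resolve(p) for p in parts)
        return {k: resolve(v) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(x) for x in node]
    return node

def misplaced_cdk_roles(key_policy, role_path):
    """Principal ARNs of bootstrap (cdk-*) roles not under role_path; non-empty means KMS rejects the policy."""
    bad = []
    for stmt in resolve(key_policy)["Statement"]:
        aws = stmt.get("Principal", {}).get("AWS", [])
        for arn in (aws if isinstance(aws, list) else [aws]):
            path, _, name = arn.partition(":role/")[2].rpartition("/")
            if name.startswith("cdk-") and path != role_path:
                bad.append(arn)
    return bad

def cdk_role_principal(role_path, name):
    """Principal shaped like the one in the issue's change set (constructed sample)."""
    path = role_path + "/" if role_path else ""
    return {"Fn::Join": ["", ["arn:", {"Ref": "AWS::Partition"}, ":iam::123456789:role/" + path + name]]}

# Constructed key policy carrying the default-path deploy role that failed in the issue.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Action": ["kms:Encrypt", "kms:Decrypt"], "Effect": "Allow", "Resource": "*",
     "Principal": {"AWS": cdk_role_principal("", "cdk-hnb659fds-deploy-role-123456789-eu-west-1")}}]}
```

Running misplaced_cdk_roles over the templates in cdk.out before cdk deploy turns the runtime CREATE_FAILED into a synth-time finding; an empty result means every bootstrap role principal already carries the expected path.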

github-actions[bot] commented, Nov 23, 2021


Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.
