CDK Bootstrap custom roles: Cross account KMS policy using custom role
General Issue
CDK Bootstrap custom roles
The Question
Hey CDK lovers,
I am setting up a multi-account/multi-region deployment. First of all, I need to bootstrap the environments from a template where all the roles created during my bootstrap are under the path "/bounded/". Once I bootstrap the environments I need to deploy them using my execution role created during the bootstrap with the path "/bounded/" added, like this:
arn:aws:iam::123456789:role/bounded/cdk-hnb659fds-cfn-exec-role-123456789-eu-west-1
And I am getting this error when deploying:
cdk deploy --role-arn arn:aws:iam::123456789:role/bounded/cdk-hnb659fds-cfn-exec-role-123456789-eu-west-1
current credentials could not be used to assume 'arn:aws:iam::123456789:role/cdk-hnb659fds-deploy-role-123456789-eu-west-1', but are for the right account. Proceeding anyway.
PipelineStack: deploying...
current credentials could not be used to assume 'arn:aws:iam::123456789:role/cdk-hnb659fds-deploy-role-123456789-eu-west-1', but are for the right account. Proceeding anyway.
[0%] start: Publishing 56e2426bf4d4a92be53727c5223486ee405145c593fb69a55ae871cd5d6f8e06:123456789-eu-west-1
current credentials could not be used to assume 'arn:aws:iam::123456789:role/cdk-hnb659fds-file-publishing-role-123456789-eu-west-1', but are for the right account. Proceeding anyway.
[100%] success: Published 56e2426bf4d4a92be53727c5223486ee405145c593fb69a55ae871cd5d6f8e06:123456789-eu-west-1
PipelineStack: creating CloudFormation changeset...
12:07:41 PM | CREATE_FAILED | AWS::KMS::Key | PipelineArtifactsB...ryptionKeyF5BF0670
Resource handler returned message: "An ARN in the specified key policy is invalid. (Service: Kms, Status Code: 400, Request ID: 5231f305-e13f-4eb9-96b3-d22220609d21, Extended Request ID: null)" (RequestToken: cb3b51b0-3476-c848-d39c-026fd2c026a2, HandlerErrorCode: InvalidRequest)
Looking at the change set, the KMS key policy statement is like:
{
  "Action": [
    "kms:Decrypt",
    "kms:DescribeKey"
  ],
  "Effect": "Allow",
  "Principal": {
    "AWS": {
      "Fn::Join": [
        "",
        [
          "arn:",
          {
            "Ref": "AWS::Partition"
          },
          ":iam::123456789:role/cdk-hnb659fds-deploy-role-123456789-eu-west-1"
        ]
      ]
    }
  },
  "Resource": "*"
},
where the role used in the principal is
:iam::123456789:role/cdk-hnb659fds-deploy-role-123456789-eu-west-1
and I was expecting to use
:iam::123456789:role/bounded/cdk-hnb659fds-deploy-role-123456789-eu-west-1
CDK CLI Version
1.125.0
Framework Version
No response
Node.js Version
No response
OS
MAC
Language
Python
Language Version
3.9.7
Other information
No response
Issue Analytics
- Created 2 years ago
- Reactions:1
- Comments:5 (2 by maintainers)
Top GitHub Comments
If you change the role names, you need to pass them into the StackSynthesizer: https://docs.aws.amazon.com/cdk/latest/guide/bootstrapping.html#bootstrapping-custom-synth
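The pointer above, worked through as an added example (this is not code from the issue or from the CDK project): a `DefaultStackSynthesizer` whose role ARNs carry the custom IAM path, plus a small check that scans a synthesized template for `cdk-*` role principals in KMS key policies that are missing that path, which is exactly the mismatch the key-policy fragment in the issue shows. It assumes the roles were bootstrapped under `/bounded/` with the default `hnb659fds` qualifier; the template used as input is constructed from the issue's fragment, with a made-up logical ID.

```python
"""Added example: point DefaultStackSynthesizer at bootstrap roles under a
custom IAM path, and check a synthesized template for cdk-* role principals
that lack that path.

Assumptions (not from the issue): roles bootstrapped under "/bounded/" with
the default qualifier; the sample template is constructed from the issue's
key-policy fragment, with a made-up logical ID."""
import re
from typing import Any, Dict, List, Tuple

ROLE_PATH = "/bounded/"
QUALIFIER = "hnb659fds"

# Placeholders (${AWS::...}, ${Qualifier}) are substituted by the synthesizer at synth time.
_PREFIX = "arn:${AWS::Partition}:iam::${AWS::AccountId}:role" + ROLE_PATH + "cdk-${Qualifier}-"
_SUFFIX = "-${AWS::AccountId}-${AWS::Region}"
BOUNDED_ROLE_ARNS = {
    "deploy_role_arn": _PREFIX + "deploy-role" + _SUFFIX,
    "cloud_formation_execution_role": _PREFIX + "cfn-exec-role" + _SUFFIX,
    "file_asset_publishing_role_arn": _PREFIX + "file-publishing-role" + _SUFFIX,
    "image_asset_publishing_role_arn": _PREFIX + "image-publishing-role" + _SUFFIX,
    "lookup_role_arn": _PREFIX + "lookup-role" + _SUFFIX,
}


def build_synthesizer():
    """DefaultStackSynthesizer for the /bounded/ roles (CDK v1 Python API).
    Imported lazily so the template check below also runs without CDK installed."""
    from aws_cdk import core
    return core.DefaultStackSynthesizer(qualifier=QUALIFIER, **BOUNDED_ROLE_ARNS)


# Captures the IAM path between ":role" and the "cdk-<qualifier>-" name prefix ("/" when absent).
CDK_ROLE_RE = re.compile(r":iam::\d+:role(/(?:[^/]+/)*)cdk-[a-z0-9]+-")


def resolve(value: Any) -> str:
    """Flatten Fn::Join and Ref AWS::Partition into a plain string."""
    if isinstance(value, str):
        return value
    if isinstance(value, dict):
        if "Fn::Join" in value:
            delimiter, parts = value["Fn::Join"]
            return delimiter.join(resolve(p) for p in parts)
        if value.get("Ref") == "AWS::Partition":
            return "aws"
    return str(value)  # other intrinsics are left unresolved


def principal_arns(statement: Dict[str, Any]) -> List[str]:
    """All AWS principals of one policy statement, resolved to strings."""
    principal = statement.get("Principal")
    if not isinstance(principal, dict) or "AWS" not in principal:
        return []
    aws = principal["AWS"]
    return [resolve(a) for a in (aws if isinstance(aws, list) else [aws])]


def find_unbounded_principals(template: Dict[str, Any],
                              role_path: str = ROLE_PATH) -> List[Tuple[str, str]]:
    """(logical id, arn) for every cdk-* role principal in a KMS key policy
    whose IAM path differs from role_path. Empty list means the template is consistent."""
    findings: List[Tuple[str, str]] = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::KMS::Key":
            continue
        statements = res.get("Properties", {}).get("KeyPolicy", {}).get("Statement", [])
        for stmt in statements:
            for arn in principal_arns(stmt):
                match = CDK_ROLE_RE.search(arn)
                if match and match.group(1) != role_path:
                    findings.append((name, arn))
    return findings


def sample_template(path: str) -> Dict[str, Any]:
    """Constructed cdk.out template carrying the key-policy statement from the issue."""
    role = ":iam::123456789:role" + path + "cdk-hnb659fds-deploy-role-123456789-eu-west-1"
    return {"Resources": {"ArtifactsKey": {  # logical ID is made up
        "Type": "AWS::KMS::Key",
        "Properties": {"KeyPolicy": {"Statement": [{
            "Action": ["kms:Decrypt", "kms:DescribeKey"],
            "Effect": "Allow",
            "Principal": {"AWS": {"Fn::Join": ["", ["arn:", {"Ref": "AWS::Partition"}, role]]}},
            "Resource": "*",
        }]}},
    }}}


if __name__ == "__main__":
    # Default synthesizer output (no path) is flagged; the /bounded/ variant is clean.
    print(find_unbounded_principals(sample_template("/")))
    print(find_unbounded_principals(sample_template(ROLE_PATH)))
```

Pass `synthesizer=build_synthesizer()` when constructing the stack; after `cdk synth`, load the template JSON from `cdk.out` and run `find_unbounded_principals` on it before deploying, so a role-path mismatch surfaces as a failed check rather than as the `CREATE_FAILED` on the KMS key seen in the issue.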
⚠️COMMENT VISIBILITY WARNING⚠️
Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.