Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
CDK Bootstrap custom roles: Cross account KMS policy using custom role
See original GitHub issueGeneral Issue
CDK Bootstrap custom roles
The Question
Hey CDK lovers,
I am setting up a multi-account/multi-region deployment. First of all, I need to bootstrap the environments from a template where all the roles created during my bootstrap is under the path “/bounded/“. Once I bootstrap the environments I need to deploy them using my execution role created during the boostrap with the path “/bounded/” added, like this:
arn:aws:iam::123456789:role/bounded/cdk-hnb659fds-cfn-exec-role-123456789-eu-west-1
And I am getting this error when deploy:
cdk deploy --role-arn arn:aws:iam::123456789:role/bounded/cdk-hnb659fds-cfn-exec-role-123456789-eu-west-1
current credentials could not be used to assume 'arn:aws:iam::123456789:role/cdk-hnb659fds-deploy-role-123456789-eu-west-1', but are for the right account. Proceeding anyway.
PipelineStack: deploying...
current credentials could not be used to assume 'arn:aws:iam::123456789:role/cdk-hnb659fds-deploy-role-123456789-eu-west-1', but are for the right account. Proceeding anyway.
[0%] start: Publishing 56e2426bf4d4a92be53727c5223486ee405145c593fb69a55ae871cd5d6f8e06:123456789-eu-west-1
current credentials could not be used to assume 'arn:aws:iam::123456789:role/cdk-hnb659fds-file-publishing-role-123456789-eu-west-1', but are for the right account. Proceeding anyway.
[100%] success: Published 56e2426bf4d4a92be53727c5223486ee405145c593fb69a55ae871cd5d6f8e06:123456789-eu-west-1
PipelineStack: creating CloudFormation changeset...
12:07:41 PM | CREATE_FAILED | AWS::KMS::Key | PipelineArtifactsB...ryptionKeyF5BF0670
Resource handler returned message: "An ARN in the specified key policy is invalid. (Service: Kms, Status Code: 400, Request ID: 5231f305-e13f-4eb9-96b3-d22220609d21, Extended Request ID: null)" (RequestToken: cb3b51b0-3476-c848-d39c-026fd2c026a2, HandlerErrorCode: Inva
lidRequest)
Looking the change set for the KMS is like:
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey"
],
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::123456789:role/cdk-hnb659fds-deploy-role-123456789-eu-west-1"
]
]
}
},
"Resource": "*"
},
where the Role used on the principal is
:iam::123456789:role/cdk-hnb659fds-deploy-role-123456789-eu-west-1
and I was expecting to use
:iam::123456789:role/bounded/cdk-hnb659fds-deploy-role-123456789-eu-west-1
CDK CLI Version
1.125.0
Framework Version
No response
Node.js Version
No response
OS
MAC
Language
Python
Language Version
3.9.7
Other information
No response
Issue Analytics
- State:
- Created 2 years ago
- Reactions:1
- Comments:5 (2 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
If you change the role names, you need to pass them into the StackSynthesizer: https://docs.aws.amazon.com/cdk/latest/guide/bootstrapping.html#bootstrapping-custom-synth
⚠️COMMENT VISIBILITY WARNING⚠️
Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.