[CLI] cdk deploy doesn't work after force upgrading to the new bootstrap version
I upgraded to cdk 1.61 and got asked to upgrade my bootstrap version from 3 to 4, which at first failed as described here https://github.com/aws/aws-cdk/issues/10016, only I didn't wait for the fix and force upgraded.
If I run cdk diff I get the following output (without the changes I made, only the ones relating to the bootstrap):
Stack wm
IAM Statement Changes
┌───┬──────────────────────────────────────────┬────────┬─────────────────┬────────────────────────────────────────────┬───────────┐
│   │ Resource                                 │ Effect │ Action          │ Principal                                  │ Condition │
├───┼──────────────────────────────────────────┼────────┼─────────────────┼────────────────────────────────────────────┼───────────┤
│ - │ {"Fn::ImportValue":"CdkBootstrap-hnb659f │ Allow  │ kms:Decrypt     │ AWS:${Custom::CDKBucketDeployment8693BB649 │           │
│   │ ds-FileAssetKeyArn"}                     │        │ kms:DescribeKey │ 68944B69AAFB0CC9EB8756C/ServiceRole}       │           │
└───┴──────────────────────────────────────────┴────────┴─────────────────┴────────────────────────────────────────────┴───────────┘
(NOTE: There may be security-related changes not in this list. See https://github.com/aws/aws-cdk/issues/1299)
Parameters
[+] Parameter BootstrapVersion BootstrapVersion: {"Type":"AWS::SSM::Parameter::Value<String>","Default":"/cdk-bootstrap/hnb659fds/version","Description":"Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store."}
Resources
[~] AWS::IAM::Policy Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/DefaultPolicy CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -35,16 +35,6 @@
[ ] },
[ ] {
[ ] "Action": [
[-] "kms:Decrypt",
[-] "kms:DescribeKey"
[-] ],
[-] "Effect": "Allow",
[-] "Resource": {
[-] "Fn::ImportValue": "CdkBootstrap-hnb659fds-FileAssetKeyArn"
[-] }
[-] },
[-] {
[-] "Action": [
[ ] "s3:GetObject*",
[ ] "s3:GetBucket*",
[ ] "s3:List*",
[~] AWS::Lambda::Function LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8a LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aFD4BFC8A
 └─ [~] Metadata
     ├─ [-] Removed: .aws:asset:path
     └─ [-] Removed: .aws:asset:property
Other Changes
[+] Unknown Rules: {"CheckBootstrapVersion":{"Assertions":[{"Assert":{"Fn::Not":[{"Fn::Contains":[["1","2","3"],{"Ref":"BootstrapVersion"}]}]},"AssertDescription":"CDK bootstrap stack version 4 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."}]}}
when I run cdk deploy I get the following error message:
❌ wm failed: Error [ValidationError]: AccessDenied. User doesn't have permission to call ssm:GetParameters
at Request.extractError (/usr/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/protocol/query.js:50:29)
at Request.callListeners (/usr/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
at Request.emit (/usr/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
at Request.emit (/usr/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:688:14)
at Request.transition (/usr/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/usr/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /usr/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/usr/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/usr/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:690:12)
at Request.callListeners (/usr/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/sequential_executor.js:116:18) {
code: 'ValidationError',
time: 2020-08-28T15:20:02.851Z,
requestId: '629a101e-a63a-43c7-8f45-dc70bbeba284',
statusCode: 400,
retryable: false,
retryDelay: 743.7164270441746
}
AccessDenied. User doesn't have permission to call ssm:GetParameters
Environment
- **CLI Version:** 1.16.1
- **Framework Version:** 1.16.1
- **Node.js Version:** v12.18.3
- **OS:** ubuntu 20.4
- **Language (Version):** ts
This is 🐛 Bug Report
Issue Analytics
- State:
- Created 3 years ago
- Reactions:2
- Comments:5 (2 by maintainers)
You might want to try running bootstrap again (without the force and with cloudformation-execution-policies created)
Your CdkToolkit (or whatever you named your bootstrap stack) should have a resource called CloudFormationExecutionRole - can you check the AdministratorAccess policy is attached to it? I'm guessing it's empty. We should probably add validation here to prevent users from getting into this scenario.
You can run bootstrap again to get that updated
Your cdk deploy should work after that. Let me know how it goes!
My CloudFormationExecutionRole did indeed not have any policy attached to it. Running
cdk bootstrap --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess
fixed it. Thanks for your help.
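An added example, not part of the original thread or of the CDK code base: an offline pre-flight check for the state diagnosed above, where the template gains the SSM-backed BootstrapVersion parameter while the role CloudFormation deploys with has no policy attached. The function names and the simplified policy matching are assumptions of this example, and the template fragment and policy documents are constructed samples.

```python
import fnmatch

# Constructed sample: the parameter that `cdk diff` shows being added above.
TEMPLATE = {"Parameters": {"BootstrapVersion": {
    "Type": "AWS::SSM::Parameter::Value<String>",
    "Default": "/cdk-bootstrap/hnb659fds/version"}}}

# Constructed samples of the execution role's policy documents.
NO_POLICIES = []  # role bootstrapped without --cloudformation-execution-policies
ADMIN_ACCESS = [{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}]


def as_list(value):
    """IAM and CloudFormation JSON allow a single item where a list is expected."""
    return value if isinstance(value, list) else [value]


def ssm_backed_parameters(template):
    """Map each parameter CloudFormation must read from SSM to its SSM path."""
    return {name: spec.get("Default")
            for name, spec in template.get("Parameters", {}).items()
            if spec.get("Type", "").startswith("AWS::SSM::Parameter::Value<")}


def allows(policy_documents, action):
    """Simplified check (assumption): true if any Allow statement has a matching
    Action pattern. Deny, NotAction, Resource and Condition are ignored."""
    for doc in policy_documents:
        for stmt in as_list(doc.get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            patterns = as_list(stmt.get("Action", []))
            if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
                return True
    return False


def preflight(template, policy_documents):
    """Return one finding per SSM-backed parameter the role cannot resolve."""
    if allows(policy_documents, "ssm:GetParameters"):
        return []
    return [f"{name}: role cannot call ssm:GetParameters for {path}"
            for name, path in ssm_backed_parameters(template).items()]


if __name__ == "__main__":
    print(preflight(TEMPLATE, NO_POLICIES))
    print(preflight(TEMPLATE, ADMIN_ACCESS))
```

In real use the policy documents would come from the role's attached and inline policies as returned by IAM; a full evaluation would also have to account for explicit Deny statements and resource scoping.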