
[CLI] cdk deploy doesn't work after force upgrading to the new bootstrap version

I upgraded to cdk 1.61 and got asked to upgrade my bootstrap version from 3 to 4, which at first failed as described here, only I didn’t wait for the fix and force upgraded.

If I run cdk diff I get the following output (without the changes I made, only the ones relating to the bootstrap):

Stack wm
IAM Statement Changes
│   │ Resource                                 │ Effect │ Action                                   │ Principal                                  │ Condition │
│ - │ {"Fn::ImportValue":"CdkBootstrap-hnb659f │ Allow  │ kms:Decrypt                              │ AWS:${Custom::CDKBucketDeployment8693BB649 │           │
│   │ ds-FileAssetKeyArn"}                     │        │ kms:DescribeKey                          │ 68944B69AAFB0CC9EB8756C/ServiceRole}       │           │
(NOTE: There may be security-related changes not in this list. See

[+] Parameter BootstrapVersion BootstrapVersion: {"Type":"AWS::SSM::Parameter::Value<String>","Default":"/cdk-bootstrap/hnb659fds/version","Description":"Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store."}

[~] AWS::IAM::Policy Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/DefaultPolicy CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -35,16 +35,6 @@
            [ ] },
            [ ] {
            [ ]   "Action": [
            [-]     "kms:Decrypt",
            [-]     "kms:DescribeKey"
            [-]   ],
            [-]   "Effect": "Allow",
            [-]   "Resource": {
            [-]     "Fn::ImportValue": "CdkBootstrap-hnb659fds-FileAssetKeyArn"
            [-]   }
            [-] },
            [-] {
            [-]   "Action": [
            [ ]     "s3:GetObject*",
            [ ]     "s3:GetBucket*",
            [ ]     "s3:List*",
[~] AWS::Lambda::Function LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8a LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aFD4BFC8A 
 └─ [~] Metadata
     ├─ [-] Removed: .aws:asset:path
     └─ [-] Removed: .aws:asset:property

Other Changes
[+] Unknown Rules: {"CheckBootstrapVersion":{"Assertions":[{"Assert":{"Fn::Not":[{"Fn::Contains":[["1","2","3"],{"Ref":"BootstrapVersion"}]}]},"AssertDescription":"CDK bootstrap stack version 4 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."}]}}

When I run cdk deploy I get the following error message:

 ❌  wm failed: Error [ValidationError]: AccessDenied. User doesn't have permission to call ssm:GetParameters
    at Request.extractError (/usr/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/protocol/query.js:50:29)
    at Request.callListeners (/usr/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/usr/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/usr/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:688:14)
    at Request.transition (/usr/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/usr/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /usr/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/usr/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/usr/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:690:12)
    at Request.callListeners (/usr/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/sequential_executor.js:116:18) {
  code: 'ValidationError',
  time: 2020-08-28T15:20:02.851Z,
  requestId: '629a101e-a63a-43c7-8f45-dc70bbeba284',
  statusCode: 400,
  retryable: false,
  retryDelay: 743.7164270441746
AccessDenied. User doesn't have permission to call ssm:GetParameters


  • CLI Version: 1.16.1
  • Framework Version: 1.16.1
  • Node.js Version: v12.18.3
  • OS: ubuntu 20.4
  • Language (Version): ts

This is 🐛 Bug Report

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 2
  • Comments: 5 (2 by maintainers)

Top GitHub Comments

shivlaks commented, Aug 28, 2020

You might want to try running bootstrap again (without the force and with cloudformation-execution-policies created).

Your CdkToolkit (or whatever you named your bootstrap stack) should have a resource called CloudFormationExecutionRole - can you check the AdministratorAccess policy is attached to it?

I’m guessing it’s empty. We should probably add validation here to prevent users from getting into this scenario.

You can run bootstrap again to get that updated:

cdk bootstrap --context @aws-cdk/core:newStyleStackSynthesis=1 --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess aws://accountid/region

Your cdk deploy should work after that. Let me know how it goes!

jonny-rimek commented, Aug 28, 2020

My CloudFormationExecutionRole did indeed not have any policy attached to it. Running cdk bootstrap --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess fixed it.

Thanks for your help.
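
As an added example (not part of the original thread and not CDK project code), the check shivlaks describes can be scripted with the AWS CLI. It assumes the default bootstrap stack name CDKToolkit and configured credentials; the function names are hypothetical, and printing the attached ARNs shows whether the role carries AdministratorAccess or a narrower policy.

```shell
#!/bin/sh
# Added example: confirm the bootstrap stack's CloudFormationExecutionRole
# has a managed policy attached before running `cdk deploy`.
# Assumptions: AWS CLI with credentials configured; stack name defaults
# to CDKToolkit; function names below are hypothetical.

# Resolve the physical IAM role name behind the logical resource ID.
exec_role_name() {
  aws cloudformation describe-stack-resource \
    --stack-name "$1" \
    --logical-resource-id CloudFormationExecutionRole \
    --query 'StackResourceDetail.PhysicalResourceId' --output text
}

# Print attached managed policy ARNs, one per line (nothing if none attached).
attached_policy_arns() {
  aws iam list-attached-role-policies --role-name "$1" \
    --query 'AttachedPolicies[].PolicyArn' --output text |
    tr '\t' '\n' | awk 'NF && $0 != "None"'
}

# Returns 0 and prints the ARNs when policies are attached, 1 when the role
# is empty (the state described in this thread), 2 when the role is not found.
check_exec_role() {
  cer_stack="${1:-CDKToolkit}"
  cer_role="$(exec_role_name "$cer_stack")" || return 2
  if [ -z "$cer_role" ] || [ "$cer_role" = "None" ]; then
    echo "CloudFormationExecutionRole not found in stack $cer_stack" >&2
    return 2
  fi
  cer_arns="$(attached_policy_arns "$cer_role")"
  if [ -z "$cer_arns" ]; then
    echo "$cer_role has no managed policies attached;" \
      "re-run cdk bootstrap with --cloudformation-execution-policies" >&2
    return 1
  fi
  # Listing the ARNs lets the operator confirm which policy was granted.
  echo "$cer_arns"
}

# Usage: sh check-exec-role.sh check [stack-name]
if [ "${1:-}" = "check" ]; then
  check_exec_role "${2:-CDKToolkit}"
fi
```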
