(cli): cross account deployments still don't work
Reproduction Steps
CI account: 0147xxxxxxxx
Target account: 1454xxxxxxx
The target account is bootstrapped to trust the CI account with --trust 0147xxxxxxxx. An IAM user in the CI account is granted permission iam:AssumeRole to all roles created by the bootstrap stack.
Create a CDK app with an environment in the target account and an S3 asset:
...
new Stack(app, 'Stack', { env: {account: "1454xxxxxxx", region: "eu-west-2" }});
...
Run cdk deploy from the CI account.
What did you expect to happen?
Successful deploy
What actually happened?
If we try to deploy it with cdk deploy -v, the following happens:
OrganizationStack
OrganizationStack: deploying...
Looking up default account ID from STS
Default account ID: 0147xxxxxx
Assuming role 'arn:aws:iam::1454xxxxxx:role/cdk-hnb659fds-deploy-role-1454xxxxx-eu-west-2'.
Waiting for stack CDKToolkit to finish creating or updating...
[0%] start: Publishing 4a3609ad912843e581892f37ae9d6fb0fa1648b547693aaa562b0119452b8956:145469417702-eu-west-2
[50%] fail: Need to perform AWS calls for account 1454xxxxxxx, but the current credentials are for 0147xxxxxx
[50%] start: Publishing 97b2255ceb5577d4534d825ed8407ced52d0f8917ce15f7a76d5c47aba9bd603:145469417702-eu-west-2
[100%] fail: Need to perform AWS calls for account 1454xxxxxxxx, but the current credentials are for 0147xxxxxx
Environment
- CDK CLI Version: 1.78.-
- Framework Version:
- Node.js Version: 14
- OS: Linux
- Language (Version): TypeScript
Other
Interestingly, cdk-assets uploads just fine. Exact commands when run from CI:
- yarn add -D aws-cdk@1.78.0
- node_modules/.bin/cdk synth --verbose
- node_modules/.bin/cdk-assets publish -p cdk.out/OrganizationStack.assets.json -v
- node_modules/.bin/cdk deploy --require-approval=never --all --verbose
produce the following output (tail):
$ node_modules/.bin/cdk synth --verbose
Successfully synthesized to /data/build/X-WKy9gs/0/dir/devops/iac/organization/cdk.out
Supply a stack id (OrganizationStack, SingleSignOnStack) to display its template.
$ node_modules/.bin/cdk-assets publish -p cdk.out/OrganizationStack.assets.json -v
verbose: Loaded manifest from cdk.out/OrganizationStack.assets.json: 2 assets found
info : [0%] start: Publishing 4a3609ad912843e581892f37ae9d6fb0fa1648b547693aaa562b0119452b8956:1454xxxxxxx-eu-west-2
verbose: Assume arn:aws:iam::1454xxxxxxx:role/cdk-hnb659fds-file-publishing-role-1454xxxxxxx-eu-west-2
verbose: [0%] check: Check s3://cdk-hnb659fds-assets-1454xxxxxxx-eu-west-2/4a3609ad912843e581892f37ae9d6fb0fa1648b547693aaa562b0119452b8956.zip
verbose: [0%] found: Found s3://cdk-hnb659fds-assets-1454xxxxxxx-eu-west-2/4a3609ad912843e581892f37ae9d6fb0fa1648b547693aaa562b0119452b8956.zip
info : [50%] success: Published 4a3609ad912843e581892f37ae9d6fb0fa1648b547693aaa562b0119452b8956:1454xxxxxxx-eu-west-2
info : [50%] start: Publishing 97b2255ceb5577d4534d825ed8407ced52d0f8917ce15f7a76d5c47aba9bd603:1454xxxxxxx-eu-west-2
verbose: Assume arn:aws:iam::1454xxxxxxx:role/cdk-hnb659fds-file-publishing-role-1454xxxxxxx-eu-west-2
verbose: [50%] check: Check s3://cdk-hnb659fds-assets-1454xxxxxxx-eu-west-2/97b2255ceb5577d4534d825ed8407ced52d0f8917ce15f7a76d5c47aba9bd603
verbose: [50%] upload: Upload s3://cdk-hnb659fds-assets-1454xxxxxxx-eu-west-2/97b2255ceb5577d4534d825ed8407ced52d0f8917ce15f7a76d5c47aba9bd603
info : [100%] success: Published 97b2255ceb5577d4534d825ed8407ced52d0f8917ce15f7a76d5c47aba9bd603:1454xxxxxxx-eu-west-2
$ node_modules/.bin/cdk deploy --require-approval=never --all --verbose
...
OrganizationStack
OrganizationStack: deploying...
Looking up default account ID from STS
Default account ID: 0147xxxxxxx
Assuming role 'arn:aws:iam::1454xxxxxxx:role/cdk-hnb659fds-deploy-role-1454xxxxxxx-eu-west-2'.
Waiting for stack CDKToolkit to finish creating or updating...
[0%] start: Publishing 4a3609ad912843e581892f37ae9d6fb0fa1648b547693aaa562b0119452b8956:1454xxxxxxx-eu-west-2
[50%] fail: Need to perform AWS calls for account 1454xxxxxxx, but the current credentials are for 0147xxxxxxx
[50%] start: Publishing 97b2255ceb5577d4534d825ed8407ced52d0f8917ce15f7a76d5c47aba9bd603:1454xxxxxxx-eu-west-2
[100%] fail: Need to perform AWS calls for account 1454xxxxxxx, but the current credentials are for 0147xxxxxxx
Looks like the fix done in https://github.com/aws/aws-cdk/pull/11966 is incomplete.
/cc @rix0rrr , @scarytom , @polothy
This is a 🐛 Bug Report
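A pre-flight check for the situation reported above, written as an added example (it is not part of aws-cdk and not the reporter's code). It reads a cdk-assets manifest, the same kind of file as cdk.out/OrganizationStack.assets.json passed to cdk-assets publish, and reports for each asset destination whether publishing from the CI account can work: either the destination is in the caller's own account, or the manifest carries an assumeRoleArn in the destination account. The bootstrap role naming it reconstructs (cdk-<qualifier>-<name>-role-<account>-<region>, default qualifier hnb659fds) matches the role ARNs in the logs. The sample manifest and its 12-digit account IDs are constructed placeholders. If every destination passes this check and cdk deploy still fails with "Need to perform AWS calls for account ...", the manifest and bootstrap trust are fine and the fault lies in the CLI's credential handling, which is what this report concludes.

```python
"""Pre-flight check for cross-account cdk-assets publishing (added example, not aws-cdk code)."""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_QUALIFIER = "hnb659fds"  # default CDK bootstrap qualifier, visible in the role names above
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")


def bootstrap_role_arns(account: str, region: str, qualifier: str = DEFAULT_QUALIFIER) -> Dict[str, str]:
    """Role ARNs created by the modern CDK bootstrap stack in `account`/`region`."""
    return {
        name: f"arn:aws:iam::{account}:role/cdk-{qualifier}-{name}-role-{account}-{region}"
        for name in ("deploy", "file-publishing", "image-publishing", "cfn-exec")
    }


def account_from_role_arn(arn: str) -> str:
    """Extract the 12-digit account ID from an IAM role ARN."""
    m = ROLE_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {arn!r}")
    return m.group(1)


@dataclass(frozen=True)
class DestinationCheck:
    asset_id: str
    destination_id: str
    target_account: str
    assume_role_arn: Optional[str]
    ok: bool
    reason: str


def load_manifest(path: str) -> dict:
    """Load a cdk.out/<Stack>.assets.json manifest from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def check_manifest(manifest: dict, caller_account: str) -> List[DestinationCheck]:
    """Evaluate every destination of every file and Docker image asset for `caller_account`."""
    results: List[DestinationCheck] = []
    for kind in ("files", "dockerImages"):
        for asset_id, asset in manifest.get(kind, {}).items():
            for dest_id, dest in asset.get("destinations", {}).items():
                # Destination ids are "<account>-<region>", the same form as the
                # "<hash>:<account>-<region>" progress lines printed by cdk-assets.
                target_account = dest_id.split("-", 1)[0]
                role_arn = dest.get("assumeRoleArn")
                if target_account == caller_account:
                    ok, reason = True, "destination is in the caller's account"
                elif role_arn is None:
                    ok, reason = False, (
                        f"Need to perform AWS calls for account {target_account}, "
                        f"but the current credentials are for {caller_account}"
                    )
                elif account_from_role_arn(role_arn) != target_account:
                    ok, reason = False, f"assumeRoleArn is in account {account_from_role_arn(role_arn)}, not {target_account}"
                else:
                    ok, reason = True, f"will assume {role_arn}"
                results.append(DestinationCheck(asset_id, dest_id, target_account, role_arn, ok, reason))
    return results


# Constructed sample: placeholder account IDs, two file assets bound for the target
# account, the second deliberately missing assumeRoleArn to show the failure case.
CI_ACCOUNT = "014700000000"
TARGET_ACCOUNT = "145400000000"
REGION = "eu-west-2"
_TARGET_ROLES = bootstrap_role_arns(TARGET_ACCOUNT, REGION)
_DEST = f"{TARGET_ACCOUNT}-{REGION}"
_BUCKET = f"cdk-{DEFAULT_QUALIFIER}-assets-{TARGET_ACCOUNT}-{REGION}"
SAMPLE_MANIFEST = {
    "version": "5.0.0",
    "files": {
        "asset-one": {
            "source": {"path": "asset.one", "packaging": "zip"},
            "destinations": {_DEST: {"bucketName": _BUCKET, "objectKey": "asset-one.zip",
                                     "assumeRoleArn": _TARGET_ROLES["file-publishing"]}},
        },
        "asset-two": {
            "source": {"path": "OrganizationStack.template.json", "packaging": "file"},
            "destinations": {_DEST: {"bucketName": _BUCKET, "objectKey": "asset-two"}},
        },
    },
    "dockerImages": {},
}


def main() -> None:
    for r in check_manifest(SAMPLE_MANIFEST, CI_ACCOUNT):
        print(f"[{'ok  ' if r.ok else 'FAIL'}] {r.asset_id}:{r.destination_id} -> {r.reason}")


if __name__ == "__main__":
    main()
```

Run it against a real manifest with `check_manifest(load_manifest("cdk.out/OrganizationStack.assets.json"), "<ci-account-id>")`, where the caller account is what `aws sts get-caller-identity` returns for the CI credentials. The check only validates what the manifest says; it does not prove that the CI principal is actually allowed to assume the named role, which the bootstrap stack's trust policy (the --trust account) decides.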
Issue Analytics
- State:
- Created 3 years ago
- Reactions: 2
- Comments: 5 (3 by maintainers)
Top GitHub Comments
Maybe no one will see this comment, but I was just able to deploy cross account with no plugins 🎉
Thanks @redbaron and @rix0rrr for fixing this!
⚠️COMMENT VISIBILITY WARNING⚠️
Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.