Error during codepipeline build when cdk.context.json is removed
The Question
With #8905 being fixed I tried to remove the local cdk.context.json from one of my pipelines and re-bootstrapped each account, but received the following error for each account/stage I was deploying to (accounts and other variables replaced; note that ${AWS::Partition} was not resolved):
Could not assume role in target account using current credentials (which are for account <pipeline account>) User: arn:aws:sts::pipeline_account:assumed-role/MyPipeline-PipelineBuildSynthCdkBuildProjec-GZQLAFL0MUF7/AWSCodeBuild-3755ba61-9da9-498b-8282-307bc9a94fcb is not authorized to perform: sts:AssumeRole on resource: arn:${AWS::Partition}:iam::1234:role/cdk-xyz789abc-lookup-role-1234-us-east-1 . Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap the environment with the right '--trust', using the latest version of the CDK CLI.
I was able to get around the issue by setting the synth in my stage class
import { Construct, DefaultStackSynthesizer, Stack, Stage, StageProps } from '@aws-cdk/core';

export class MyStage extends Stage {
  constructor(scope: Construct, id: string, props?: StageProps) {
    super(scope, id, props);
    // Lookup role created by `cdk bootstrap` in the target account/region.
    // ${Qualifier} is escaped so it stays a literal placeholder that the
    // synthesizer replaces with the bootstrap qualifier.
    const LOOKUP_ROLE_ARN = `arn:aws:iam::${this.account}:role/cdk-\${Qualifier}-lookup-role-${this.account}-${this.region}`;
    new Stack(this, 'MyStack', {
      synthesizer: new DefaultStackSynthesizer({
        lookupRoleArn: LOOKUP_ROLE_ARN,
      }),
    });
  }
}
But I’m not sure why the default role isn’t working
I also had to add permission for MyPipeline-PipelineBuildSynthCdkBuildProjec-GZQLAFL0MUF7 to sts:AssumeRole
Environment
- CDK CLI Version: 1.108.1
- Module Version: 1.108.1
- Node.js Version: 16.3.0
- OS:
- Language: TypeScript
Other information
related to #8905
Top GitHub Comments
You are correct! We identified the issue and are working to resolve it.
Good day everyone.
I am trying to add custom domains/certificates to a Cognito construct, in a multi-account environment with pipelines. The pipelines work OK with bootstrapping credentials trusted, but when I try to do a lookup on an existing Route 53 domain, I get the following error.
My current version of the CLI/CDK is close to the newest:
cdk version 1.129.0 (build fb43f89)
aws --version aws-cli/1.20.64 Python/3.6.0 Windows/10 botocore/1.21.64
My CDK Code:
import * as route53 from '@aws-cdk/aws-route53';
import * as acm from '@aws-cdk/aws-certificatemanager';

const myCompanyHostedZone = route53.HostedZone.fromLookup(this, 'StagZone', { domainName: 'dev.company.ai' });
const myCompanyCertificate = new acm.Certificate(this, 'Certificate', {
  domainName: 'auth.dev.company.ai',
  validation: acm.CertificateValidation.fromDns(myCompanyHostedZone),
});

CODEPIPELINE ERROR:
[Container] 2021/11/07 18:53:53 Running command npx cdk synth
[Error at /CompCdkAppMainPipelineStack/Production/Production-CognitoStack] Could not assume role in target account using current credentials (which are for account 111111111) User: arn:aws:sts::111111111:assumed-role/CompCdkAppMainPipelineSt-PipelineBuildSynthCdkBui-BQ6WX4UE3CUW/AWSCodeBuild-95d9afb6-06f3-4d44-85c5-74ee3331caa8 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::222222222:role/cdk-hnb659fds-lookup-role-222222222-eu-west-2 . Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap the environment with the right '--trust', using the latest version of the CDK CLI.
Thx in advance to all, I love CDK!!.
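Both the original report and the comment above show the same failure: the CodeBuild synth role in the pipeline account cannot assume the bootstrap lookup role in a target account, and in the first case the ARN still carries an unresolved ${AWS::Partition} token. The following is an added example, not code from the issue or from the CDK project. It parses that error line as CodeBuild prints it, extracts the pipeline account, the synth role name, the target account, region and bootstrap qualifier, and derives the two remediation pieces the thread points at: a least-privilege sts:AssumeRole statement for the synth role, scoped to lookup roles of that qualifier, and the `cdk bootstrap ... --trust` command for the target environment. The sample log lines are constructed from the two messages on this page, and the `aws-cdk:bootstrap-role` tag condition assumes the target roles were created by the current bootstrap template, which tags them that way.

```typescript
// Added example (not from the issue or the CDK project): diagnose and remediate
// "Could not assume role in target account" errors from `cdk synth` in CodeBuild.

interface LookupRoleFailure {
  callerAccount: string;        // account the CodeBuild credentials belong to
  callerRoleName: string;       // IAM role CodeBuild assumed (the synth project role)
  targetRoleArn: string;        // lookup role that CDK tried to assume
  partitionUnresolved: boolean; // ARN still carries the literal ${AWS::Partition} token
  targetAccount: string;
  qualifier: string;            // bootstrap qualifier embedded in the role name
  region: string;
}

interface PolicyStatement {
  Effect: 'Allow' | 'Deny';
  Action: string;
  Resource: string;
  Condition?: Record<string, Record<string, string>>;
}

const ASSUME_ERROR =
  /Could not assume role in target account using current credentials \(which are for account ([^)]+)\) User: (\S+) is not authorized to perform: sts:AssumeRole on resource: (\S+)/;

// Lookup role ARN as created by the bootstrap stack:
// arn:<partition>:iam::<account>:role/cdk-<qualifier>-lookup-role-<account>-<region>
const LOOKUP_ROLE =
  /^arn:(\$\{AWS::Partition\}|[a-z-]+):iam::([0-9]*):role\/cdk-([a-z0-9]+)-lookup-role-([0-9]+)-([a-z0-9-]+)$/;

function diagnoseLookupFailure(line: string): LookupRoleFailure | undefined {
  const m = ASSUME_ERROR.exec(line);
  if (!m) return undefined;
  const [, callerAccount, user, targetRoleArn] = m;
  const role = LOOKUP_ROLE.exec(targetRoleArn);
  if (!role) return undefined; // not a bootstrap lookup role; out of scope here
  const [, partition, , qualifier, targetAccount, region] = role;
  // Caller is an STS ARN: arn:<p>:sts::<acct>:assumed-role/<roleName>/<session>
  const callerRoleName = user.split('assumed-role/')[1]?.split('/')[0] ?? user;
  return {
    callerAccount,
    callerRoleName,
    targetRoleArn,
    partitionUnresolved: partition === '${AWS::Partition}',
    targetAccount,
    qualifier,
    region,
  };
}

function findLookupFailures(log: string[]): LookupRoleFailure[] {
  return log.map(diagnoseLookupFailure).filter((f): f is LookupRoleFailure => f !== undefined);
}

function remediate(f: LookupRoleFailure): { synthRolePolicy: PolicyStatement; bootstrapCommand: string } {
  // An unresolved partition token is not a usable value; fall back to a wildcard.
  const partition = f.partitionUnresolved ? '*' : f.targetRoleArn.split(':')[1];
  return {
    synthRolePolicy: {
      Effect: 'Allow',
      Action: 'sts:AssumeRole',
      // Only lookup roles of this qualifier, in any target account and region.
      Resource: `arn:${partition}:iam::*:role/cdk-${f.qualifier}-lookup-role-*`,
      // Assumption: bootstrap roles carry the aws-cdk:bootstrap-role tag, so a
      // similarly named role that was not created by bootstrap is not covered.
      Condition: { StringEquals: { 'iam:ResourceTag/aws-cdk:bootstrap-role': 'lookup' } },
    },
    // The target account must also trust the pipeline account, otherwise the
    // lookup role's trust policy rejects the assume even with the grant above.
    bootstrapCommand: `npx cdk bootstrap aws://${f.targetAccount}/${f.region} --qualifier ${f.qualifier} --trust ${f.callerAccount}`,
  };
}

// Constructed sample log, built from the two error messages on this page.
const SAMPLE_LOG: string[] = [
  '[Container] 2021/11/07 18:53:53 Running command npx cdk synth',
  'Could not assume role in target account using current credentials (which are for account 999999999999) ' +
    'User: arn:aws:sts::999999999999:assumed-role/MyPipeline-PipelineBuildSynthCdkBuildProjec-GZQLAFL0MUF7/AWSCodeBuild-3755ba61 ' +
    'is not authorized to perform: sts:AssumeRole on resource: ' +
    'arn:${AWS::Partition}:iam::1234:role/cdk-xyz789abc-lookup-role-1234-us-east-1 . Please make sure that this role exists in the account.',
  '[Error at /CompCdkAppMainPipelineStack/Production/Production-CognitoStack] Could not assume role in target account ' +
    'using current credentials (which are for account 111111111) ' +
    'User: arn:aws:sts::111111111:assumed-role/CompCdkAppMainPipelineSt-PipelineBuildSynthCdkBui-BQ6WX4UE3CUW/AWSCodeBuild-95d9afb6 ' +
    'is not authorized to perform: sts:AssumeRole on resource: ' +
    'arn:aws:iam::222222222:role/cdk-hnb659fds-lookup-role-222222222-eu-west-2 . Please make sure that this role exists in the account.',
];

for (const failure of findLookupFailures(SAMPLE_LOG)) {
  console.log(JSON.stringify({ failure, remediation: remediate(failure) }, null, 2));
}
```

The policy statement can be passed as-is to the synth project's role (for `@aws-cdk/pipelines` in v1, via the synth action's `rolePolicyStatements`, wrapped in an `iam.PolicyStatement`); the `--trust` in the bootstrap command must name the pipeline account reported in the error, not the target account.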