Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Error during codepipeline build when cdk.contest.json is removed
See original GitHub issueThe Question
With #8905 being fixed I tried to remove the local cdk.context.json from one of my pipelines and re bootstrapped each account but received the following error for each account/stage I was deploying to (accounts and other variables replaced, note ${AWS::Partition} was not resolved):
Could not assume role in target account using current credentials (which are for account <pipeline account>) User: arn:aws:sts::pipeline_account:assumed-role/MyPipeline-PipelineBuildSynthCdkBuildProjec-GZQLAFL0MUF7/AWSCodeBuild-3755ba61-9da9-498b-8282-307bc9a94fcb is not authorized to perform: sts:AssumeRole on resource: arn:${AWS::Partition}:iam:🔢role/cdk-xyz789abc-lookup-role-1234-us-east-1 . Please make sure that this role exists in the account. If it doesn’t exist, (re)-bootstrap the environment with the right ‘–trust’, using the latest version of the CDK CLI.
I was able to get around the issue by setting the synth in my stage class
export class MyStage extends Stage {
constructor(scope: Construct, id: string, props?: StageProps) {
super(scope, id, props);
const LOOKUP_ROLE_ARN = `arn:aws:iam::${this.account}:role/cdk-\${Qualifier}-lookup-role-${this.account}-${this.region}`;
new Stack(this, 'MyStack, {
synthesizer: new DefaultStackSynthesizer({
lookupRoleArn: LOOKUP_ROLE_ARN,
}),
});
But I’m not sure why the default role isn’t working
I also had to add permission for MyPipeline-PipelineBuildSynthCdkBuildProjec-GZQLAFL0MUF7 to sts:AssumeRole
Environment
- CDK CLI Version: 1.108.1
- Module Version: 1.108.1
- Node.js Version: 16.3.0
- OS:
- Language: TypeScript
Other information
related to #8905
Issue Analytics
- State:
- Created 2 years ago
- Comments:5 (2 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
You are correct! We identified the issue and working to resolve it.
Good day everyone.
I am trying add custom domains/certificates in a cognito construct, in a Multi account enviroment with pipelines. The pipelines works ok with bootstraping credentials trusted, but when I am trying do a lookup in a existent route53 domain, I get the next error.
My actual version of CLI/CDK is nearly to newest,
cdk version 1.129.0 (build fb43f89)
aws --version aws-cli/1.20.64 Python/3.6.0 Windows/10 botocore/1.21.64
My CDK Code:
const myCompanyHostedZone = route53.HostedZone.fromLookup(this, ‘StagZone’, { domainName: ‘dev.company.ai’ }); const myCompanyCertificate = new acm.Certificate(this, ‘Certificate’, { domainName:
auth.dev.company.ai, validation: acm.CertificateValidation.fromDns(myCompanyHostedZone) });CODEPIPELINE ERROR:
[Container] 2021/11/07 18:53:53 Running command npx cdk synth
[Error at /CompCdkAppMainPipelineStack/Production/Production-CognitoStack] Could not assume role in target account using current credentials (which are for account 111111111) User: arn:aws:sts::111111111:assumed-role/CompCdkAppMainPipelineSt-PipelineBuildSynthCdkBui-BQ6WX4UE3CUW/AWSCodeBuild-95d9afb6-06f3-4d44-85c5-74ee3331caa8 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::222222222:role/cdk-hnb659fds-lookup-role-222222222-eu-west-2 . Please make sure that this role exists in the account. If it doesn’t exist, (re)-bootstrap the environment with the right ‘–trust’, using the latest version of the CDK CLI.
Thx in advance to all, I love CDK!!.