AWS CDK deploy using role

Time:07-22

I need to deploy a CDK app using a role by issuing this command:

cdk -r arn:aws:iam::000000000000:role/fooRole deploy

but then an error is thrown:

Assuming role failed: User: arn:aws:iam::000000000000:user/fooUser is not authorized to 
perform: sts:AssumeRole on resource: arn:aws:iam::000000000000:role/barRole

To be sure, I tried to simulate it by assuming the arn:aws:iam::000000000000:role/barRole role using arn:aws:iam::000000000000:role/fooRole in the AWS IAM Policy Simulator, and it works just fine. One thing that bothers me is that the error says that a User tried to assume the role, not a Role.

Why is that? Or should I assume the fooRole, update the AWS-related environment variables and then deploy? If so, then what's the point of having the -r option on cdk?

As additional information, here's the trust relationship of the barRole:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::000000000000:root"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Also, I even tried to attach the AdministratorAccess AWS managed policy to the fooRole used to deploy.

CodePudding user response:

So there are 2 ways you might be running the cdk deploy command.

1- You're running this command from your local computer's CLI using IAM keys. In this case, this role must be assumable by the AWS account (IAM User) being used.

2- You're running this command from any AWS service (e.g. a CI/CD agent on an EC2 instance); then the role attached to the instance should be allowed to assume this deployment role.

Mention how you're running this command and you might get a better answer.

UPDATE: Based on the updated question:

Add the assume-role part to your IAM USER, not your deployment role. Your IAM User from which you're trying to deploy should be allowed to assume the role through which the CDK will be deployed.

To diagramise it a bit:

(IAM-USER -> Assume -> Role) -> cdk deploy

CodePudding user response:

The error is in the process of cross-account role access, as is written in your error message.

I assume that you start with the AWS configuration for one account, let's call it "Provisioning", and then you need to assume a role in a different account (dev or prod) depending on branches or something?

I smell an error in setup of cross account roles. https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

One possibility is: the role you want to assume does not have your provisioning account as a trusted entity.

Another is: the user which is trying to assume the role does not have the policy for that.

Just follow the tutorial from AWS and see what is missing in your setup :)
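Both answers above come down to the same two checks: does the role's trust policy name the caller (or its account), and does the caller's own identity policy grant sts:AssumeRole on that role. The script below is an added example, not code from either answer or from the CDK project: it evaluates those two halves offline against constructed policy documents (the question's account-root trust policy, plus an assumed empty and an assumed fixed policy for fooUser) and shows why a root-only trust is not enough on its own.

```python
import fnmatch
# Constructed inputs, not from the original post: the question's account-root trust
# policy plus an empty and a fixed identity policy for fooUser.
ACCOUNT = "000000000000"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/barRole"
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/fooUser"
TRUST_ROOT = {"Version": "2008-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
     "Action": "sts:AssumeRole"}]}
USER_POLICY_EMPTY = {"Version": "2012-10-17", "Statement": []}
USER_POLICY_FIXED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _hit(patterns, value):
    # IAM-style * and ? wildcards; fnmatch is a close-enough approximation for ARNs.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def trust_decision(trust_policy, caller_arn):
    """'principal' if the trust policy names the caller, 'root' if only its account, else None."""
    account = caller_arn.split(":")[4]
    decision = None
    for st in trust_policy["Statement"]:
        if st["Effect"] != "Allow" or not _hit(st["Action"], "sts:AssumeRole"):
            continue
        for p in _as_list(st.get("Principal", {}).get("AWS", [])):
            if p == caller_arn:
                return "principal"
            if p in (f"arn:aws:iam::{account}:root", account):
                decision = "root"
    return decision

def identity_decision(identity_policy, role_arn):
    """'allow', 'deny' or None for sts:AssumeRole on role_arn in the caller's own policy."""
    result = None
    for st in identity_policy["Statement"]:
        if _hit(st["Action"], "sts:AssumeRole") and _hit(st.get("Resource", []), role_arn):
            if st["Effect"] == "Deny":
                return "deny"  # an explicit Deny always wins
            result = "allow"
    return result

def can_assume(trust_policy, identity_policy, caller_arn, role_arn):
    """Same-account rule: a root-only trust delegates to the caller's identity policy."""
    trust = trust_decision(trust_policy, caller_arn)
    identity = identity_decision(identity_policy, role_arn)
    if trust is None or identity == "deny":
        return False
    return trust == "principal" or identity == "allow"
```

With the question's trust policy, can_assume is False until fooUser's own policy grants sts:AssumeRole on barRole, which matches the error message naming the User rather than the Role.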
