You can find the cdk app that you can use to replicate my issue here varvay/issue-replication.git. The usage instruction explained in the README
I need to deploy CDK app using a role by issuing this command
cdk -r arn:aws:iam::000000000000:role/fooRole deploy
but then an error thrown
Assuming role failed: User: arn:aws:iam::000000000000:user/fooUser is not authorized to
perform: sts:AssumeRole on resource: arn:aws:iam::000000000000:role/barRole
to be sure, I tried to simulate it by assuming the arn:aws:iam::000000000000:role/barRole
role using arn:aws:iam::000000000000:role/fooRole
in AWS IAM Policy Simulator and it works just fine. One thing that bothers me is that the error said that a User
tried to assume the role, not Role
.
Why is that? or should I assume the fooRole
, update the AWS-related environment variable and then deploy? if so then what’s the point of having -r
option on cdk
as additional information, here’s the trust relationship of the barRole
{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam:: 000000000000:root"
},
"Action": "sts:AssumeRole"
}
]
}
also I even tried to attach AdministratorAccess
AWS managed policy to the fooRole
used to deploy
3
Answers
I managed to fulfill my needs by creating a bash script to switch to the destination role and use the credential to perform the CDK command as the script written below,
So there are 2 ways you might be running
cdk deploy
command from.1- You’re running this command from your local computer’s CLI using IAM keys. In this case, this role must be assumable by the AWS account (IAM User) being used.
2- You’re running this command from any AWS service (cicd agent on EC2 instance for e.g.:) then the role attached with the instance should be allowed to assume this deployment role.
mention how you’re running this command and you might get a better answer.
UPDATE:
Based on the updated question:
Add
assume role
part in your IAM USER not your deployment role. Your IAM User from which you’re trying to deploy should be allowed to assume the role through which the CDK will be deployed.To diagramise it a bit:
The error is in the process of cross account role accessing, as is written in your error message.
I assume that you start with AWS configuration for one account, lets call it "Provisioning" and then you need to assume role in different account (dev or prod) depending on branches or something ?
I smell an error in setup of cross account roles.
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
One possibility is : the Rolle you want to assume, does not have your provisioning account as trusted entity.
Another is : the user which is trying to assume the role, does not have the policy for that.
Just follow the tutorial from AWS and see what is missing in your setup 🙂