khomkovova

Reputation: 63

AWS CDK new synthesizer version

I have bootstrapped the CDKToolKit stack for the new "StyleStackSynthesis". I added this field to cdk.json:

"@aws-cdk/core:newStyleStackSynthesis": "true"

This CDKToolKit stack deployed to AWS successfully. I have used this command

cdk bootstrap  --toolkit-stack-name custom-cdktoolkit

But now I try to use the CDKToolKit stack to deploy my CDK application stack, and I receive this message:

 Error: Could not assume role in target account (did you bootstrap the environment with the right '--trust's?)

I use this command

cdk deploy --toolkit-stack-name custom-cdktoolkit

I have also added this to cdk application stack

 "@aws-cdk/core:newStyleStackSynthesis": "true"

Should I add some additional config, etc?

Upvotes: 1

Views: 4720

Answers (2)

Manoranjan Kumar

Reputation: 55

The methods below have worked for me, especially the second one, where we have a cross-account trust and assume-role scenario.

Before you can provision the pipeline, you have to bootstrap the environment you want to create it in. If you are deploying your application to different environments, you also have to bootstrap those and be sure to add a trust relationship.

To bootstrap an environment for provisioning the pipeline:

$ env CDK_NEW_BOOTSTRAP=1 npx cdk bootstrap \
    [--profile admin-profile-1] \
    --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess \
    aws://111111111111/us-east-1

To bootstrap a different environment for deploying CDK applications into using a pipeline in account 111111111111:

$ env CDK_NEW_BOOTSTRAP=1 npx cdk bootstrap \
    [--profile admin-profile-2] \
    --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess \
    --trust 111111111111 \
    aws://222222222222/us-east-2

Upvotes: 0
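One cause of the error in the question is a deploy role whose trust policy does not list the account that the `cdk deploy` credentials belong to. As an added example (not code from the question, the answers, or the CDK project), this TypeScript evaluates a role trust policy against a caller account. The policy documents and account IDs are constructed samples, and only account-level `AWS` principals on `sts:AssumeRole` statements are considered.

```typescript
// Added example; policy documents and account IDs below are constructed samples.
type Principal = string | { AWS?: string | string[] };
interface Statement { Effect: string; Action: string | string[]; Principal: Principal }
interface TrustPolicy { Statement: Statement[] }

function asList(v?: string | string[]): string[] {
  if (v === undefined) return [];
  return typeof v === "string" ? [v] : v;
}

// "123456789012" or "arn:aws:iam::123456789012:root" -> account ID, else null.
// Anything else (a role ARN, "*", an 11-digit typo) is not an account-level principal.
function accountOf(principal: string): string | null {
  const m = /^(?:(\d{12})|arn:aws:iam::(\d{12}):root)$/.exec(principal);
  return m ? (m[1] || m[2]) : null;
}

// Resource-side check only: does an Allow statement let callerAccount call
// sts:AssumeRole? Deny statements, conditions and the caller's own identity
// policy are outside this check.
function checkTrust(policy: TrustPolicy, callerAccount: string) {
  const trusted: string[] = [];
  const other: string[] = [];
  for (const s of policy.Statement) {
    if (s.Effect !== "Allow" || asList(s.Action).indexOf("sts:AssumeRole") < 0) continue;
    const principals = typeof s.Principal === "string" ? [s.Principal] : asList(s.Principal.AWS);
    for (const p of principals) {
      const acct = accountOf(p);
      if (acct) trusted.push(acct); else other.push(p);
    }
  }
  return { canAssume: trusted.indexOf(callerAccount) >= 0, trusted, other };
}

// Role in 222222222222 bootstrapped without --trust: only its own account is trusted.
const noTrust: TrustPolicy = { Statement: [
  { Effect: "Allow", Action: "sts:AssumeRole", Principal: { AWS: "arn:aws:iam::222222222222:root" } },
] };

// The same role after bootstrapping with --trust 111111111111.
const withTrust: TrustPolicy = { Statement: [
  { Effect: "Allow", Action: "sts:AssumeRole", Principal: { AWS: "arn:aws:iam::222222222222:root" } },
  { Effect: "Allow", Action: "sts:AssumeRole", Principal: { AWS: ["111111111111"] } },
] };

const resultNoTrust = checkTrust(noTrust, "111111111111");     // canAssume: false
const resultWithTrust = checkTrust(withTrust, "111111111111"); // canAssume: true
```

Every account that appears in `trusted` can deploy with whatever the `--cloudformation-execution-policies` value grants, so the list is worth reviewing whenever that policy is `AdministratorAccess`.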

mchlfchr

Reputation: 4278

I just replayed everything you posted on a completely fresh and untouched account.

I'm using AWS CDK version: 1.70.0 (latest at 2020/10/28)

  1. add within the cdk.json the "@aws-cdk/core:newStyleStackSynthesis": "true"
  2. run cdk bootstrap --toolkit-stack-name custom-cdktoolkit. This was the command you provided in your post.
cdk bootstrap --toolkit-stack-name custom-cdktoolkit

'@aws-cdk/core:newStyleStackSynthesis' context set, using new-style bootstrapping
 ⏳  Bootstrapping environment aws://xxxxxx/us-east-1...
 ❌  Environment aws://xxxxxx/us-east-1 failed bootstrapping: Error: Please pass '--cloudformation-execution-policies' to specify deployment permissions. Try a managed policy of the form 'arn:aws:iam::aws:policy/<PolicyName>'.

So, this already is failing on my side to reproduce.

Every following step is now freestyle, because of missing further information.

  3. Add the cf-execution-policies as required:
cdk bootstrap \
--toolkit-stack-name custom-cdktoolkit \
--cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess

'@aws-cdk/core:newStyleStackSynthesis' context set, using new-style bootstrapping
 ⏳  Bootstrapping environment aws://xxxxx/us-east-1...
Trusted accounts:   (none)
Execution policies: arn:aws:iam::aws:policy/AdministratorAccess
custom-cdktoolkit: creating CloudFormation changeset...
[██████████████████████████████████████████████████████████] (11/11)
 ✅  Environment aws://xxxxx/us-east-1 bootstrapped.
  4. Alright, let's quickly have a look at the example stack (without any cross-account access as you told in the comments):
// file: lib/cdk-playground-stack.ts
import * as cdk from "@aws-cdk/core";
import * as s3 from "@aws-cdk/aws-s3";
export class CdkPlaygroundStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    new s3.Bucket(this, "id", {
      accessControl: s3.BucketAccessControl.PRIVATE,
      encryption: s3.BucketEncryption.S3_MANAGED,
      versioned: false,
      blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
    });
  }
}

// file: app/app.ts
#!/usr/bin/env node
import 'source-map-support/register';
import * as cdk from '@aws-cdk/core';
import { CdkPlaygroundStack } from '../lib/cdk-playground-stack';

const app = new cdk.App();
// no cross-account environment arguments (like account) passed to the stack!
new CdkPlaygroundStack(app, 'CdkPlaygroundStack');
  5. deploy it via your provided command (due to the non-default cdk-bootstrap-name)
cdk deploy --toolkit-stack-name custom-cdktoolkit

CdkPlaygroundStack: deploying...
[0%] start: Publishing dbfc18c149132627081b768fbbfc4bc345aeba4259514174fcd302d8b3926a90:current_account-current_region
[100%] success: Published dbfc18c149132627081b768fbbfc4bc345aeba4259514174fcd302d8b3926a90:current_account-current_region
CdkPlaygroundStack: creating CloudFormation changeset...
[██████████████████████████████████████████████████████████] (3/3)

 ✅  CdkPlaygroundStack

Stack ARN:
arn:aws:cloudformation:us-east-1:xxxxxxx:stack/CdkPlaygroundStack/9b8d4460-1940-11eb-abd9-0e794c84352f

As you can see, there isn't any conflict and with the information you provided, it's super hard to validate what's going on.

What can you do?

  • Update to the current version of CDK
  • Check your Stack creation and if there's really no argument/props being passed in terms of another account like the ones you are using in your AWS profile/environment variables. Cross-Account deployment needs a specific bootstrap setup, so I asked specifically about that.
  • Delete the bootstrapped CloudFormation stack
  • Exactly replay what I did

Upvotes: 3
