Reputation: 1000
Cannot assume lookup role
I am trying to deploy an AWS CDK pipeline from Account A (deployments account) to Account B (workload account). As part of my CDK code I am performing a lookup of a VPC ID:
var lambdaVpc = Vpc.FromLookup(this, "VPC", new VpcLookupOptions{
VpcId = Vpc.id
});
However, when my Pipeline runs I get the following error:
Could not assume role in target account using current credentials (which are for account ${DeploymentAccount})
User: arn:aws:sts::${DeploymentAccount}:assumed-role/te-cdk-pipeline-mis-servi-tecdkpipelinemisservicej-UPT0J1RO1RFR/AWSCodeBuild-7bcbd3a0-8159-454b-a886-18f8dd1df58c is not authorized to perform: sts:AssumeRole on resource:
arn:aws:iam::${WorkloadAccount}:role/cdk-hnb659fds-lookup-role-${WorkloadAccount}-ap-southeast-2 .
Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap the environment with the right '--trust', using the latest version of the CDK CLI.
My Workload Account role has the following policy:
{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${WorkloadAccount}:root"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${DeploymentAccount}:root"
},
"Action": "sts:AssumeRole"
}
]
}
As far as I can tell, this should allow the Deployment Account to assume and use this role. All of these Roles/Permissions were created by CDK/the bootstrapping process.
I have tried deleting my pipeline and redeploying (so that CDK recreates all the IAM Roles/Policies) but no luck so far.
Has anyone come across this?
Upvotes: 3
Views: 4169
Answers (1)
Reputation: 11522
The recommended practice is to synth the app once on a local machine with the necessary permissions to do the lookup, then commit cdk.context.json to git, which will make the pipeline use the cached values and not need to perform any lookups.
What this achieves is the best practice of making your CDK code deterministic - it should always synth to the same template, and making sure you only do the network call once achieves this.
Upvotes: 5
Related Questions
- AWS CDK - Cannot assume role in Lambda for fine grained authorization
- aws cdk IAM Account trust role gives 'Condition must be prefaced by a vendor" error
- Cannot assume role by code pipeline on code pipeline action AWS CDK
- AWS Assume Role: "Invalid information in one or more fields."
- Cannot assume role on EC2 instance
- AWS CDK is keeping ask me to update the IAM role even if I have already setup the permissions
- AWS assume role access denied while using SDK
- Error: "Conditions must be prefaced by a vendor." on creating Role in AWS CDK
- AWS Service Unable To Assume Role
- AWS Assume role with EC2 instance IAM role not working