Aws-cdk: [cdk-pipelines] cdk deploy breaks when bootstrapping with --qualifier

Created on 18 Jul 2020 · 8 Comments · Source: aws/aws-cdk

I am bootstrapping a new environment using the following command:

cdk bootstrap --profile PROFILE_NAME --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess --qualifier=stackname-api

I see that IAM roles are created using the qualifier instead of the random default hnb659fds.

Now when I try to deploy the stack running cdk deploy --profile PROFILE_NAME I am getting the following error

Could not assume role in target account (did you bootstrap the environment with the right '--trust's?): User: arn:aws:sts::XXX:assumed-role/AWSReservedSSO_AdministratorAccess_XXX/SOMESTUFF is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::XXX:role/cdk-hnb659fds-deploy-role-XXX-us-east-1

Which makes sense since this role doesn't exist. It should try and assume the role with the qualifier instead.

Environment

  • CLI Version : 1.52.0
  • Framework Version:
  • Node.js Version: v14.4.0
  • OS : MacOS
  • Language (Version): JS

This is :bug: Bug Report

@aws-cdk/pipelines bug effort/medium p1

All 8 comments

If you give me pointers to where and how to resolve this I can open a PR. I dug in but am not sure I fully understand where and how ARNs are generated.

If you specify a non-default qualifier, you need to supply a DefaultStackSynthesizer to your stack, initialized with the qualifier you used.

This is a failure of documentation.

Although I could also see those values being read from context by default, so I will take this as a feature request for that.

Thanks! Should I open a new ticket for the docs?

@rix0rrr Possible for you to share a quick example snippet of using a DefaultStackSynthesizer with pipelines? I'm finding issues as per #9747 and couldn't get it working

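  // scope and id are whatever you already pass to your stack
  const stack = new cdk.Stack(scope, id, {
    synthesizer: new cdk.DefaultStackSynthesizer({
      qualifier: 'QUALIFIER' // placeholder: the value given to `cdk bootstrap --qualifier`
    })
  });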

@rix0rrr Which seems to be quite similar to what I did, mentioned in #9747, it still fails with the

Policy contains a statement with one or more invalid principals. (Service: AWSKMS; Status Code: 400; Error Code: MalformedPolicyDocumentException; Request ID: d2213b60-0def-46d4-8d90-be6a176a51de)

which indicates an incorrect bootstrapping

Am I missing something here?

Bee tee dubs there is already a context key to globally set the qualifier: @aws-cdk/core:bootstrapQualifier
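A preflight check for the mismatch discussed in this thread, as an added example (not code from the issue or from the CDK project): it reads the role ARNs that `cdk synth` records for each stack in `cdk.out/manifest.json` and reports any whose qualifier differs from the one the environment was bootstrapped with. The manifest below is constructed, `findQualifierMismatches` is a hypothetical helper name, and the `cfn-exec-role` name is assumed to follow the same pattern as the `deploy-role` name in the error above.

```javascript
// Added example: detect stacks synthesized with a different bootstrap qualifier
// than the one the environment was bootstrapped with.

// Role names follow cdk-<qualifier>-deploy-role-<account>-<region> (see the error
// above); the cfn-exec-role name is assumed to follow the same pattern.
const ROLE_RE = /:role\/cdk-(.+)-(?:deploy|cfn-exec)-role-/;

// Hypothetical helper: returns one entry per role ARN whose qualifier differs.
function findQualifierMismatches(manifest, expectedQualifier) {
  const mismatches = [];
  for (const [id, artifact] of Object.entries(manifest.artifacts || {})) {
    if (artifact.type !== 'aws:cloudformation:stack') continue;
    const props = artifact.properties || {};
    for (const key of ['assumeRoleArn', 'cloudFormationExecutionRoleArn']) {
      const match = ROLE_RE.exec(props[key] || '');
      if (match && match[1] !== expectedQualifier) {
        mismatches.push({ stack: id, property: key, found: match[1] });
      }
    }
  }
  return mismatches;
}

// Constructed manifest (shape of cdk.out/manifest.json; account id is a placeholder).
const SAMPLE_MANIFEST = {
  artifacts: {
    ApiStack: { // synthesized without a synthesizer qualifier: the default is used
      type: 'aws:cloudformation:stack',
      properties: {
        assumeRoleArn: 'arn:aws:iam::111111111111:role/cdk-hnb659fds-deploy-role-111111111111-us-east-1',
        cloudFormationExecutionRoleArn: 'arn:aws:iam::111111111111:role/cdk-hnb659fds-cfn-exec-role-111111111111-us-east-1',
      },
    },
    DataStack: { // synthesized with qualifier 'stackname-api'
      type: 'aws:cloudformation:stack',
      properties: {
        assumeRoleArn: 'arn:aws:iam::111111111111:role/cdk-stackname-api-deploy-role-111111111111-us-east-1',
        cloudFormationExecutionRoleArn: 'arn:aws:iam::111111111111:role/cdk-stackname-api-cfn-exec-role-111111111111-us-east-1',
      },
    },
    Tree: { type: 'cdk:tree', properties: { file: 'tree.json' } },
  },
};

for (const m of findQualifierMismatches(SAMPLE_MANIFEST, 'stackname-api')) {
  console.log(`${m.stack}.${m.property}: qualifier '${m.found}' was not bootstrapped`);
}
```

Run against a real manifest before `cdk deploy`, a non-empty result means the stack will try to assume roles that the bootstrap with `--qualifier` never created.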
