Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

❗ NOTICE: cdk diff tries to assume 'deploy' role and fails to authorize. #29483

Closed
frfavoreto opened this issue Mar 14, 2024 · 3 comments
Closed
Labels
@aws-cdk/cloudformation-diff @aws-cdk/core Related to core CDK functionality bug This issue is a bug. effort/medium Medium work item – several days of effort investigating This issue is being investigated and/or work is in progress to resolve the issue. p0 package/tools Related to AWS CDK Tools or CLI

Comments

@frfavoreto
Copy link

frfavoreto commented Mar 14, 2024

Please add your +1 👍 to let us know you have encountered this

Status: RESOLVED

Overview

Until v2.131.0, CDK CLI only tried to assume the cdk-hnb659fds-lookup-role-* role during cdk diff, regardless the use of --no-change-set option.

Since v2.132.0 this is now assuming cdk-hnb659fds-deploy-role-* as well.

This creates an issue with accounts that have restrictive permissions in place, such as giving permissions for the lookup role to be assumed only.

Expected Behavior

Continue to assume the lookup role only, or mention this change in design on the docs.

Current Behavior

When running cdk diff using a target account without permissions to assume the deploy role, it fails:

[12:31:37] Retrieved account ID xxxxxxxxxxxx from disk cache
[12:31:37] Assuming role 'arn:aws:iam::xxxxxxxxxxxx:role/cdk-hnb659fds-lookup-role-xxxxxxxxxxxx-eu-west-1'.
[12:31:37] Retrieved account ID xxxxxxxxxxxx from disk cache
[12:31:37] Assuming role 'arn:aws:iam::xxxxxxxxxxxx:role/cdk-hnb659fds-deploy-role-xxxxxxxxxxxx-eu-west-1'.
[12:31:37] Assuming role failed: User: arn:aws:iam::xxxxxxxxxxxx:user/username is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxxxxxxx:role/cdk-hnb659fds-deploy-role-xxxxxxxxxxxx-eu-west-1

Until v2.131.0, only the lookup role was assumed for cdk diff:

[12:54:15] Retrieved account ID xxxxxxxxxxxx from disk cache
[12:54:15] Assuming role 'arn:aws:iam::xxxxxxxxxxxx:role/cdk-hnb659fds-lookup-role-xxxxxxxxxxxx-eu-west-1'.

Reproduction Steps

1 - Create an AWS user, assign it a policy with permission to assume the CDK lookup role only:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::*:role/cdk-*-lookup-role-*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "iam:ResourceTag/aws-cdk:bootstrap-role": "lookup"
                }
            }
        }
    ]
}

2 - Set up this user for use in the AWS CLI agent

3 - Install npm i -g [email protected] --save (same for 2.132.1)

4 - Run cdk diff on any project, it will error out as per above.

5 - Downgrade to v2.131.0 or lower to compare.

Workaround

Workaround to get the expected behavior would be to downgrade to v2.131.0 version of aws-cdk.

Solution:

A fix is in place reverting the breaking change available from v2.133.0.

Additional Information/Context

No response

CDK CLI Version

v2.132.0 and v2.132.1

Framework Version

No response

Node.js Version

16

OS

Mac

Language

TypeScript

Language Version

No response

Other information

No response

@frfavoreto frfavoreto added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 14, 2024
@github-actions github-actions bot added the package/tools Related to AWS CDK Tools or CLI label Mar 14, 2024
@pahud pahud added p1 @aws-cdk/core Related to core CDK functionality effort/medium Medium work item – several days of effort investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Mar 14, 2024
@TheRealAmazonKendra TheRealAmazonKendra added p0 and removed p1 labels Mar 14, 2024
@SankyRed SankyRed changed the title [aws-cdk]: CDK CLI from v2.132.0 tries to assume 'deploy' role when running diff ❗ NOTICE: cdk diff tries to assume 'deploy' role and fails to authorize. Mar 14, 2024
@SankyRed SankyRed changed the title ❗ NOTICE: cdk diff tries to assume 'deploy' role and fails to authorize. ❗ NOTICE: cdk diff tries to assume 'deploy' role and fails to authorize. Mar 14, 2024
@SankyRed SankyRed pinned this issue Mar 14, 2024
vinayak-kukreja added a commit to cdklabs/aws-cdk-notices that referenced this issue Mar 14, 2024
Signed-off-by: Vinayak Kukreja <[email protected]>
mergify bot pushed a commit to cdklabs/aws-cdk-notices that referenced this issue Mar 14, 2024
@vinayak-kukreja
Copy link
Contributor

Hey all, we have reverted the change that was impacting and released it in v2.133.0. Please let us know if you are still facing the issue.

@frfavoreto
Copy link
Author

Confirmed this issue is gone on v2.133.0. Thanks!

Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
@aws-cdk/cloudformation-diff @aws-cdk/core Related to core CDK functionality bug This issue is a bug. effort/medium Medium work item – several days of effort investigating This issue is being investigated and/or work is in progress to resolve the issue. p0 package/tools Related to AWS CDK Tools or CLI
Projects
None yet
Development

No branches or pull requests

6 participants