When cdk bootstrapping AWS account A I am utilizing the --trust flag for account B:
CDK_DEFAULT_ACCOUNT=A cdk boostrap --trust B ...
This should allow B to deploy into the A environment.
However, when a code pipeline job (with no ~/.aws directory and no environment variable credentials) in B is running cdk deploy against A it errors out with
failed: Error: Need to perform AWS calls for account A, but the current credentials are for B
The execution role for the code pipeline action in account B has admin access.
How is a process in the trusted account credentialed to deploy to the boostrapped account?
There is a similarly titled question which is for a separate topic.
Thank you in advance for your consideration and response.
When the target A account is bootstrapped there is an IAM Role created in a A with a name like "cdk-...deploy-role...". By passing the --trust B flag when bootstrapping, a Trust Relationship is created in that deploy IAM Role that allows B account to assume the role.
In the B code pipeline you need to first assume the A deploy role:
aws sts assume-role --role-arn <deploy_role_from_A_arn>
Then use the supplied credentials when invoking the cdk deploy command in code pipeline.
Related
Is it possible to use a single IAM role (which can access another role) to deploy resources with environment variables CDK_DEFAULT_ACCOUNT and CDK_DEFAULT_REGION?
For example: Below is a piece of code from Jenkinsfile , which uses a role to deploy resources in the account of which it a part.
script
{
withCredentials([string(credentialsId: "sample-role-arn", variable: 'ARN'), string(credentialsId: "sample-role-extid", variable: 'EXT_ID')])
{
withAWS(role: "${ARN}", externalId: "${EXT_ID}", region: "${AWS_REGION}"){
sh '''
cdk deploy --all
'''
}
}
}
In this code sample-role-arn is defined in the account in which cdk deploy --all will deploy the resources. If the CDK_DEFAULT_ACCOUNT and CDK_DEFAULT_REGION are set to different values of which sample-role-arn is not a part, the cdk deploy --all will through error: Could not assume role in target account using current credentials (which are for account xxxxxx) User: arn:aws:sts::xxxx:assumed-role/sample-role-arn/xxx is not authorized to perform: sts:AssumeRole on resource is is expected.
However, if role is created in account set by CDK_DEFAULT_ACCOUNT and CDK_DEFAULT_REGION and made sample-role-arn as trusted entity, yet the same error as mentioned above is encountered despite the fact that sample-role-arn is a trusted entity.
Could someone please advise, if this is possible?
When use AWS CDK to provision resources in an VPC, it requires me to specify AWS account and region through env environment variables.
I have CLI access to my dev account, but no access to prod account.
I would like to use cdk synth to generate cloudformation template for production account. To do that, I specifies the account ID in .env file.
But cdk synth command returns me following error.
[Error at /whitespace-app-fargate/whitespace-app-fargate/FargateStack] Could not assume role in target account using current credentials (which are for account xxxxxxxx) User: arn:aws:iam::xxxxxxxxx:user/myqinjie is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::yyyyyyyyy:role/cdk-hnb659fds-lookup-role-yyyyyyyy-ap-southeast-1 . Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap the environment with the right '--trust', using the latest version of the CDK CLI.
Is there a ways to run cdk synth to generate cloudformation template without validation?
It is not possible to run cdk synth against an account that you do not have access to.
You need use a role or user that has sufficient permissions to execute cdk synth against production account.
May I ask what is your usecase?
If you want to validate which resources will be created, you can run against your own account but use production stage and production region.
The only thing different when effectively deploying to production will be the account.
Need to access cross account EC2 describe/start instance API via AWS CLI without configuring access/secret keys in "aws configure".
Assuming that you have default credentials stored for an account (Let's call it dev) but you want to run EC2 describe/start instance API on an instance which is in another account(Let's call it prod) via this account without configuring your prod credentials.
To achieve this you will use an IAM role, which has the EC2:describeInstance access needed in your Prod account. An authenticated user in your Dev account will assume a privileged IAM role in the Prod account with an API call to STS:AssumeRole. This API call will return temporary security credentials that the Dev user’s AWS CLI will automatically use to access resources in the Prod account.
You can set the credentials temporary via environment variables. If you pack this is an bash script, they only last for the execution.
#!/bin/bash
export AWS_ACCESS_KEY_ID=***
export AWS_SECRET_ACCESS_KEY=***
export AWS_DEFAULT_REGION=eu-central-1
aws ec2 <your command>
If you are in a cli of an ec2, best way to do this is to use the IAM role attached to the instance which has permissions ec2:StartInstances and ec2:DescribeInstances for the target ec2.
We had 4 individual AWS accounts for Dev,QA, UAT and Prod.
I need to clone a repository from AWS Prod account with branch name Production.
The problem is I am using the command
git clone https://git-codecommit.us-east-1.amazonaws.com/v1/repos/vanguard"
which is working fine, but I am not sure the cloned repository belongs to which AWS account since I am not providing any AWS account details while cloning the repository to my local.
The clone URL
https://git-codecommit.us-east-1.amazonaws.com/v1/repos/vanguard"
is same in all AWS accounts.
How to clone a repository from specific AWS Code commit account only?
You'd have to create an IAM role in that AWS account you want to clone the repository from. The IAM role will delegate access to that repository to IAM user/users in the AWS account.
Then, you would have to configure your AWS CLI to use AWS Security Token Service (STS) and assume the role when running commands.
Also, note that, each CodeCommit repository is associated with an AWS Region.
Here's more on assuming roles with AWS CLI.
EDIT:
Here's what's need to be done to enable Cross-Account Access to a repository in a different account:
Repository Account Actions:
Create a policy for access to the repository.
Attach this policy to a role in the same account, and allow users in the user account to assume this role.
User Account Actions:
Create an IAM user or IAM group. Use these to access the repository from the other account.
Assign a policy to the user or group that allows them to assume the role created in the repository account as part of the previous step.
Finally, assume the cross-account role before you attempt to clone or otherwise access the repository. Also, make the necessary changes to your credentials file ~/.aws/config
For example:
[profile MyCrossAccountProfile]
role_arn = arn:aws:iam::123456789012:role/MyCrossAccountProfile
source_profile = user1
Lastly, you need to modify the AWS CLI credential helper so that you use MyCrossAccountProfile
git config --global credential.helper `!aws codecommit credential-helper --profile MyCrossAccountProfile $#'
I am trying to deploy a simple lambda funtcion with the serverless framework. My IAM user doesn't have the necessary permissions to run cloudformation:
User: arn:aws:iam::xxx:user/xxx is not authorized to perform: cloudformation:DescribeStacks on resource: arn:aws:cloudformation:us-east-1:xxx:stack/xx
That's more or less intended, since our setup is using IAM roles to perform certain tasks. I have configured those roles in my ~/.aws/config
file, and for aws cli operations I can e.g. call
aws s3 ls --profile myrole
in that way I attach all policies from the role 'myrole' to my IAM user to execute the aws-cli command.
Is there any way of doing something similar for serverless, i.e. attaching a role (not a different user) to the
serverless depoly
statement?
If I change the role via export
AWS_PROFILE=myrole
or call
serverless deploy --aws-profile myrole
I get Error: Profile myrole does not exist even though the role is defined in /.aws/credentials and ~/.aws/config
OK, I found a solution to get this working. Apparently you need to set AWS_SDK_LOAD_CONFIG to a truthy value, such that the Session will be created from the configuration values from the shared config (~/.aws/config) and shared credentials (~/.aws/credentials) files.
export AWS_SDK_LOAD_CONFIG=1
then execute with
serverless deploy --aws-profile myrole