I created a project and deployed it to my personal account (678999999999).
My friend David asked me if I can deploy it to his account(123455555555) too.
So I set on my terminal AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN as temporary env variables, and I gave them the values of David's aws account.
When I do cdk deploy to David account I get the following error:
❌ Building assets failed: Error: Building Assets Failed:
Error: Could not assume role in target account
using current credentials (which are for account 123455555555) User: arn:aws:sts::123455555555:assumed-role/
AWSReservedSSO_PowerUserAccess_999999999ed47109/moyshe.zuchmir#gmail.com is not authorized
to perform: sts:AssumeRole on resource: arn:aws:iam::678999999999:role/cdk-hnb659fds-deploy-role-678999999999-eu-west-2.
Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap
the environment with the right '--trust', using the latest version of the CDK CLI.
At this point I tried to do cdk bootstrap to the project under David's account(as I still have the credentials for David's account in my env variables). The bootstrap seemed to work but when I did CDK deploy later on I got the same error again.
Any help?
Thank you!
You can set multiple AWS profiles .
https://kuchbhilearning.blogspot.com/2022/09/configure-aws-profile.html
For an example :
aws s3 ls --profile david
you can use : yarn cdk deploy --profile david
Any command that you execute should be followed with profile else it will take the default account/profile
Related
Is it possible to use a single IAM role (which can access another role) to deploy resources with environment variables CDK_DEFAULT_ACCOUNT and CDK_DEFAULT_REGION?
For example: Below is a piece of code from Jenkinsfile , which uses a role to deploy resources in the account of which it a part.
script
{
withCredentials([string(credentialsId: "sample-role-arn", variable: 'ARN'), string(credentialsId: "sample-role-extid", variable: 'EXT_ID')])
{
withAWS(role: "${ARN}", externalId: "${EXT_ID}", region: "${AWS_REGION}"){
sh '''
cdk deploy --all
'''
}
}
}
In this code sample-role-arn is defined in the account in which cdk deploy --all will deploy the resources. If the CDK_DEFAULT_ACCOUNT and CDK_DEFAULT_REGION are set to different values of which sample-role-arn is not a part, the cdk deploy --all will through error: Could not assume role in target account using current credentials (which are for account xxxxxx) User: arn:aws:sts::xxxx:assumed-role/sample-role-arn/xxx is not authorized to perform: sts:AssumeRole on resource is is expected.
However, if role is created in account set by CDK_DEFAULT_ACCOUNT and CDK_DEFAULT_REGION and made sample-role-arn as trusted entity, yet the same error as mentioned above is encountered despite the fact that sample-role-arn is a trusted entity.
Could someone please advise, if this is possible?
I have updated my cdk from version 1 to version 2, when I tried to do this locally using npm run cdk -- deploy --context awsEnv=dev --all --profile=dev, this works flawlessly.
However when the Circle CI CI/CD pipeline tries to deploy in the same dev environment, it throws an error
User: arn:aws:sts::xxxxxxxx:assumed-role/*******************************************************/jatinmehrotra is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:**************:xxxxx:parameter/cdk-bootstrap/xxxxxxxxx/version because no identity-based policy allows the ssm:GetParameter action
SO basically Circle CI CI/CD pipeline for deployment assumes the roles and create temporary credentials using aws sts assume role command.
Note:- after updating to cdk v2 I can see a new role, which has the same name as the bootstrap ssm parameter. Does that have to do something with error?
As of now, I think the assume role credentials (even though it has sufficient permissions) are not able to access the bootstrap parameter.
After some troubleshooting and carefully reading the error logs, i manually updated the role's permission with full SSM parameters permission whose credentials are being used to deploy the resources.
This resolved the issue.
When use AWS CDK to provision resources in an VPC, it requires me to specify AWS account and region through env environment variables.
I have CLI access to my dev account, but no access to prod account.
I would like to use cdk synth to generate cloudformation template for production account. To do that, I specifies the account ID in .env file.
But cdk synth command returns me following error.
[Error at /whitespace-app-fargate/whitespace-app-fargate/FargateStack] Could not assume role in target account using current credentials (which are for account xxxxxxxx) User: arn:aws:iam::xxxxxxxxx:user/myqinjie is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::yyyyyyyyy:role/cdk-hnb659fds-lookup-role-yyyyyyyy-ap-southeast-1 . Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap the environment with the right '--trust', using the latest version of the CDK CLI.
Is there a ways to run cdk synth to generate cloudformation template without validation?
It is not possible to run cdk synth against an account that you do not have access to.
You need use a role or user that has sufficient permissions to execute cdk synth against production account.
May I ask what is your usecase?
If you want to validate which resources will be created, you can run against your own account but use production stage and production region.
The only thing different when effectively deploying to production will be the account.
I'm trying to deploy my stack to aws using cdk deploy my-stack. When doing it in my terminal window it works perfectly, but when im doing it in my pipeline i get this error: Need to perform AWS calls for account xxx, but no credentials have been configured. I have run aws configure and inserted the correct keys for the IAM user im using.
So again, it only works when im doing manually in the terimal but not when the pipeline is doing it. Anyone got a clue to why I get this error?
I encountered the same error message on my Mac.
I had ~/.aws/config and credentials files set up. My credentials file had a user that didn't exist in IAM.
For me, the solution was to go back into IAM in the AWS Console; create a new dev-admin user and add AdministratorAccess privileges like this ..
Then update my ~/.aws/credentials file with the new [dev-admin] user and added the keys which are available under the "Security Credentials" tab on the Summary page shown above. The credentials entry looks like this..
[dev-admin]
aws_access_key_id=<your access key here>
aws_secret_access_key=<your secret access key here>
I then went back into my project root folder and ran
cdk deploy --profile dev-admin -v
Not sure if this is the 'correct' approach but it worked for me.
If you are using a named profile other than 'default', you might want to pass the name of the profile with the --profile flag.
For example:
cdk deploy --all --profile mynamedprofile
If you are deploying a stack or a stage you can explicitly specify the environment you are deploying resources in. This is important for cdk-pipelines because the AWS Account where the Pipeline construct is created can be different from where the resources get dployed. For example (C#):
Env = new Amazon.CDK.Environment()
{
Account = "123456789",
Region = "us-east-1"
}
See the docs
If you get this error you might need to bootstrap the account in question. And if you have a tools/ops account you need to trust this from the "deployment" accounts.
Here is an example with dev, prod and tools:
cdk bootstrap <tools-account-no>/<region> --profile=tools;
cdk bootstrap <dev-account-no>/<region> --profile=dev;
cdk bootstrap <prod-account-no>/<region> --profile=prod;
cdk bootstrap --trust <tools-account-no> --profile=dev --cloudformation-execution-policies 'arn:aws:iam::aws:policy/ AdministratorAccess';
cdk bootstrap --trust <tools-account-no> --profile=prod --cloudformation-execution-policies 'arn:aws:iam::aws:policy/ AdministratorAccess';
cdk bootstrap --trust <tools-account-no> --profile=tools --cloudformation-execution-policies 'arn:aws:iam::aws:policy/ AdministratorAccess';
Note that you need to commit the changes to cdk.context.json
The only way worked with me is to make sure that ~/.aws/config and ~/.aws/credentials files they both can't have a default profile section.
So if you removed the default profile from both files, it should work fine with you :)
Here is a sample of my ~/.aws/config ====> (Note: i don't use default profile at all)
[profile myProfile]
sso_start_url = https://hostname/start#/
sso_region = REPLACE_ME_WITH_YOURS
sso_account_id = REPLACE_ME_WITH_YOURS
sso_role_name = REPLACE_ME_WITH_YOURS
region = REPLACE_ME_WITH_YOURS
output = yaml
And this is ~/.aws/credentials ====> (Note: i don't use default profile at all)
[myProfile]
aws_access_key_id=REPLACE_ME_WITH_YOURS
aws_secret_access_key=REPLACE_ME_WITH_YOURS
aws_session_token=REPLACE_ME_WITH_YOURS
source_profile=myProfile
Note: if it still doesn't work, so try to use one profile only in config and credentials holding your AWS configurations and credentials.
I'm also new to this. I was adding sudo before cdk bootstrap command. Removing sudo made it work.
You can also do aws configure list to list down all the profiles to check if credentials are being created and stored in a proper manner.
If using a CI tool, check the output of cdk <command> --verbose for hints at the root cause for credentials not found.
In one case, the issue was simply the ~/.aws/credentials file was missing (although not technically required if running on EC2) - more details in this answer.
I too had this issue.
when I checked ~/.aws/credentials, it was having some older account details. So I just deleted that file.
and
==> aws configure
==> cdk bootstrap aws://XXXXXX/ap-south-1
it worked.
when i type serverless deploy appear this error:
ServerlessError: The security token included in the request is invalid.
I had to specify sls deploy --aws-profile in my serverless deploy commands like this:
sls deploy --aws-profile common
Can you provide more information?
Make sure that you've got the correct credentials in ~/.aws/config and ~/.aws/credentials. You can set these up by running aws configure. More info here: https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-quick-configuration
Also make sure that the IAM user in question has as an attached security policy that allows access to everything you need, such as CloudFormation.
Create a new user in AWS (don't use the root key).
In the SSH keys for AWS CodeCommit, generate a new Access Key.
Copy the values and run this:
serverless config credentials --overwrite --provider aws --key bar --secret foo
sls deploy
In my case it was missing the localstack entry in the serverless file.
I had everything that should be inside it, but it was all inside custom (instead of custom.localstack).
In my case, I added region to the provider. I suppose it's not read from the credentials file.
provider:
name: aws
runtime: nodejs12.x
region: cn-northwest-1
In my case, multiple credentials are stored in the ~/.aws/credentials file.
And serverless is picking the default credentials.
So, I kept the new credentials under [default] and removed the previous credentials. And that worked for me.
to run the function from AWS you need to configure AWS with access_key_id and secret_access_key
but
to might get this error if you want to run the function locally
so for that use this command
sls invoke local -f functionName
it will run the function locally not on aws
If none of these answers work, it's maybe because you need to add a provider in your serverless account and add your AWS keys.