25

Following pipelines readme to set up a deployment pipeline, I ran

$ env CDK_NEW_BOOTSTRAP=1 npx cdk bootstrap \
    --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess \
    aws://[ACCOUNT_ID]/us-west-2

to create the necessary roles. I would assume the roles would automatically add sts assume role permissions for my account principal. However, when I run cdk deploy I get the following warning:

current credentials could not be used to assume 'arn:aws:iam::[ACCOUNT_ID]:role/cdk-hnb659fds-file-publishing-role-[ACCOUNT_ID]-us-west-2', but are for the right account. Proceeding anyway.

I have root credentials in ~/.aws/credentials.

Looking at the deploy role policy, I don't see any sts permissions. What am I missing?

heckeop

9 Answers

17

You will need to add permission to assume the role to the credentials from which you are trying to execute cdk deploy

{
  "Sid": "assumerole",
  "Effect": "Allow",
  "Action": [
     "sts:AssumeRole",
     "iam:PassRole"
  ],
  "Resource": [
     "arn:aws-cn:iam::*:role/cdk-readOnlyRole",
     "arn:aws-cn:iam::*:role/cdk-hnb659fds-deploy-role-*",
     "arn:aws-cn:iam::*:role/cdk-hnb659fds-file-publishing-*"
  ]
}
João Dias
  • I'm getting this error in CodeBuild; which credentials do I need to add it to? I can't seem to find which credentials CodeBuild uses. – zan-xhipe Oct 08 '21 at 14:15
  • This is the answer I needed, as we assume a role before performing a CDK deploy since we also use the AWS CLI. – Dan-Dev Dec 13 '21 at 10:59
  • For those not in China, use "arn:aws:iam" instead of "arn:aws-cn:iam" – Cpt.Ohlund May 30 '22 at 07:55
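As an added check (example code, not from any of the posts above): a small Python evaluator that tells you whether a statement like the one in this answer actually covers the role ARN printed in the CDK warning, and separates a partition mismatch (aws vs aws-cn, as the comment notes) from a genuinely missing grant. The account id and policy text are constructed samples; only Effect/Action/Resource are evaluated.

```python
import fnmatch
import json
# Constructed sample: the statement from the answer above, written for the aws-cn partition.
POLICY_AWS_CN = json.dumps({
    "Statement": [{
        "Sid": "assumerole",
        "Effect": "Allow",
        "Action": ["sts:AssumeRole", "iam:PassRole"],
        "Resource": [
            "arn:aws-cn:iam::*:role/cdk-readOnlyRole",
            "arn:aws-cn:iam::*:role/cdk-hnb659fds-deploy-role-*",
            "arn:aws-cn:iam::*:role/cdk-hnb659fds-file-publishing-*",
        ],
    }],
})
# The same statement for the standard partition, as the comment suggests.
POLICY_AWS = POLICY_AWS_CN.replace("arn:aws-cn:", "arn:aws:")

# Role ARN from the warning in the question, with a placeholder account id.
FILE_PUBLISHING_ROLE = ("arn:aws:iam::123456789012:role/"
                        "cdk-hnb659fds-file-publishing-role-123456789012-us-west-2")

def _as_list(value):
    return value if isinstance(value, list) else [value]  # IAM accepts a string or a list

def _arn_match(pattern: str, arn: str) -> bool:
    # IAM patterns use only '*' and '?'; escape '[' so fnmatch does not read it as a class.
    return fnmatch.fnmatchcase(arn, pattern.replace("[", "[[]"))

def _swap_partition(pattern: str, partition: str) -> str:
    parts = pattern.split(":")  # arn:<partition>:service:region:account:resource
    parts[1] = partition
    return ":".join(parts)

def assume_role_verdict(policy_json: str, role_arn: str) -> str:
    """'allow', 'deny', 'partition-mismatch' or 'no-match' for sts:AssumeRole on role_arn.
    Only Effect/Action/Resource are evaluated; NotAction and Condition keys are ignored."""
    verdict = "no-match"
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase("sts:assumerole", a) for a in actions):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if _arn_match(res, role_arn):
                if stmt["Effect"] == "Deny":
                    return "deny"  # an explicit deny overrides every allow
                verdict = "allow"
            elif verdict == "no-match" and _arn_match(_swap_partition(res, role_arn.split(":")[1]), role_arn):
                verdict = "partition-mismatch"  # would match if the ARN partition agreed
    return verdict
```

Run it against the warning's role ARN and the policy attached to your own principal; a result of 'no-match' for the lookup role is exactly the gap the last answer on this page closes.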
8
  1. The first thing you need to do is enable verbose mode to see what is actually happening.

    cdk deploy --verbose
    

    If you see a message similar to the one below, continue with step 2. Otherwise, you need to address the problem by understanding the error message.

    Could not assume role in target account using current credentials User: arn:aws:iam::XXX068599XXX:user/cdk-access is not authorized to perform: sts :AssumeRole on resource: arn:aws:iam::XXX068599XXX:role/cdk-hnb659fds-deploy-role-XXX068599XXX-us-east-2 . Please make sure that this role exists i n the account. If it doesn't exist, (re)-bootstrap the environment with the right '--trust', using the latest version of the CDK CLI.

  2. Check S3 buckets related to CDK and CloudFormation stacks from AWS Console. Delete them manually.

  3. Enable the new style bootstrapping by one of the methods mentioned here

  4. Bootstrap the stack using the command below. Then it should create all required roles automatically.

    cdk bootstrap --trust=ACCOUNT_ID --cloudformation-execution-policies=arn:aws:iam::aws:policy/AdministratorAccess --verbose
    

NOTE: If you are working with docker image assets, make sure you have set up your repository before you deploy. New style bootstrapping does not create the repos automatically for you, as mentioned in this comment.

TRiNE
5

This may be of use to somebody... The issue could be a mismatch of regions. I spotted it in verbose mode - the roles were created for us-east-1 but I had specified eu-west-2 in the bootstrap. For some reason it had not worked. The solution was to set the region (by adding AWS_REGION=eu-west-2 before the cdk deploy command).

Horacio
2

I ran into a similar error. The critical part of my error was

failed: Error: SSM parameter /cdk-bootstrap/<>/version not found.

I had to re-run using the new bootstrap method that creates the SSM parameter. To run the new bootstrap method, first set CDK_NEW_BOOTSTRAP via export CDK_NEW_BOOTSTRAP=1

timohare
1

Don't forget to run cdk bootstrap with those credentials against your account [ACCOUNT_ID].

1

For me, the problem was that I was using expired credentials. I was trying to use temporary credentials from AWS SSO, which were expired. The problem was that the error message is misleading: it says

current credentials could not be used to assume 'arn:aws:iam::123456789012:role/cdk-xxx999xxx-deploy-role-123456789012-us-east-1', but are for the right account. Proceeding anyway.
(To get rid of this warning, please upgrade to bootstrap version >= 8)

However, applying the --verbose flag as suggested above showed the real problem:

Assuming role 'arn:aws:iam::123456789012:role/cdk-xxx999xxx-deploy-role-123456789012-us-east-1'.
Assuming role failed: The security token included in the request is expired
Could not assume role in target account using current credentials The security token included in the request is expired . Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap the environment with the right '--trust', using the latest version of the CDK CLI.

Getting the latest SSO credentials fixed the problem.

fool4jesus
1

TLDR: If you're using CDK Pipelines, add the following to your synth pipelines.CodeBuildStep:

role_policy_statements = [
    iam.PolicyStatement(
        actions=["sts:AssumeRole"],
        resources=["*"],
        conditions={"StringEquals": {"iam:ResourceTag/aws-cdk:bootstrap-role": "lookup"}},
    )
]

For example:

from aws_cdk import aws_iam as iam
from aws_cdk import pipelines

def synth(self, synth_input: pipelines.CodePipelineSource, out_dir: str) -> pipelines.CodeBuildStep:
    return pipelines.CodeBuildStep(
        id="SynthStep",
        input=synth_input,
        commands=[...],
        primary_output_directory=out_dir,
        role_policy_statements=[
            iam.PolicyStatement(
                actions=["sts:AssumeRole"],
                resources=["*"],
                conditions={"StringEquals": {"iam:ResourceTag/aws-cdk:bootstrap-role": "lookup"}},
            )
        ],
    )

It's also recommended you save and load the cdk.context.json file in commands somewhere between synth runs to avoid non-determinism.

Resources:

Note: The official docs show this IAM policy should be specified in the pipelines.CodePipeline. There is no role_policy_statements in the pipelines.CodePipeline construct. You need to add it to the pipelines.CodeBuildStep.

bwl1289
0

After deploying with --verbose I could see it was a clock issue in my case:

Assuming role failed: Signature expired: 20220428T191847Z is now earlier than 20220428T192528Z (20220428T194028Z - 15 min.)

I resolved the clock issue on Ubuntu using:

sudo ntpdate ntp.ubuntu.com

which then resolved the cdk issue.

Graham Hesketh
0

You need the assumeRole on cdk resources; here is what fixed my assumerole and the s3 bucket warning during deployment:

    {
      "Sid": "assumerolecdk",
      "Effect": "Allow",
      "Action": [
         "sts:AssumeRole",
         "iam:PassRole"
      ],
      "Resource": [
         "arn:aws:iam::*:role/cdk-readOnlyRole",
         "arn:aws:iam::*:role/cdk-hnb659fds-deploy-role-*",
         "arn:aws:iam::*:role/cdk-hnb659fds-file-publishing-*",
         "arn:aws:iam::***:role/cdk-hnb659fds-lookup-role-***-us-east-1"
      ]
    }

Make sure you are configured for the correct region.

ICeZer0