
When cdk bootstrapping AWS account A I am utilizing the --trust flag for account B:

CDK_DEFAULT_ACCOUNT=A cdk bootstrap --trust B ...

This should allow B to deploy into the A environment.

However, when a CodePipeline job (with no ~/.aws directory and no environment-variable credentials) in B runs cdk deploy against A, it errors out with

failed: Error: Need to perform AWS calls for account A, but the current credentials are for B

The execution role for the CodePipeline action in account B has admin access.

How is a process in the trusted account credentialed to deploy to the bootstrapped account?

There is a similarly titled question which is for a separate topic.

Thank you in advance for your consideration and response.

Ramón J Romero y Vigil

1 Answer


When the target account A is bootstrapped, an IAM Role is created in A with a name like "cdk-...deploy-role...". By passing the --trust B flag when bootstrapping, a Trust Relationship is created in that deploy IAM Role that allows account B to assume the role.

In the B CodePipeline you first need to assume the A deploy role:

aws sts assume-role --role-arn <deploy_role_from_A_arn> --role-session-name <session_name>

Then use the supplied credentials when invoking the cdk deploy command in CodePipeline.

Ramón J Romero y Vigil
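The two steps in the answer (assume the deploy role that bootstrap created in A, then run cdk deploy with those credentials) as one pipeline script. This is an added example, not code from the question or the answer. It assumes the default bootstrap qualifier "hnb659fds" (the deploy role is named differently if --qualifier was passed to cdk bootstrap), that the aws CLI in the build container already runs as the pipeline's account-B role (CodeBuild supplies those credentials through the container credential endpoint, so no ~/.aws directory is needed), and that TARGET_ACCOUNT and TARGET_REGION are environment variables set on the pipeline action; the session name and the sample credential line are made up for illustration.

```shell
#!/bin/sh
# Added example for the answer above (not from the original post).
# Assumptions: default bootstrap qualifier "hnb659fds"; `aws` already runs
# with the pipeline's own account-B credentials; TARGET_ACCOUNT/TARGET_REGION
# identify the bootstrapped account A.

# Build the ARN of the deploy role that `cdk bootstrap` creates in the target
# account: cdk-<qualifier>-deploy-role-<account>-<region>.
cdk_deploy_role_arn() {
    account="$1"
    region="$2"
    qualifier="${3:-hnb659fds}"
    printf 'arn:aws:iam::%s:role/cdk-%s-deploy-role-%s-%s\n' \
        "$account" "$qualifier" "$account" "$region"
}

# Turn one tab-separated line "AccessKeyId SecretAccessKey SessionToken"
# (what `aws sts assume-role --output text --query ...` prints) into the three
# environment variables the AWS SDK and the CDK CLI read.
creds_to_exports() {
    line="$1"
    # Disable globbing while word-splitting the line; a token may contain '+'
    # and '/' but must never be expanded against the filesystem.
    set -f
    set -- $line
    set +f
    # Fail closed: an error message or an empty reply must not leave the
    # pipeline silently running `cdk deploy` with account-B credentials.
    [ "$#" -eq 3 ] || { echo "unexpected assume-role output: $line" >&2; return 1; }
    printf 'export AWS_ACCESS_KEY_ID=%s\n' "$1"
    printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$2"
    printf 'export AWS_SESSION_TOKEN=%s\n' "$3"
}

# Only talk to AWS when the target is configured, so this file can be sourced
# or checked without credentials.
if [ -n "${TARGET_ACCOUNT:-}" ] && [ -n "${TARGET_REGION:-}" ]; then
    role_arn="$(cdk_deploy_role_arn "$TARGET_ACCOUNT" "$TARGET_REGION")"
    # Uses the account-B pipeline credentials; succeeds only because --trust B
    # put account B in the deploy role's trust policy. Session name is made up.
    creds="$(aws sts assume-role \
        --role-arn "$role_arn" \
        --role-session-name "codepipeline-cdk-deploy" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
        --output text)"
    # eval in the current shell (not a subshell) so cdk inherits the variables.
    eval "$(creds_to_exports "$creds")"
    # Sanity check: this should now report account A and the deploy role.
    aws sts get-caller-identity
    cdk deploy --require-approval never
fi
```

Environment variables are chosen over writing a profile because the question's pipeline has no ~/.aws directory, and the CDK CLI, like every AWS SDK, reads AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN ahead of any profile. The get-caller-identity call is a cheap check that the switch to account A actually happened before anything is deployed.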