CDK pipeline cross account deployment error


Good morning team,

I implemented a CICD CDK pipeline following this documentation

import * as pipelines from "aws-cdk-lib/pipelines";
import { ManualApprovalStep } from "aws-cdk-lib/pipelines";

// `repository`, `region` and the `cdkApp` Stage subclass are defined elsewhere in the project.
const pipeline = new pipelines.CodePipeline(this, "Pipeline", {
  // dockerEnabledForSelfMutation: true,
  // dockerEnabledForSynth: true,
  crossAccountKeys: true, // needed for deployments into other accounts
  pipelineName: "myPipeline",
  synth: new pipelines.CodeBuildStep("Synth", {
    buildEnvironment: { privileged: true },
    input: pipelines.CodePipelineSource.codeCommit(repository, "main"),
    commands: [
      "cd myapp",
      "npm ci",
      "npm run build",
      "npx cdk synth",
    ],
    primaryOutputDirectory: "cdk-my-app/cdk.out",
  }),
});
// Stage deployed into the DEV account (the account that hosts the pipeline).
pipeline.addStage(
  new cdkApp(this, "DEV", {
    env: { account: "123456789", region: region },
  }),
  {}
);
// Stage deployed into the STG account, gated by a manual approval.
pipeline.addStage(
  new cdkApp(this, "STG", {
    env: { account: "987654321", region: region },
  }),
  { pre: [new ManualApprovalStep("approval")] }
);

Initially, I deployed the pipeline using the 'cdk deploy' command without the second stage. Subsequently, I added the second stage to deploy to the STG account. This addition was made after the initial deployment.

pipeline.addStage(
  new cdkApp(this, "STG", {
    env: { account: "987654321", region: region },
  }),
  { pre: [new ManualApprovalStep("approval")] }
);

When I attempted to deploy the CDK pipeline after adding the STG stage, I encountered an error during the deployment process (cdk deploy myCdkPipeline). The error message was as follows:

cdkApp failed: Error: The stack named cdkApp failed to deploy: UPDATE_ROLLBACK_COMPLETE: arn:aws:iam::DEV_ACCOUNT_ID:role/CiCDcdkApp-PipelineRoleBsffAsf-1SffsO63 is not authorized to perform AssumeRole on role arn:aws:iam::STG_ACCOUNT_ID:role/cdk-hndsdsd-deploy-role-STG_ACCOUNT_ID-region (Service: AWSCodePipeline; Status Code: 400; Error Code: InvalidStructureException; Request ID: fads9-7e5sde-4esd3-9sd7-6ssrrwr; Proxy: null)
    at FullCloudFormationDeployment.monitorDeployment (/usr/local/lib/node_modules/aws-cdk/lib/index.js:443:10232)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Object.deployStack2 [as deployStack] (/usr/local/lib/node_modules/aws-cdk/lib/index.js:446:153546)
    at async /usr/local/lib/node_modules/aws-cdk/lib/index.js:446:136809

Should I manually update the IAM role in the DEV_account to assume the role created in the STG_account? I believe that roles and permissions are typically created automatically by the stack for cross-account deployment.

However, I'm unsure about how to resolve this error.

Should I make manual adjustments to the roles to enable the role in the DEV account to assume the role created by the pipeline in the STG account?

Thank you for your help.

1 Answer
Accepted Answer

I resolved this by adding the --trust and --cloudformation-execution-policies options to the cdk bootstrap command to establish a trust relationship between the two accounts, DEV and STG.

JessDL
answered 7 months ago
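As an added example (not part of the answer or the asker's project), the script below builds the bootstrap command the answer describes for the target account and checks a deploy role's trust policy for the pipeline account. The account IDs, the region and the AdministratorAccess execution policy are assumptions; the sample trust policy is constructed.

```python
# Placeholder account IDs and region (not from the original post).
PIPELINE_ACCOUNT = "111111111111"  # the DEV account that runs the pipeline
TARGET_ACCOUNT = "222222222222"    # the STG account being deployed into
REGION = "eu-west-1"
# Policy attached to the CloudFormation execution role; AdministratorAccess
# is the common starting point, scope it down for production pipelines.
EXEC_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"


def bootstrap_argv(target, region, trusted, exec_policy=EXEC_POLICY):
    """Command that bootstraps `target` so the pipeline in `trusted` may deploy to it."""
    return ["npx", "cdk", "bootstrap",
            "--trust", trusted,
            "--cloudformation-execution-policies", exec_policy,
            f"aws://{target}/{region}"]


def trusted_accounts(trust_policy):
    """Account IDs allowed to sts:AssumeRole by an IAM trust policy document."""
    accounts = set()
    for stmt in trust_policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principals = stmt.get("Principal", {}).get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        for p in principals:
            # Bootstrap writes principals as arn:aws:iam::ACCOUNT:root
            accounts.add(p.split(":")[4] if p.startswith("arn:") else p)
    return accounts


def deploy_role_trusts(trust_policy, account):
    """True if `account` can assume the role described by `trust_policy`."""
    return account in trusted_accounts(trust_policy)


# Constructed sample: AssumeRolePolicyDocument of the cdk-*-deploy-role in STG
# after bootstrapping it with --trust DEV (compare with `aws iam get-role`).
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": {"AWS": [f"arn:aws:iam::{TARGET_ACCOUNT}:root",
                              f"arn:aws:iam::{PIPELINE_ACCOUNT}:root"]},
    }],
}

if __name__ == "__main__":
    print(" ".join(bootstrap_argv(TARGET_ACCOUNT, REGION, PIPELINE_ACCOUNT)))
    print("STG deploy role trusts DEV:",
          deploy_role_trusts(SAMPLE_TRUST_POLICY, PIPELINE_ACCOUNT))
```

Run the printed bootstrap command with credentials for the STG account; the trust check mirrors what the AssumeRole error in the question is complaining about.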
