By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

How to use CDK without using CDKToolkit

0

We use CDK to build infrastructure in the customer's AWS environment. However, It is prohibited to create IAM resources in customer's AWS environment.

Therefore, CDKToolkit cannot be deployed because CDKToolkit in CDK v2 contains IAM resources.

Is there any way to use CDK without CDKToolkit or in the stack without including IAM in CDKToolkit?

Topics
Security, Identity, & ComplianceManagement & GovernanceInfrastructure as Code
Tags
AWS Identity and Access ManagementAWS CloudFormationInfrastructure as Code
Language
English
5hintaro
asked 2 years ago2963 views
4 Answers
3

Probably the best thing to do is provide your clients a CloudFormation template that they can use to bootstrap the account for you. The following command will generate a CDK bootstrap template (note: it's a good idea to add a qualifier to the toolkit so you don't conflict with other toolkits in the same account)

cdk bootstrap --qualifier acme-corp --show-template > bootstrap-template.yaml

There are 4 required roles (deployment, file asset, image asset and cloudformation exec). CDK will lookup these roles by their names. Whatever principal you authenticate to your client's account with must have access to assume the deployment role.

Note that the cloudformation exec role has excessive access by default.

But, if you really want a way around this I would look at creating a custom synthesizer. I've never done this before but I think you could set all 4 roles to be the same principal you already have access to: https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping.html#bootstrapping-custom-synth

wdavjones
answered 2 years ago
1

Hi there, thank you for your question. What you could do, is customise the templates you are deploying using the CDK. For example, refer to the bootstrapping guide: https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping.html You can get the bootstrap-template.yaml by using this command:

cdk bootstrap --show-template > bootstrap-template.yaml

You can then edit the bootstrap-template.yaml file according to your needs, and deploy it yourself. If you choose to create those roles yourself, you can refer to them in the CloudFormation template.

AWS
Geroen_AWS
answered 2 years ago
0

It's possible to use CDK, run cdk synth to generate the Cloudformation, and to use that to deploy without the bootstrap stack. This was done with CDKv1.

It's slightly painful, but I have needed to do this in the past where the environment required 'pure' CloudFormation deployment via CodePipeline and assuming a role within the target account wasn't permitted.

The CDK stack was synthesised, then aws cloudformation package was used to upload the stacks and assets to the single deployment bucket the organisation deploy setup uses.

Some resources had to be imported with different resource types, in particular VPCs and Route53 domains. Sometimes when importing you had to use features of CDK.Token to reassure the process an imported value was a number.

As was suggested by another poster, a Custom Bootstrapping setup may be the appropriate way to do this.

cloudandmedia
answered 2 years ago
-3

Hi,

We strongly recommend against using your main AWS account for day-to-day tasks. Instead, create a user in IAM and use its credentials with the CDK.

The CDK Toolkit needs to know your AWS account credentials and the AWS region into which you are deploying, not only for deployment operations but also to retrieve context values during synthesis. Together, your account and region make up the environment. refer- https://docs.aws.amazon.com/cdk/v2/guide/cli.html

profile picture
learn2skills
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content